kohler / gifsicle

Create, manipulate, and optimize GIF images and animations
http://www.lcdf.org/gifsicle/
GNU General Public License v2.0

NULL Pointer Dereference vulnerability in mark_used_colors function #115

Closed leonzhao7 closed 7 years ago

leonzhao7 commented 7 years ago

Command and argument

gifsicle --crop 0,0-256,256 --crop-transparency --flip-vertical -i -S 256x256 -p 1,1 --rotate-90 -B "#000000" --resize=256x256 -D previous -l2 -o c [infile]

Crash Information

The function dereferences gfi->img[j], but gfi->img is NULL
gdb and backtrace

Reading symbols from gifsicle...done.
(gdb) set args --crop 0,0-256,256 --crop-transparency --flip-vertical -i -S 256x256 -p 1,1 --rotate-90 -B "#000000" --resize=256x256 -D previous -l2 -o c /root/fuzz/gifsicle/gifsicle-mark_used_colors-85.crash
(gdb) run
Starting program: /root/gifsicle-master/src/gifsicle --crop 0,0-256,256 --crop-transparency --flip-vertical -i -S 256x256 -p 1,1 --rotate-90 -B "#000000" --resize=256x256 -D previous -l2 -o c /root/fuzz/gifsicle/gifsicle-mark_used_colors-85.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
gifsicle:/root/fuzz/gifsicle/gifsicle-mark_used_colors-85.crash:#0: read error: unknown block type 48 at file offset 397
gifsicle:/root/fuzz/gifsicle/gifsicle-mark_used_colors-85.crash: read error: image position and/or dimensions out of range
gifsicle: warning: huge GIF, conserving memory (processing may take a while)

Program received signal SIGSEGV, Segmentation fault.
0x000000000040b8ee in mark_used_colors (gfs=<optimized out>, gfi=gfi@entry=0x62e970, crop=<optimized out>, compress_immediately=compress_immediately@entry=1) at merge.c:85
85              uint8_t *data = gfi->img[j] + l;

(gdb) bt
#0  0x000000000040b8ee in mark_used_colors (gfs=<optimized out>, gfi=gfi@entry=0x62e970, crop=<optimized out>, compress_immediately=compress_immediately@entry=1) at merge.c:85
#1  0x000000000041905b in merge_frame_interval (fset=<optimized out>, f1=f1@entry=0, f2=<optimized out>, output_data=output_data@entry=0x62db00 <active_output_data>, 
    compress_immediately=<optimized out>, huge_stream=huge_stream@entry=0x7fffffffe1b8) at support.c:1546
#2  0x000000000041dfee in merge_and_write_frames (outfile=outfile@entry=0x7fffffffe72f "c", f1=f1@entry=0, f2=f2@entry=-1) at gifsicle.c:1013
#3  0x000000000041f373 in output_frames () at gifsicle.c:1105
#4  0x000000000040369f in main (argc=<optimized out>, argv=<optimized out>) at gifsicle.c:2173

(gdb) l
80              r = gfi->width;
81              b = gfi->height;
82          }
83
84          for (j = t; j != b; ++j) {
85              uint8_t *data = gfi->img[j] + l;
86              for (i = l; i != r; ++i, ++data)
87                  if (*data < ncol && !(col[*data].haspixel & 1) && *data != transp) {
88                      col[*data].haspixel |= 1;
89                      --nleft;

(gdb) p gfi->img
$4 = (uint8_t **) 0x0
(gdb) 

POC file

gifsicle-mark_used_colors-85.zip

CREDIT

Zhao Liang, Huawei Weiran Labs
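A defensive form of the loop shown in the backtrace, as an added example that is not gifsicle's own code: the struct and function names are hypothetical stand-ins modelled on the fields the report quotes, and the guard on gfi->img is the check the faulting line at merge.c:85 lacks once the reader has already reported an error for the frame and left its pixel rows unallocated.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical simplified stand-ins for gifsicle's image and colormap types
 * (not the real structs); only fields the crashing loop touches are modelled. */
typedef struct { uint8_t haspixel; } ColorEntry;
typedef struct {
    uint16_t width, height;
    uint8_t **img;          /* one pointer per row; NULL if decoding failed */
    int transparent;        /* transparent palette index, or -1 for none */
} Frame;

/* Mirrors the merge.c loop quoted in the report, but refuses to walk a frame
 * whose pixel rows were never allocated (the state that faults at merge.c:85).
 * Returns the number of palette indices newly marked, or -1 for no data. */
int mark_used_colors_checked(const Frame *gfi, ColorEntry *col, int ncol)
{
    int marked = 0;
    if (gfi->img == NULL)           /* reader reported an error: nothing to scan */
        return -1;
    for (int j = 0; j != gfi->height; ++j) {
        const uint8_t *data = gfi->img[j];
        if (data == NULL)           /* partially read frame: skip missing row */
            continue;
        for (int i = 0; i != gfi->width; ++i, ++data)
            if (*data < ncol && !(col[*data].haspixel & 1)
                && *data != gfi->transparent) {
                col[*data].haspixel |= 1;
                ++marked;
            }
    }
    return marked;
}

/* Constructed 2x2 frame with indices {0,1,1,3} and transparent index 3:
 * exactly two distinct opaque colors are present. */
int demo_valid_frame(void)
{
    static uint8_t row0[2] = { 0, 1 }, row1[2] = { 1, 3 };
    uint8_t *rows[2] = { row0, row1 };
    ColorEntry col[4] = { {0}, {0}, {0}, {0} };
    Frame f = { 2, 2, rows, 3 };
    return mark_used_colors_checked(&f, col, 4);    /* returns 2 */
}

/* Frame left without pixel data after a read error, as in the report. */
int demo_unread_frame(void)
{
    ColorEntry col[4] = { {0}, {0}, {0}, {0} };
    Frame f = { 2, 2, NULL, -1 };
    return mark_used_colors_checked(&f, col, 4);    /* returns -1, no crash */
}
```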