kohler / gifsicle

Create, manipulate, and optimize GIF images and animations
http://www.lcdf.org/gifsicle/
GNU General Public License v2.0
3.73k stars 236 forks

bug fix due to abnormal GIF file's width #171

Closed tank0123 closed 3 years ago

tank0123 commented 3 years ago

System configuration

Abnormal memory access occurs due to the abnormal width of the GIF file. I've attached the file. Please download and check the file. gifsicle_PoC.zip

I've also developed a patch code to mitigate abnormal memory access. Please check it.

kohler commented 3 years ago

GIFs are allowed to have width > 255, so the patch is definitely incorrect.

kohler commented 3 years ago

I compiled Gifsicle with sanitization, which should detect many memory access errors. It reports no memory access errors when run as follows:

kohler@openat gifsicle % ./src/gifsicle --delay=10 --loop < ~/Downloads/gifsicle_PoC > g
gifsicle:<stdin>:#5: read error: unknown block type 64 at file offset 4466
gifsicle:<stdin>:#0: read error: image corrupted, code out of range (2 times)
gifsicle:<stdin>:#0: read error: missing 2 pixels of image data
gifsicle:<stdin>:#1: read error: image corrupted, code out of range
gifsicle:<stdin>:#1: read error: missing 42 pixels of image data
gifsicle:<stdin>:#2: read error: image corrupted, code out of range (17 times)
gifsicle:<stdin>:#2: read error: missing 116 pixels of image data
gifsicle:<stdin>:#3: read error: image corrupted, code out of range
gifsicle:<stdin>:#3: read error: missing 15 pixels of image data
gifsicle:<stdin>:#4: read error: missing 220194 pixels of image data
gifsicle: (plus more errors; is this GIF corrupt?)
gifsicle: warning: some colors undefined by colormap
kohler@openat gifsicle % 

Can you explain what made you think there was a memory access error?

tank0123 commented 3 years ago

After the above output that you mentioned, the OS forcibly shuts down the process with the SIGKILL signal in my experimental environment. This observation seems to be caused by accessing an index far larger than 255 in the map array.

kohler commented 3 years ago

This invalid GIF claims to have an image of size 29180x41283. Gifsicle tries to allocate image data for an image of that size, which is roughly 1.2GB. It is very likely that your experimental environment is refusing to allocate so much memory and kills Gifsicle as a result.
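Added example (not gifsicle's own code) of the kind of check this thread points at: the size fields of a GIF image descriptor are 16-bit little-endian, so widths above 255 are accepted as the format requires, and the declared pixel count is compared against a memory budget (an assumed 256 MiB here) before anything is allocated, so a frame like the 29180x41283 one above is rejected instead of triggering a roughly 1.2 GB allocation and an OOM kill. The sample descriptor bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pixel budget a decoder is willing to allocate: 256 MiB of 8-bit pixels (assumed value). */
#define MAX_IMAGE_BYTES (256ull * 1024 * 1024)

/* GIF stores sizes as little-endian 16-bit fields, so widths above 255 are legal. */
static uint16_t gif_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 1 if a width x height 8-bit indexed image fits the budget, else 0.
 * 64-bit math keeps 65535 * 65535 from overflowing. */
int gif_dims_within_budget(uint16_t width, uint16_t height, uint64_t max_bytes) {
    if (width == 0 || height == 0) return 0;
    uint64_t bytes = (uint64_t)width * (uint64_t)height; /* one byte per indexed pixel */
    return bytes <= max_bytes;
}

/* Header + logical screen descriptor (13 bytes): canvas size at offsets 6..9. */
int gif_screen_size(const uint8_t *buf, size_t len, uint16_t *w, uint16_t *h) {
    if (len < 13) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    *w = gif_le16(buf + 6);
    *h = gif_le16(buf + 8);
    return 0;
}

/* Image descriptor (0x2C + 9 bytes): frame size at offsets 5..8. */
int gif_image_size(const uint8_t *buf, size_t len, uint16_t *w, uint16_t *h) {
    if (len < 10 || buf[0] != 0x2C) return -1;
    *w = gif_le16(buf + 5);
    *h = gif_le16(buf + 7);
    return 0;
}

/* Constructed sample: an image descriptor declaring the 29180x41283 frame from
 * the issue (0x71FC x 0xA143, little-endian), positioned at (0,0). */
static const uint8_t sample_desc[10] = {
    0x2C, 0x00,0x00, 0x00,0x00, 0xFC,0x71, 0x43,0xA1, 0x00 };

int main(void) {
    uint16_t w, h;
    if (gif_image_size(sample_desc, sizeof sample_desc, &w, &h) != 0) return 1;
    printf("declared frame %ux%u = %llu bytes\n", w, h, (unsigned long long)w * h);
    if (!gif_dims_within_budget(w, h, MAX_IMAGE_BYTES))
        printf("rejected: exceeds budget of %llu bytes\n", (unsigned long long)MAX_IMAGE_BYTES);
    return 0;
}
```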