kohler / gifsicle

Create, manipulate, and optimize GIF images and animations
http://www.lcdf.org/gifsicle/
GNU General Public License v2.0

heap-buffer-overflow in ambiguity_error #191

Closed shinibufa closed 1 year ago

shinibufa commented 1 year ago

Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

Command To Reproduce the bug:

./gifsicle --loopcount=-

Environment

ASAN Report

=================================================================
==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8
READ of size 1 at 0x60300000005a thread T0
    #0 0x4dd2b3 in ambiguity_error /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62
    #1 0x4d17b1 in parse_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1216:9
    #2 0x4d949e in Clp_Next /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1967:6
    #3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1533:15
    #4 0x7fdb41691082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d4cd in _start (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region [0x603000000040,0x603000000058) allocated by thread T0 here:
    #0 0x499c7d in __interceptor_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x499c7d)
    #1 0x4d4a20 in finish_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1230:50
    #2 0x4d47fc in Clp_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1332:9
    #3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1461:3
    #4 0x7fdb41691082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62 in ambiguity_error
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00[fa]fa fa 00 00
  0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==956047==ABORTING

Many Thanks. cheng meng da

shinibufa commented 1 year ago

We have identified this bug in the code at /src/clp.c:2395. Specifically, the iopt variable is allocated by malloc with a size of 2 * sizeof(Clp_InternOption) elements. However, the code at line 2395 accesses iopt[2], which results in a heap-buffer-overflow bug. It's worth noting that this bug only manifests when compiling gifsicle with ASAN.
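
As an added illustration (this is not gifsicle's clp.c; the struct and function names are hypothetical stand-ins), here is the shape of the defect described in the comment above, a 2-element malloc'd option array read at index 2, placed next to a bounded version that builds the ambiguity message without overrunning it:

```c
/* Added, illustrative model of the off-by-one in this report, NOT gifsicle's
 * clp.c; the struct and function names are hypothetical stand-ins. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *name;   /* one long option or list value, e.g. "loopcount" */
} intern_option;

/* Defect as described in the report: bound `i <= n` reads iopt[n], one element
 * past the malloc'd region (iopt[2] of a 2-element array). A normal build reads
 * stale heap silently; with -fsanitize=address it is the READ shown above.
 * Nothing below calls this; it is here only to show the defect beside the fix. */
int count_ambiguous_overrun(const intern_option *iopt, int n, const char *prefix)
{
    int matches = 0;
    for (int i = 0; i <= n; i++)                        /* <= : overrun */
        if (strncmp(iopt[i].name, prefix, strlen(prefix)) == 0)
            matches++;
    return matches;
}

/* Fixed form: list every name `prefix` abbreviates, comma-separated, in msg
 * (the text an ambiguity error prints). iopt holds exactly n elements.
 * Returns the number of matching candidates. */
int list_ambiguous(const intern_option *iopt, int n, const char *prefix,
                   char *msg, size_t msglen)
{
    size_t plen = strlen(prefix);
    int matches = 0;
    msg[0] = '\0';
    for (int i = 0; i < n; i++) {                       /* < : in bounds */
        if (strncmp(iopt[i].name, prefix, plen) != 0)
            continue;
        if (matches > 0)
            strncat(msg, ", ", msglen - strlen(msg) - 1);
        strncat(msg, iopt[i].name, msglen - strlen(msg) - 1);
        matches++;
    }
    return matches;
}

/* Mirrors the report's allocation: exactly 2 elements (constructed values). */
char demo_msg[64];
int demo_ambiguity(void)
{
    intern_option *iopt = malloc(2 * sizeof(intern_option));
    if (!iopt) return -1;
    iopt[0].name = "forever"; iopt[1].name = "format";
    int matches = list_ambiguous(iopt, 2, "fo", demo_msg, sizeof demo_msg);
    free(iopt);
    return matches;
}
```

Compiling the same file with -fsanitize=address and calling the overrun variant is the check that reproduces the report's finding; the bounded variant stays clean under ASan.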

kohler commented 1 year ago

Thanks for reporting this problem!

shinibufa commented 1 year ago

You are welcome!