kohler / gifsicle

Create, manipulate, and optimize GIF images and animations
http://www.lcdf.org/gifsicle/
GNU General Public License v2.0

Two FPE bugs unique in gifsicle-1.94 #196

Closed TimChan2001 closed 1 year ago

TimChan2001 commented 1 year ago

We found 2 FPE bugs in gifsicle-1.94. Initially, we thought #193 would be applicable. However, upon discovering that the same reproduction steps didn't work in gifsicle-1.93, we believe this issue might be different.

Reproduction

Build gifsicle-1.94 with ASAN, then run

src/gifsicle --crop 0,0-256,256 --crop-transparency --flip-vertical -i -p 1,1 --rotate-90 --resize=256x256 -o c $POC

We ran it on a 64-bit Ubuntu 18.04.

ASAN Report

1) The POC can be found here: POC1

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4691==ERROR: AddressSanitizer: FPE on unknown address 0x000000584a02 (pc 0x000000584a02 bp 0x7ffc7d0d8eb0 sp 0x7ffc7d0d8ba0 T0)
    #0 0x584a02 in resize_stream /root/gifsicle-1.94/src/xform.c:1327:16
    #1 0x593aeb in merge_and_write_frames /root/gifsicle-1.94/src/gifsicle.c:1029:7
    #2 0x592f94 in output_frames /root/gifsicle-1.94/src/gifsicle.c:1108:7
    #3 0x59b95d in main /root/gifsicle-1.94/src/gifsicle.c:2183:5
    #4 0x7f6fa3046c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41bbc9 in _start (/root/gifsicle-1.94/src/gifsicle+0x41bbc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/gifsicle-1.94/src/xform.c:1327:16 in resize_stream
==4691==ABORTING

2) The POC can be found here: POC2

AddressSanitizer:DEADLYSIGNAL
=================================================================
==21707==ERROR: AddressSanitizer: FPE on unknown address 0x000000584a2e (pc 0x000000584a2e bp 0x7ffcc64822f0 sp 0x7ffcc6481fe0 T0)
    #0 0x584a2e in resize_stream /root/gifsicle-1.94/src/xform.c:1327:49
    #1 0x593aeb in merge_and_write_frames /root/gifsicle-1.94/src/gifsicle.c:1029:7
    #2 0x592f94 in output_frames /root/gifsicle-1.94/src/gifsicle.c:1108:7
    #3 0x59b95d in main /root/gifsicle-1.94/src/gifsicle.c:2183:5
    #4 0x7fc4265dcc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41bbc9 in _start (/root/gifsicle-1.94/src/gifsicle+0x41bbc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/gifsicle-1.94/src/xform.c:1327:49 in resize_stream
==21707==ABORTING
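Added illustration, not gifsicle's code and not part of this report: on x86-64 a SIGFPE raised from integer code such as the frames above almost always means an integer division by zero, and a resize routine divides by frame dimensions. That the reproduction's transparency crop leaves an empty frame that then reaches the divide at xform.c:1327 is an assumption made here; the thread itself does not state the cause. The sketch below models a crop-to-opaque-bounds step feeding a fixed-point scale computation and shows the check a hardened version performs before dividing, so an untrusted image produces an error return instead of killing the process. All names (`frame`, `opaque_bounds`, `compute_resize_scale`, the sample pixel arrays) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Status returned instead of trapping on bad dimensions. */
typedef enum {
    RESIZE_OK = 0,
    RESIZE_ERR_EMPTY_SOURCE,   /* frame has zero width or height after cropping */
    RESIZE_ERR_EMPTY_TARGET,   /* requested output size has a zero dimension */
    RESIZE_ERR_OVERFLOW        /* 16.16 fixed-point scale would not fit */
} resize_status;

/* Source pixels per output pixel, 16.16 fixed point (hypothetical layout). */
typedef struct { uint32_t x_step, y_step; } resize_scale;

/* Minimal indexed-colour frame (hypothetical; not gifsicle's Gif_Image). */
typedef struct {
    unsigned width, height;
    int transparent;        /* colour index treated as transparent, or -1 */
    const uint8_t *pixels;  /* width*height colour indices, row-major */
} frame;

/* Bounding box of the non-transparent pixels, the way a crop-transparency
   option shrinks a frame. A fully transparent frame yields a 0x0 box, which
   is exactly the input a later resize must refuse to divide by. */
void opaque_bounds(const frame *f, unsigned *w, unsigned *h)
{
    unsigned minx = f->width, miny = f->height, maxx = 0, maxy = 0;
    int any = 0;
    for (unsigned y = 0; y < f->height; y++)
        for (unsigned x = 0; x < f->width; x++) {
            if ((int)f->pixels[y * f->width + x] == f->transparent)
                continue;
            if (x < minx) minx = x;
            if (x > maxx) maxx = x;
            if (y < miny) miny = y;
            if (y > maxy) maxy = y;
            any = 1;
        }
    if (!any) { *w = *h = 0; return; }
    *w = maxx - minx + 1;
    *h = maxy - miny + 1;
}

/* Validate every divisor before dividing. Without the first two checks a
   0x0 source or a zero target dimension raises SIGFPE (the crash class in
   the ASAN reports above); the third keeps the shift from overflowing. */
resize_status compute_resize_scale(unsigned src_w, unsigned src_h,
                                   unsigned dst_w, unsigned dst_h,
                                   resize_scale *out)
{
    if (src_w == 0 || src_h == 0) return RESIZE_ERR_EMPTY_SOURCE;
    if (dst_w == 0 || dst_h == 0) return RESIZE_ERR_EMPTY_TARGET;
    if (src_w > (UINT32_MAX >> 16) || src_h > (UINT32_MAX >> 16))
        return RESIZE_ERR_OVERFLOW;
    out->x_step = ((uint32_t)src_w << 16) / dst_w;
    out->y_step = ((uint32_t)src_h << 16) / dst_h;
    return RESIZE_OK;
}

/* Crop-then-resize pipeline on one frame. */
resize_status crop_then_resize(const frame *f, unsigned dst_w, unsigned dst_h,
                               resize_scale *out)
{
    unsigned w, h;
    opaque_bounds(f, &w, &h);
    return compute_resize_scale(w, h, dst_w, dst_h, out);
}

/* Constructed 4x4 sample frames; index 0 is the transparent colour. */
static const uint8_t FULLY_TRANSPARENT[16] = {0};
static const uint8_t PARTLY_OPAQUE[16] = {
    0, 0, 0, 0,
    0, 1, 0, 0,
    0, 0, 0, 0,
    0, 0, 1, 0,
};

/* Helpers returning the pipeline's results for the two sample frames. */
int status_for_transparent_frame(void)
{
    frame f = { 4, 4, 0, FULLY_TRANSPARENT };
    resize_scale s;
    return crop_then_resize(&f, 256, 256, &s);
}
uint32_t x_step_for_opaque_frame(void)
{
    frame f = { 4, 4, 0, PARTLY_OPAQUE };
    resize_scale s;
    return crop_then_resize(&f, 256, 256, &s) == RESIZE_OK ? s.x_step : 0;
}
uint32_t y_step_for_opaque_frame(void)
{
    frame f = { 4, 4, 0, PARTLY_OPAQUE };
    resize_scale s;
    return crop_then_resize(&f, 256, 256, &s) == RESIZE_OK ? s.y_step : 0;
}

int main(void)
{
    printf("fully transparent frame -> status %d (1 = empty source, refused)\n",
           status_for_transparent_frame());
    printf("partly opaque frame -> x_step %u, y_step %u (16.16 fixed point)\n",
           x_step_for_opaque_frame(), y_step_for_opaque_frame());
    return 0;
}
```

The opaque region of the second sample spans 2x3 pixels, so scaling it to 256x256 gives steps of 2*65536/256 = 512 and 3*65536/256 = 768; the first sample crops to nothing and is rejected before any division happens. The same shape of check (reject empty frames and zero target sizes at the boundary where untrusted dimensions enter) is what a fuzzer-driven bug report like this one should prompt a maintainer to audit for in every other arithmetic path that takes frame dimensions as divisors.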

kohler commented 1 year ago

I believe these issues are addressed in 76b1f021dd185ceff7b4a71a9f96a6026aca06af and 06d533628b1f3a75d06cbb29773dc6aaa2916fc3.

kohler commented 1 year ago

Thank you for reporting them!

opoplawski commented 1 year ago

Will there be a new release soon with these fixes? Thanks.

manfredsc commented 1 year ago

This is CVE-2023-46009: gifsicle: floating point exception vulnerability via resize_stream at src/xform.c

opoplawski commented 9 months ago

Again, a release with this fix would be very much appreciated. Thanks.

kohler commented 9 months ago

I've released 1.95 with this fix.

opoplawski commented 9 months ago

Thank you!