Closed Jorgecmartins closed 2 years ago
@Jorgecmartins I've tried this on macOS and Linux (Ubuntu 20.04), but only Linux reproduces.
[master 776cf0f] Fix potential stack overflow with GIF images (Issue #463)
@michaelrsweet I was also able to reproduce it on macOS.
Jorge@MacBook-Pro-de-Jorge htmldoc % ./htmldoc --webpage -f output.pdf ./crash.html
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Times-Roman.afm!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
PAGES: 2
ERR005: Unable to open font file /usr/local/share/htmldoc/fonts/Helvetica.pfa!
zsh: segmentation fault ./htmldoc --webpage -f output.pdf ./crash.html
macOS version: 11.6
Jorge@MacBook-Pro-de-Jorge htmldoc % uname -a
Darwin MacBook-Pro-de-Jorge.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64
@Jorgecmartins I added another layer of protection here:
[master 312f0f9] Block GIF images with a code size > 12 (Issue #463)
@michaelrsweet The extra protection fixed the issue.
In gif_get_code(), in image.cxx, there is a stack out-of-bounds read in the following code:
The expression curbit - lastbit, line 267, can result in an integer overflow when lastbit > curbit, updating curbit to a large number since it is unsigned. Later, on line 272, the variable i is set to a number less than code_size, since curbit + (unsigned)code_size - 1 overflows, which after a few iterations results in a stack out-of-bounds read in buf[i/8].
I've attached poc.zip, which contains a malicious GIF and an HTML file and triggers the out-of-bounds read, resulting in a segmentation fault.
Steps to reproduce
The following should result in a segmentation fault:
Steps to analyse the crash on gdb
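The unsigned underflow the report describes, as an added example that is not htmldoc's image.cxx code: a simplified model of a GIF LZW bit reader. The names buf, curbit, lastbit, code_size and i follow the report; the 280-byte buffer, the LSB-first extraction loop, the 12-bit limit (the maximum GIF LZW code width, matching the second fix's "code size > 12" block) and every helper name are assumptions made for this example. unchecked_carry() returns the wrapped value of curbit - lastbit so it can be inspected without indexing anything; gif_get_code_checked() validates the state before it touches buf[].

```c
#include <stdio.h>
#include <string.h>

/* Added example, not htmldoc's gif_get_code(). Buffer size, helper names
   and the LSB-first loop are assumptions; field names follow the report. */
#define GIF_BUF_BYTES 280
#define GIF_MAX_CODE_SIZE 12   /* GIF LZW codes are at most 12 bits wide */

struct gif_bits {
    unsigned char buf[GIF_BUF_BYTES];
    unsigned curbit;   /* index of the next bit to consume */
    unsigned lastbit;  /* one past the last valid bit in buf */
};

/* The hazard from the report: with unsigned operands, curbit - lastbit
   wraps to a value near UINT_MAX whenever lastbit > curbit. A reader that
   stores this back into curbit then computes i/8 far outside buf[].
   Returned rather than used as an index so it can be observed safely. */
unsigned unchecked_carry(unsigned curbit, unsigned lastbit)
{
    return curbit - lastbit;
}

/* Hardened reader: returns the next code_size-bit code, or -1 when the
   state is inconsistent. All checks run before buf[] is indexed, and the
   "enough bits" test is a subtraction that cannot wrap because
   curbit <= lastbit has already been established. */
int gif_get_code_checked(struct gif_bits *g, unsigned code_size)
{
    if (code_size < 1 || code_size > GIF_MAX_CODE_SIZE)
        return -1;                       /* reject code size > 12 */
    if (g->lastbit > GIF_BUF_BYTES * 8u)
        return -1;                       /* lastbit must stay inside buf */
    if (g->curbit > g->lastbit)
        return -1;                       /* curbit - lastbit would wrap */
    if (g->lastbit - g->curbit < code_size)
        return -1;                       /* a real decoder would refill here */

    int ret = 0;
    unsigned i, j;
    for (i = g->curbit, j = 0; j < code_size; i++, j++)
        ret |= ((g->buf[i / 8] >> (i % 8)) & 1) << j;   /* GIF packs codes LSB first */
    g->curbit += code_size;
    return ret;
}

/* Constructed two-byte sample: 0xA5 = bits 1,0,1,0,0,1,0,1 (LSB first), then 0xFF. */
static void init_sample(struct gif_bits *g)
{
    memset(g, 0, sizeof *g);
    g->buf[0] = 0xA5;
    g->buf[1] = 0xFF;
    g->curbit = 0;
    g->lastbit = 16;
}

/* Reads three 3-bit codes (5, 4, 6) and packs them as 546; -1 on rejection. */
int demo_valid_reads(void)
{
    struct gif_bits g;
    init_sample(&g);
    int a = gif_get_code_checked(&g, 3);
    int b = gif_get_code_checked(&g, 3);
    int c = gif_get_code_checked(&g, 3);
    if (a < 0 || b < 0 || c < 0)
        return -1;
    return a * 100 + b * 10 + c;
}

/* The value an unchecked reader would store in curbit when lastbit (16)
   exceeds curbit (5): 2^32 - 11, i.e. 4294967285. */
unsigned demo_wrapped_curbit(void)
{
    return unchecked_carry(5, 16);
}

/* Three malformed states the checked reader must refuse; returns how many
   were rejected (expected 3). */
int demo_rejections(void)
{
    struct gif_bits g;
    int rejected = 0;
    init_sample(&g);
    if (gif_get_code_checked(&g, 13) == -1) rejected++;   /* code size > 12 */
    g.curbit = 20;                                         /* past lastbit */
    if (gif_get_code_checked(&g, 3) == -1) rejected++;
    g.curbit = 10;                                         /* only 6 bits left */
    if (gif_get_code_checked(&g, 8) == -1) rejected++;
    return rejected;
}

int main(void)
{
    printf("codes: %d (expect 546)\n", demo_valid_reads());
    printf("wrapped curbit: %u -> buf index %u\n",
           demo_wrapped_curbit(), demo_wrapped_curbit() / 8);
    printf("rejected malformed states: %d (expect 3)\n", demo_rejections());
    return 0;
}
```

The design point is that the two fixes in this thread are complementary: bounding code_size to 12 limits how far a single read can advance, and comparing curbit against lastbit before any subtraction removes the wraparound that turned a bad header field into a huge buf[] index.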