Memory leak on gifsicle #195

Closed

@Frank-Z7

Description

We found a memory leak error when running gifsicle with the "--crop 3,6+5x6 --crop-transparency" configuration options.

At the same time, because gifsicle does not check repeated assignments of the "--crop" configuration, each special assignment of the "--crop" configuration in the command line parameters will increase the memory leak by 48 bytes. **Therefore, the size of this memory leak can be infinite.** For example, an attacker can use "--crop 3,6+5x6" in the command line one hundred thousand times, which will cause a memory leak of 4800000 bytes while the program is running.
**Moreover, although gifsicle will raise a warning, it will still execute the program's processing steps for GIF files normally and will not directly exit the program with an error.** This allows attackers to use gifsicle maliciously.

It should be noted that gifsicle (version 1.92-2) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.


Location

`Gif_Realloc`: `gifsicle/src/fmalloc.c:19:13`


Affected Component: gifsicle/gifsicle

ASAN Log

```sh
./src/gifsicle --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```

```text
=================================================================
==1919443==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x494f79 in realloc (/afltest/gifsicle/src/gifsicle+0x494f79)
    #1 0x4dc29c in Gif_Realloc /afltest/gifsicle/src/fmalloc.c:19:13
    #2 0x7ffff7c4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).
```

As mentioned in the Description section, since gifsicle does not check repeated assignments of the "--crop" configuration parameter, we can increase the number of specific assignments to the "--crop" configuration parameter to cause more memory leaks.

```sh
./src/gifsicle --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```

```text
=================================================================
==1919446==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4800 byte(s) in 100 object(s) allocated from:
    #0 0x494f79 in realloc (/afltest/gifsicle/src/gifsicle+0x494f79)
    #1 0x4dc29c in Gif_Realloc /afltest/gifsicle/src/fmalloc.c:19:13
    #2 0x7ffff7c4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 4800 byte(s) leaked in 100 allocation(s).
```

Version

```text
LCDF Gifsicle 1.94
Copyright (C) 1997-2023 Eddie Kohler
This is free software; see the source for copying conditions.
There is NO warranty, not even for merchantability or fitness for a
particular purpose.
```

Reference

https://github.com/kohler/gifsicle

http://www.lcdf.org/gifsicle/

Actual Behavior

Memory leak

PoC

gifsiclepoc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/gifsiclepoc

Reproduction

```sh
git clone https://github.com/kohler/gifsicle.git
cd gifsicle
autoreconf -i
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make

./src/gifsicle --crop 3,6+5x6 --crop-transparency gifsiclepoc -o out.gif
```

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))

Song Jiaxuan
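The allocation pattern the report describes (each repeated `--crop` allocates a fresh crop record and overwrites the pointer to the previous one, so one record is lost per repetition) is reproduced here as an added, self-contained example beside the corrected ownership handling. This is illustrative code written for this page, not gifsicle's own parser or `Gt_Crop`; `crop_t`, `parse_crop_options` and the `live_crops` counter are hypothetical names, and the command line is constructed from the `--crop 3,6+5x6` option quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical crop record for "--crop X,Y+WxH"; illustrative, not gifsicle's own. */
typedef struct { int x, y, w, h; } crop_t;

static int live_crops = 0;  /* bookkeeping so the leak is visible without a sanitizer */
static crop_t *crop_new(void) { live_crops++; return calloc(1, sizeof(crop_t)); }
static void crop_free(crop_t *c) { if (c) { live_crops--; free(c); } }

/* Parse "X,Y+WxH" as in the report; rejects trailing junk, negative offsets and
   non-positive sizes. Returns 1 on success, 0 on failure. */
int parse_crop(const char *s, crop_t *out) {
    int n = 0;
    int k = sscanf(s, "%d,%d+%dx%d%n", &out->x, &out->y, &out->w, &out->h, &n);
    return k == 4 && s[n] == '\0' && out->x >= 0 && out->y >= 0 && out->w > 0 && out->h > 0;
}

/* CLI-style option loop. With fix_leak == 0 each "--crop" allocates a record and
   overwrites the pointer to the previous one, which then has no owner: one lost
   allocation per repetition, as in the sanitizer trace above. With fix_leak == 1 the
   superseded record is freed on reassignment and the final one at exit.
   Returns the number of records still live when parsing ends. */
int parse_crop_options(int argc, const char **argv, int fix_leak) {
    crop_t *current = NULL;
    live_crops = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "--crop") != 0 || i + 1 >= argc) continue;
        crop_t *c = crop_new();
        if (!parse_crop(argv[++i], c)) { crop_free(c); continue; }
        if (fix_leak) crop_free(current);   /* release the record being replaced */
        current = c;
    }
    if (fix_leak) crop_free(current);       /* release the record actually used */
    return live_crops;
}

/* Constructed command line of `repeats` copies of "--crop 3,6+5x6" (the option from
   the report); returns how many records leak. */
int leaked_after_repeated_crops(int repeats, int fix_leak) {
    const char **argv = malloc(sizeof(*argv) * 2 * repeats);
    for (int i = 0; i < repeats; i++) { argv[2 * i] = "--crop"; argv[2 * i + 1] = "3,6+5x6"; }
    int leaked = parse_crop_options(2 * repeats, argv, fix_leak);
    free(argv);
    return leaked;
}
int main(void) {
    printf("unfixed: %d leaked\n", leaked_after_repeated_crops(100, 0));
    printf("fixed:   %d leaked\n", leaked_after_repeated_crops(100, 1));
    return 0;
}
```

With 100 repetitions the unfixed loop leaves 100 records live, matching the 100 leaked objects in the second sanitizer log, while the fixed loop leaves none.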
