
Two FPE bugs unique in gifsicle-1.94 #196

Closed
TimChan2001 opened this issue Oct 10, 2023 · 7 comments

@TimChan2001
We found 2 FPE bugs in gifsicle-1.94. Initially, we thought #193 would be applicable. However, upon discovering that the same reproduction steps didn't work in gifsicle-1.93, we believe this issue might be different.

Reproduction

Build gifsicle-1.94 with ASAN, then run

src/gifsicle --crop 0,0-256,256 --crop-transparency --flip-vertical -i -p 1,1 --rotate-90 --resize=256x256 -o c $POC

We ran it on a 64-bit Ubuntu 18.04.

ASAN Report

1. The POC can be found here: POC1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4691==ERROR: AddressSanitizer: FPE on unknown address 0x000000584a02 (pc 0x000000584a02 bp 0x7ffc7d0d8eb0 sp 0x7ffc7d0d8ba0 T0)
    #0 0x584a02 in resize_stream /root/gifsicle-1.94/src/xform.c:1327:16
    #1 0x593aeb in merge_and_write_frames /root/gifsicle-1.94/src/gifsicle.c:1029:7
    #2 0x592f94 in output_frames /root/gifsicle-1.94/src/gifsicle.c:1108:7
    #3 0x59b95d in main /root/gifsicle-1.94/src/gifsicle.c:2183:5
    #4 0x7f6fa3046c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41bbc9 in _start (/root/gifsicle-1.94/src/gifsicle+0x41bbc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/gifsicle-1.94/src/xform.c:1327:16 in resize_stream
==4691==ABORTING
2. The POC can be found here: POC2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21707==ERROR: AddressSanitizer: FPE on unknown address 0x000000584a2e (pc 0x000000584a2e bp 0x7ffcc64822f0 sp 0x7ffcc6481fe0 T0)
    #0 0x584a2e in resize_stream /root/gifsicle-1.94/src/xform.c:1327:49
    #1 0x593aeb in merge_and_write_frames /root/gifsicle-1.94/src/gifsicle.c:1029:7
    #2 0x592f94 in output_frames /root/gifsicle-1.94/src/gifsicle.c:1108:7
    #3 0x59b95d in main /root/gifsicle-1.94/src/gifsicle.c:2183:5
    #4 0x7fc4265dcc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41bbc9 in _start (/root/gifsicle-1.94/src/gifsicle+0x41bbc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/gifsicle-1.94/src/xform.c:1327:49 in resize_stream
==21707==ABORTING
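Both traces above stop at an integer divide in resize_stream after a --crop step, which is the classic shape of a SIGFPE: a preceding transform leaves a frame with a zero dimension, and the resize computation divides by it. The following is an added example written for this issue, not gifsicle's code and not the fix in the commits kohler references; the names clip_crop, resize_ratio, xscale_for and empty_crop_is_refused are hypothetical. It models how an empty crop intersection produces a 0x0 frame and shows the validation a resize step needs before dividing.

```c
#include <stdio.h>

/* Added example, not gifsicle's code. Models the bug class in this
 * issue: a crop that leaves no pixels yields a 0x0 frame, and a resize
 * that divides by the source dimensions then raises SIGFPE (what ASAN
 * reports as "FPE") unless the dimensions are validated first. */

typedef struct {
    int width;
    int height;
} frame_dims;

/* Intersect a crop rectangle (x0,y0)-(x1,y1) with the frame bounds.
 * The intersection may be empty; that is how a zero dimension arises. */
frame_dims clip_crop(frame_dims frame, int x0, int y0, int x1, int y1) {
    frame_dims out = {0, 0};
    if (x0 < 0) x0 = 0;
    if (y0 < 0) y0 = 0;
    if (x1 > frame.width) x1 = frame.width;
    if (y1 > frame.height) y1 = frame.height;
    if (x1 > x0 && y1 > y0) {
        out.width = x1 - x0;
        out.height = y1 - y0;
    }
    return out;
}

/* Hardened scale computation: fills 16.16 fixed-point dst/src ratios and
 * returns 0, or returns -1 when either frame has no pixels. Integer
 * division is used deliberately: a native integer divide by zero traps,
 * whereas a floating-point divide would silently produce inf or nan. */
int resize_ratio(frame_dims src, frame_dims dst, long *xscale, long *yscale) {
    if (src.width <= 0 || src.height <= 0 || dst.width <= 0 || dst.height <= 0)
        return -1;  /* refuse rather than divide by zero */
    *xscale = ((long)dst.width << 16) / src.width;
    *yscale = ((long)dst.height << 16) / src.height;
    return 0;
}

/* Convenience wrapper: x scale for a square resize, or -1 if refused. */
long xscale_for(int src_w, int src_h, int dst_w, int dst_h) {
    frame_dims src = {src_w, src_h};
    frame_dims dst = {dst_w, dst_h};
    long sx, sy;
    if (resize_ratio(src, dst, &sx, &sy) != 0)
        return -1;
    return sx;
}

/* Returns 1 if a crop lying entirely outside an 8x8 frame is rejected by
 * the resize step instead of reaching the divide. */
int empty_crop_is_refused(void) {
    frame_dims img = {8, 8};
    frame_dims cropped = clip_crop(img, 10, 10, 20, 20);  /* empty */
    return xscale_for(cropped.width, cropped.height, 256, 256) == -1;
}

int main(void) {
    frame_dims img = {8, 8};
    frame_dims cropped = clip_crop(img, 0, 0, 256, 256);  /* clipped to 8x8 */
    long sx = xscale_for(cropped.width, cropped.height, 256, 256);
    printf("8x8 -> 256x256: xscale = %ld/65536 (%ld x)\n", sx, sx >> 16);
    printf("empty crop refused: %s\n", empty_crop_is_refused() ? "yes" : "no");
    return 0;
}
```

The guard belongs at the boundary where transformed dimensions enter the resize math, since any earlier step (crop, transparency trimming, rotation of an already-empty frame) can legitimately produce a zero-sized frame; an explicit refusal with an error message is the behaviour a user wants instead of a crash.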
@kohler
Owner

kohler commented Oct 11, 2023

I believe these issues are addressed in 76b1f02 and 06d5336.

@kohler
Owner

kohler commented Oct 11, 2023

Thank you for reporting them!

@opoplawski

Will there be a new release soon with these fixes? Thanks.

@manfredsc

This is CVE-2023-46009: gifsicle: floating point exception vulnerability via resize_stream at src/xform.c

@opoplawski

Again, a release with this fix would be very much appreciated. Thanks.

@kohler
Owner

kohler commented Feb 19, 2024

I've released 1.95 with this fix.

@opoplawski

Thank you!
