
global out of bounds read when encoding gif from malformed input with gd2togif #209

Closed
@hannob

Description

@hannob

The attached file causes a global out-of-bounds read error in the function output (gd_gif_out.c), called by compress/GIFEncode. This was found with the help of american fuzzy lop and AddressSanitizer.

To test, pass the attached file (zip-packed due to GitHub limitations) to gd2togif compiled with AddressSanitizer.

The full AddressSanitizer error message:

==26159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000055e4b0 at pc 0x000000531231 bp 0x7ffc8a6e0610 sp 0x7ffc8a6e0608
READ of size 8 at 0x00000055e4b0 thread T0
    #0 0x531230 in output /f/libgd/libgd/src/gd_gif_out.c:1454:20
    #1 0x52fb4a in compress /f/libgd/libgd/src/gd_gif_out.c:1407:3
    #2 0x52b87a in GIFEncode /f/libgd/libgd/src/gd_gif_out.c:1142:2
    #3 0x52b87a in gdImageGifCtx /f/libgd/libgd/src/gd_gif_out.c:236
    #4 0x52bb13 in gdImageGif /f/libgd/libgd/src/gd_gif_out.c:197:2
    #5 0x4f3cc6 in main /f/libgd/libgd/src/gd2togif.c:40:2
    #6 0x7f2ab391b78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x418fa8 in _start (/mnt/ram/gd/gd2togif+0x418fa8)

0x00000055e4b0 is located 16 bytes to the left of global variable 'masks' defined in 'gd_gif_out.c:1445:22' (0x55e4c0) of size 136
0x00000055e4b0 is located 41 bytes to the right of global variable '<string literal>' defined in 'gd_gif_out.c:1078:29' (0x55e480) of size 7
  '<string literal>' is ascii string 'GIF87a'
SUMMARY: AddressSanitizer: global-buffer-overflow /f/libgd/libgd/src/gd_gif_out.c:1454:20 in output
Shadow bytes around the buggy address:
  0x0000800a3c40: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800a3c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c80: 07 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
=>0x0000800a3c90: 07 f9 f9 f9 f9 f9[f9]f9 00 00 00 00 00 00 00 00
  0x0000800a3ca0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800a3cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3cd0: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800a3ce0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26159==ABORTING

libgd-global-oob-GIFEncode.zip
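The report above pins the fault to a mask lookup in the encoder's `output()` routine: an 8-byte read 16 bytes before the global `masks`, whose size is 136 bytes, i.e. 17 8-byte entries, so on this 64-bit build the faulting access is `masks[-2]`. The following is an added example, not libgd's code or the fix for this issue, and it does not reproduce the attached file's trigger. It models the shape of the classic compress-derived GIF LZW bit packer, where `masks[]` is indexed by the count of pending bits, shows how an out-of-range bit count turns into a read outside the global, and places a bounds-checked variant beside it. All names (`Packer`, `output_unchecked`, `output_checked`, `pack_codes`, `bad_state_rejected`) and the sample code sequence are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libgd's code. masks[n] has the low n bits set,
 * n = 0..16, so 17 entries: 136 bytes on LP64, the size ASan reports above
 * for libgd's own 'masks'. A read 16 bytes before it is masks[-2]. */
static const unsigned long masks[] = {
    0x0000, 0x0001, 0x0003, 0x0007, 0x000F, 0x001F, 0x003F, 0x007F,
    0x00FF, 0x01FF, 0x03FF, 0x07FF, 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF,
    0xFFFF
};
#define NMASKS ((int)(sizeof masks / sizeof masks[0]))
#define MAX_GIF_CODE_BITS 12   /* GIF LZW codes are at most 12 bits wide */

typedef struct {
    unsigned long cur_accum;  /* pending bits, least significant first */
    int cur_bits;             /* number of valid bits in cur_accum */
    int n_bits;               /* current code width */
    unsigned char out[64];    /* constructed output sink (stands in for the file) */
    size_t out_len;
} Packer;

static void flush_byte(Packer *p, unsigned char b)
{
    if (p->out_len < sizeof p->out)
        p->out[p->out_len++] = b;
}

/* The unchecked shape: cur_bits is used directly as an array index and a
 * shift count. Any state that leaves it outside 0..16 reads past the global,
 * which is the class of fault the ASan report shows. */
static void output_unchecked(Packer *p, int code)
{
    p->cur_accum &= masks[p->cur_bits];
    p->cur_accum |= (unsigned long)code << p->cur_bits;
    p->cur_bits += p->n_bits;
    while (p->cur_bits >= 8) {
        flush_byte(p, (unsigned char)(p->cur_accum & 0xff));
        p->cur_accum >>= 8;
        p->cur_bits -= 8;
    }
}

/* Hardened shape: validate every value that feeds an index or a shift
 * before touching memory. Returns 0 on success, -1 on a bad state. */
static int output_checked(Packer *p, int code)
{
    if (p->cur_bits < 0 || p->cur_bits >= NMASKS)
        return -1;                                   /* would index outside masks[] */
    if (p->n_bits < 1 || p->n_bits > MAX_GIF_CODE_BITS)
        return -1;                                   /* invalid code width */
    if (code < 0 || (unsigned long)code > masks[p->n_bits])
        return -1;                                   /* code does not fit n_bits */
    if (p->cur_bits + p->n_bits > (int)(sizeof(unsigned long) * 8))
        return -1;                                   /* shift would overflow accum */
    output_unchecked(p, code);
    return 0;
}

/* Pack a sequence of codes at a fixed width. Returns the number of bytes
 * produced, or -1 if the packer was ever asked to operate on a bad state. */
static int pack_codes(Packer *p, int n_bits, const int *codes, size_t n)
{
    memset(p, 0, sizeof *p);
    p->n_bits = n_bits;
    for (size_t i = 0; i < n; i++)
        if (output_checked(p, codes[i]) != 0)
            return -1;
    if (p->cur_bits > 0)                             /* final partial byte */
        flush_byte(p, (unsigned char)(p->cur_accum & 0xff));
    return (int)p->out_len;
}

/* Constructed bad state: a negative pending-bit count, the index the report
 * implies. The checked routine refuses it instead of reading masks[-2]. */
static int bad_state_rejected(void)
{
    Packer p;
    memset(&p, 0, sizeof p);
    p.n_bits = 3;
    p.cur_bits = -2;
    return output_checked(&p, 1);
}

int main(void)
{
    Packer p;
    const int codes[] = { 4, 1, 6 };                 /* constructed 3-bit codes */
    int n = pack_codes(&p, 3, codes, 3);
    printf("packed %d bytes:", n);
    for (int i = 0; i < n; i++)
        printf(" %02x", p.out[i]);
    printf("\nbad state -> %d\n", bad_state_rejected());
    return 0;
}
```

The checks in `output_checked` are the ones a reviewer would want around any table lookup driven by encoder state: the index into `masks[]`, the shift count, and the code width all come from counters that a malformed input can push out of range, and the cheap comparison before the lookup is what turns a silent out-of-bounds read into a clean error return.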
