Closed
Description
The attached file causes a global out-of-bounds read error in the function output (gd_gif_out.c), called by compress/GifEncode. This was found with the help of american fuzzy lop and address sanitizer.
To test, pass the attached file (zip-packed due to github limitations) to gd2togif compiled with address sanitizer.
The full address sanitizer error message:
==26159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000055e4b0 at pc 0x000000531231 bp 0x7ffc8a6e0610 sp 0x7ffc8a6e0608
READ of size 8 at 0x00000055e4b0 thread T0
#0 0x531230 in output /f/libgd/libgd/src/gd_gif_out.c:1454:20
#1 0x52fb4a in compress /f/libgd/libgd/src/gd_gif_out.c:1407:3
#2 0x52b87a in GIFEncode /f/libgd/libgd/src/gd_gif_out.c:1142:2
#3 0x52b87a in gdImageGifCtx /f/libgd/libgd/src/gd_gif_out.c:236
#4 0x52bb13 in gdImageGif /f/libgd/libgd/src/gd_gif_out.c:197:2
#5 0x4f3cc6 in main /f/libgd/libgd/src/gd2togif.c:40:2
#6 0x7f2ab391b78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
#7 0x418fa8 in _start (/mnt/ram/gd/gd2togif+0x418fa8)
0x00000055e4b0 is located 16 bytes to the left of global variable 'masks' defined in 'gd_gif_out.c:1445:22' (0x55e4c0) of size 136
0x00000055e4b0 is located 41 bytes to the right of global variable '<string literal>' defined in 'gd_gif_out.c:1078:29' (0x55e480) of size 7
'<string literal>' is ascii string 'GIF87a'
SUMMARY: AddressSanitizer: global-buffer-overflow /f/libgd/libgd/src/gd_gif_out.c:1454:20 in output
Shadow bytes around the buggy address:
==26159==ABORTING
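Reading the report above: an added triage helper (not libgd's code and not part of the original issue) that parses the ASan access and "is located" lines, picks the nearest named global, and derives the byte offset and implied element index, assuming the access size equals the array's element size.

```python
import re

# Constructed sample: the key lines of the AddressSanitizer report in this issue.
ASAN_REPORT = """\
==26159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000055e4b0 at pc 0x000000531231 bp 0x7ffc8a6e0610 sp 0x7ffc8a6e0608
READ of size 8 at 0x00000055e4b0 thread T0
    #0 0x531230 in output /f/libgd/libgd/src/gd_gif_out.c:1454:20
0x00000055e4b0 is located 16 bytes to the left of global variable 'masks' defined in 'gd_gif_out.c:1445:22' (0x55e4c0) of size 136
0x00000055e4b0 is located 41 bytes to the right of global variable '<string literal>' defined in 'gd_gif_out.c:1078:29' (0x55e480) of size 7
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
LOCATION_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)", re.M)


def triage_global_overflow(report):
    """Map an ASan global-buffer-overflow report onto the nearest global it names.

    The element index assumes the access size equals the element size of the
    array (true for a scalar load such as a[i]). Returns None when the report
    lacks the lines this helper needs."""
    access = ACCESS_RE.search(report)
    locations = LOCATION_RE.findall(report)
    if not access or not locations:
        return None
    kind, size, addr = access.group(1), int(access.group(2)), int(access.group(3), 16)
    # ASan names the closest global on each side; the nearer one is the likely culprit.
    _, distance, side, name, defined, base, var_size = min(locations, key=lambda l: int(l[1]))
    distance, base, var_size = int(distance), int(base, 16), int(var_size)
    # Offset of the faulting address from the variable's first byte (negative = before it).
    offset = -distance if side == "left" else var_size + distance
    if offset != addr - base:
        raise ValueError("distance and addresses in the report disagree")
    return {
        "kind": kind,
        "access_size": size,
        "variable": name,
        "defined_in": defined,
        "offset": offset,
        "elements": var_size // size,
        # None when the access does not land on an element boundary.
        "index": offset // size if offset % size == 0 else None,
        "direction": "underflow" if offset < 0 else "overflow",
    }
```

For this report the helper resolves the fault to masks[-2] in a 17-element table of 8-byte entries, which points the fix at validating the index used in output() rather than at the string literal ASan also lists.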