gif2swf MovieAddFrame() memcpy overflow #33

Closed
lcatro opened this issue Jun 11, 2017 · 3 comments
lcatro commented Jun 11, 2017

Crash: https://raw.githubusercontent.com/lcatro/My_PoC/master/swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen

Trigger: ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen

Crash detail:

fuzzer@ub16x64:~/fuzzing/swftools/src$ ./gif2swf -r 2 -o /dev/null -z swftools/git2swf_-r_2_-o_dev_null_-z_memory_corruption__fopen

==29933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000006f10 at pc 0x7ff90bb97904 bp 0x7fff993b5990 sp 0x7fff993b5138
WRITE of size 60 at 0x61c000006f10 thread T0
#0 0x7ff90bb97903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x4028b4 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4028b4)
#2 0x403a91 in main (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x403a91)
#3 0x7ff90b0e682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401ff8 in _start (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x401ff8)

0x61c000006f10 is located 0 bytes to the right of 1680-byte region [0x61c000006880,0x61c000006f10)
allocated by thread T0 here:
#0 0x7ff90bba3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4027d5 in MovieAddFrame (/home/fuzzer/fuzzing/swftools/src/gif2swf+0x4027d5)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==29933==ABORTING

yoya (Contributor) commented Jan 17, 2020

Probably due to the size mismatch of the GIF Screen & image.
GIF has a Screen size as a display/canvas area and an image size as raster data.
Due to the differences, GIF can have a minimum area image size that changes between frames of the GIF animation (known as a dirty rectangle).

gif2swf handles the common case of Screen>image size correctly.
But when Screen<image, it treats Screen=image, so it writes a large image to a small screen buffer and appears to cause an overflow.

yoya (Contributor) commented Jan 17, 2020

If my guess is correct, we can fix it by cropping the image of each frame with screen size.
There are a lot of things to be aware of to fix it.
For example, there is a case where the width is Screen>image and the height is Screen<image.
Also, the clip position does not always start from the upper left corner.
Further, de-interlacing.

yoya (Contributor) commented Jan 18, 2020

Or, if the image size does not fit in the screen size, we may want to make an error, because it's vulnerable.
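Both mitigation options yoya describes above (clip each frame's rectangle to the logical screen before copying, or reject any frame that does not fit) as an added example in C; this is not swftools' code, the `screen_t`/`image_t` structs, the function names and the 2x2/3x3 sample data are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed GIF-like geometry (not swftools' structs): the logical
 * screen (canvas) and one frame image with its own size and position.
 * GIF stores all of these as 16-bit values, so int sums cannot overflow. */
typedef struct { int w, h; } screen_t;
typedef struct { int x, y, w, h; } image_t;

/* Strict option from the thread: reject any frame that does not fit the
 * screen. Written with subtractions so no intermediate sum can overflow. */
int frame_fits_screen(screen_t scr, image_t img)
{
    return img.x >= 0 && img.y >= 0 && img.w >= 0 && img.h >= 0 &&
           img.w <= scr.w - img.x && img.h <= scr.h - img.y;
}

/* Cropping option: copy an 8bpp frame row by row into a canvas of
 * scr.w * scr.h bytes, clipping the image rectangle to the screen first,
 * so every memcpy stays inside the canvas whatever sizes the GIF declares.
 * Handles a frame whose origin is not the upper-left corner. Returns the
 * number of pixels copied (0 when the frame is entirely off-screen). */
long blit_clipped(uint8_t *canvas, screen_t scr, const uint8_t *pix, image_t img)
{
    int x0 = img.x < 0 ? 0 : img.x;
    int y0 = img.y < 0 ? 0 : img.y;
    int x1 = img.x + img.w > scr.w ? scr.w : img.x + img.w;
    int y1 = img.y + img.h > scr.h ? scr.h : img.y + img.h;
    if (x0 >= x1 || y0 >= y1)
        return 0;
    int rows = y1 - y0, cols = x1 - x0;
    for (int r = 0; r < rows; r++) {
        const uint8_t *src = pix + (size_t)(y0 - img.y + r) * img.w + (x0 - img.x);
        uint8_t *dst = canvas + (size_t)(y0 + r) * scr.w + x0;
        memcpy(dst, src, (size_t)cols);   /* cols <= scr.w - x0 by construction */
    }
    return (long)rows * cols;
}

/* Re-create the reported shape of the bug on constructed data: a 3x3 frame
 * on a 2x2 screen. Returns pixels copied, or -1 if the sentinel byte just
 * past the canvas was touched or the visible quadrant was copied wrongly. */
long demo_oversized_frame(void)
{
    uint8_t pix[9], canvas[5] = { 0, 0, 0, 0, 0xEE };   /* canvas[4] = sentinel */
    for (int i = 0; i < 9; i++) pix[i] = (uint8_t)i;
    long n = blit_clipped(canvas, (screen_t){ 2, 2 }, pix, (image_t){ 0, 0, 3, 3 });
    if (canvas[4] != 0xEE || canvas[0] != 0 || canvas[1] != 1 ||
        canvas[2] != 3 || canvas[3] != 4)
        return -1;
    return n;
}
```

Compiled with `-fsanitize=address`, the clipped copy stays silent on the same geometry that produced the 60-byte write past the 1680-byte region above.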
