
Stack Buffer Overflow in gif_read_lzw #470

Closed
Voiddy-Dev opened this issue Jan 25, 2022 · 1 comment
Labels: bug (Something isn't working), priority-medium

@Voiddy-Dev

Due to an infinite loop in the gif_read_lzw function, the sp variable, which belongs to heap memory, can be arbitrarily modified.

The crash happens in this loop:

    while (code >= clear_code)
    {
      *sp++ = table[1][code];
      if (code == table[0][code])
        return (255);

      code = table[0][code];
    }

(screenshot: crash_gdb)

As sp is consistently incremented, it reaches outside heap memory, which causes the crash:

sp towards the start of execution: (screenshot: sp_in_heap)

sp once the crash happened: (screenshot: sp_end)

You can download and attempt the following POC:

    htmldoc --webpage -f out.pdf ./crash.html

Attachment: poc.zip
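As an added illustration (not htmldoc's code and not its fix), the prefix-chain walk from the loop quoted above with a bound on the output buffer and on the chain length, run over a constructed table that contains a two-entry cycle. The table layout (table[0] = prefix code, table[1] = suffix byte), MAX_CODES and CLEAR_CODE are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_CODES  4096   /* 12-bit LZW: codes 0..4095 (assumed) */
#define CLEAR_CODE 256    /* 8-bit GIF data: literals are 0..255 (assumed) */

enum { LZW_ERR_OVERFLOW = -1, LZW_ERR_CYCLE = -2, LZW_ERR_BADCODE = -3 };

/* Walk the prefix chain for `code`, writing suffix bytes into `out` (capacity
 * `cap`) in reverse order, as a stack-based decoder does. Returns the byte
 * count or a negative error. Unlike the loop in the report, the walk stops
 * when the buffer is full or when it has taken more steps than there are
 * codes, so neither a self-referencing entry nor a longer cycle can write
 * past the end of the buffer. */
static int walk_chain(unsigned short table[2][MAX_CODES], int code,
                      unsigned char *out, size_t cap)
{
    size_t n = 0, steps = 0;

    if (code < 0 || code >= MAX_CODES)
        return LZW_ERR_BADCODE;
    while (code >= CLEAR_CODE)
    {
        if (code >= MAX_CODES)
            return LZW_ERR_BADCODE;     /* prefix points outside the table */
        if (n >= cap)
            return LZW_ERR_OVERFLOW;    /* where the report's *sp++ runs off */
        if (steps++ >= MAX_CODES)
            return LZW_ERR_CYCLE;       /* a real chain has at most MAX_CODES links */
        out[n++] = (unsigned char)table[1][code];
        if (code == table[0][code])
            return LZW_ERR_CYCLE;       /* self-reference, as the original loop checks */
        code = table[0][code];
    }
    if (n >= cap)
        return LZW_ERR_OVERFLOW;
    out[n++] = (unsigned char)code;     /* the chain ends at a literal byte */
    return (int)n;
}

/* Constructed table: 259 -> 258 -> 'a' is a valid chain; 260 <-> 261 is a cycle. */
static void build_demo_table(unsigned short table[2][MAX_CODES])
{
    memset(table, 0, sizeof(unsigned short) * 2 * MAX_CODES);
    table[0][258] = 'a'; table[1][258] = 'b';
    table[0][259] = 258; table[1][259] = 'c';
    table[0][260] = 261; table[1][260] = 'x';
    table[0][261] = 260; table[1][261] = 'y';
}

int demo_valid(void)       /* 3: bytes "cba" */
{ unsigned short t[2][MAX_CODES]; unsigned char buf[16]; build_demo_table(t); return walk_chain(t, 259, buf, sizeof buf); }
int demo_cycle_small(void) /* LZW_ERR_OVERFLOW: buffer fills before the cycle is detected */
{ unsigned short t[2][MAX_CODES]; unsigned char buf[16]; build_demo_table(t); return walk_chain(t, 260, buf, sizeof buf); }
int demo_cycle_large(void) /* LZW_ERR_CYCLE: buffer is large enough, step limit trips first */
{ unsigned short t[2][MAX_CODES]; static unsigned char buf[MAX_CODES + 1]; build_demo_table(t); return walk_chain(t, 260, buf, sizeof buf); }
```

With the report's loop the cyclic entry 260 would keep writing x, y, x, y past whatever buffer sp points into; here the same table yields an error from either the capacity check or the step limit.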

@michaelrsweet
Owner

[master fb0334a] Fix a potential stack overflow bug with GIF images (Issue #470)

@michaelrsweet michaelrsweet self-assigned this Jan 25, 2022
@michaelrsweet michaelrsweet added bug Something isn't working priority-medium labels Jan 25, 2022
@michaelrsweet michaelrsweet added this to the Stable milestone Jan 25, 2022
@Voiddy-Dev Voiddy-Dev changed the title Heap Overflow in gif_read_lzw Stack Buffer Overflow in gif_read_lzw Jan 26, 2022