Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow at WritePixels() in ngiflib.c:226 #15

Closed
cuanduo opened this issue Oct 14, 2019 · 2 comments
Closed

heap-buffer-overflow at WritePixels() in ngiflib.c:226 #15

cuanduo opened this issue Oct 14, 2019 · 2 comments

Comments

@cuanduo
Copy link

cuanduo commented Oct 14, 2019

Tested in Ubuntu 19.04, 64bit, ngiflib(master 2bef2a0)

Triggered by
gif2tga $POC

POC file:

poc.zip

asan

root@ubuntu:/home/tim/ngiflib-normal# ./gif2tga mr_gland.gif-out_of_bound-idx\:0xf3-0x0.gif 
=================================================================
==94158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000162 at pc 0x5632b5984c7a bp 0x7ffd20267aa0 sp 0x7ffd20267a90
READ of size 1 at 0x604000000162 thread T0
    #0 0x5632b5984c79 in GifIndexToTrueColor /home/tim/ngiflib-normal/ngiflib.c:842
    #1 0x5632b5984ec8 in WritePixels /home/tim/ngiflib-normal/ngiflib.c:226
    #2 0x5632b5987664 in DecodeGifImg /home/tim/ngiflib-normal/ngiflib.c:582
    #3 0x5632b5988fb7 in LoadGif /home/tim/ngiflib-normal/ngiflib.c:823
    #4 0x5632b5983f29 in main /home/tim/ngiflib-normal/gif2tga.c:95
    #5 0x7fc810b42b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #6 0x5632b59832d9 in _start (/home/tim/ngiflib-normal/gif2tga+0x22d9)

Address 0x604000000162 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/ngiflib-normal/ngiflib.c:842 in GifIndexToTrueColor
Shadow bytes around the buggy address:
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==94158==ABORTING
@miniupnp
Copy link
Owner

thank you for the bug report

@NicoleG25
Copy link

Note that it appears that CVE-2019-20219 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants