Stack out-of-bounds read in gif_get_code() #463

Closed
Jorgecmartins opened this issue Jan 7, 2022 · 5 comments
Labels: bug (Something isn't working), platform issue (Issue is specific to an OS or desktop), priority-low
Comments

@Jorgecmartins (Contributor)

In gif_get_code(), in image.cxx, there is a stack out-of-bounds read in the following code:

```cxx
267    curbit    = (curbit - lastbit) + 8 * last_byte;
268    last_byte += (unsigned)count;
269    lastbit   = last_byte * 8;
270  }
271
272  for (ret = 0, i = curbit + (unsigned)code_size - 1, j = (unsigned)code_size;
273       j > 0;
274       i --, j --)
275    ret = (ret << 1) | ((buf[i / 8] & bits[i & 7]) != 0);
```

The expression `curbit - lastbit` on line 267 can result in an integer overflow when `lastbit > curbit`, updating `curbit` to a large number since it is unsigned. Later, on line 272, the variable `i` is set to a number less than `code_size`, since `curbit + (unsigned)code_size - 1` overflows, which after a few iterations results in a stack out-of-bounds read in `buf[i / 8]`.

I've attached poc.zip, which contains a malicious GIF and an HTML file that triggers the out-of-bounds read, resulting in a segmentation fault.

Steps to reproduce

The following should result in a segmentation fault:

```sh
$ unzip poc.zip
$ htmldoc --webpage -f output.pdf crash.html
```

Steps to analyse the crash in gdb

```sh
gdb --args htmldoc --webpage -f output.pdf ./crash.html
# set a breakpoint on gif_get_code
run
continue 3
# reached the gif_get_code that will crash
```
michaelrsweet self-assigned this Jan 7, 2022
michaelrsweet added the labels bug (Something isn't working), platform issue (Issue is specific to an OS or desktop) and priority-low, and removed the label unable-to-reproduce (Unable to reproduce), Jan 7, 2022
michaelrsweet added this to the Stable milestone Jan 7, 2022
@michaelrsweet (Owner)

@Jorgecmartins I've tried this on macOS and Linux (Ubuntu 20.04), but only Linux reproduces.

@michaelrsweet (Owner)

[master 776cf0f] Fix potential stack overflow with GIF images (Issue #463)

@Jorgecmartins (Contributor, Author)

> @Jorgecmartins I've tried this on macOS and Linux (Ubuntu 20.04), but only Linux reproduces.

@michaelrsweet I was also able to reproduce it on macOS.

```
Jorge@MacBook-Pro-de-Jorge htmldoc % ./htmldoc --webpage -f output.pdf ./crash.html
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Times-Roman.afm!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
ERR005: Unable to open font width file /usr/local/share/htmldoc/fonts/Helvetica.afm!
PAGES: 2
ERR005: Unable to open font file /usr/local/share/htmldoc/fonts/Helvetica.pfa!
zsh: segmentation fault  ./htmldoc --webpage -f output.pdf ./crash.html
```

macOS version: 11.6

```
Jorge@MacBook-Pro-de-Jorge htmldoc % uname -a
Darwin MacBook-Pro-de-Jorge.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64
```

@michaelrsweet (Owner)

@Jorgecmartins I added another layer of protection here:

[master 312f0f9] Block GIF images with a code size > 12 (Issue #463)

@Jorgecmartins (Contributor, Author)

> @Jorgecmartins I added another layer of protection here:
>
> [master 312f0f9] Block GIF images with a code size > 12 (Issue #463)

@michaelrsweet The extra protection fixed the issue.
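The unsigned wrap described in the original report, and the two layers of protection the maintainer refers to (guarding the bit bookkeeping, and rejecting LZW code sizes above 12), shown together in one added C example. This is not HTMLDOC's code and does not reproduce either commit: `refill_curbit_unchecked`, `refill_curbit_checked`, `GifBitReader`, `gif_bits_read`, `MAX_LZW_CODE_SIZE` and the two-byte sample block are hypothetical names and constructed data chosen to mirror the loop quoted in the report, with every index validated before `buf` is touched.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example (not HTMLDOC's code): the GIF LZW bit extraction from the
 * report, rewritten with explicit bounds checks. GIF LZW codes are at most
 * 12 bits wide, which is the limit the maintainer's second fix enforces. */
#define MAX_LZW_CODE_SIZE 12u

/* The refill arithmetic from line 267 of the report, left unchecked: with
 * unsigned operands, lastbit > curbit + 8 * last_byte wraps to a huge value. */
unsigned refill_curbit_unchecked(unsigned curbit, unsigned lastbit, unsigned last_byte) {
    return (curbit - lastbit) + 8u * last_byte;
}

/* Same computation, but it refuses any state in which the result would go
 * negative. Returns 0 and stores the new curbit in *out, or -1 on error.
 * (Hypothetical check; the maintainer's actual fix is not shown in the issue.) */
int refill_curbit_checked(unsigned curbit, unsigned lastbit, unsigned last_byte, unsigned *out) {
    if (curbit > lastbit) return -1;                   /* reader already past the valid bits */
    if (lastbit - curbit > 8u * last_byte) return -1;  /* more unread bits than were carried over */
    *out = 8u * last_byte - (lastbit - curbit);
    return 0;
}

/* Hypothetical reader state: one data block plus the bit bookkeeping from the report. */
typedef struct {
    const unsigned char *buf;  /* bytes of the current LZW data block */
    size_t buflen;             /* number of valid bytes in buf */
    unsigned curbit;           /* next bit to consume (LSB-first, as in GIF) */
    unsigned lastbit;          /* one past the last valid bit */
} GifBitReader;

/* Reads one code_size-bit LZW code, mirroring the loop at lines 272-275 of the
 * report. Returns 0 and stores the code in *code, or -1 when the state is
 * inconsistent, instead of reading past the end of buf. */
int gif_bits_read(GifBitReader *r, unsigned code_size, unsigned *code) {
    static const unsigned char bits[8] = {1, 2, 4, 8, 16, 32, 64, 128};
    unsigned ret = 0, i, j;

    if (code_size == 0 || code_size > MAX_LZW_CODE_SIZE) return -1; /* the "> 12" block */
    if (r->lastbit > r->buflen * 8u) return -1;          /* lastbit claims bits buf does not hold */
    if (r->curbit > r->lastbit) return -1;               /* the state that underflows in the report */
    if (r->lastbit - r->curbit < code_size) return -1;   /* not enough bits left for a whole code */

    /* Same loop as the report; the checks above guarantee i / 8 < buflen throughout. */
    for (i = r->curbit + code_size - 1, j = code_size; j > 0; i--, j--)
        ret = (ret << 1) | ((r->buf[i / 8] & bits[i & 7]) != 0);

    r->curbit += code_size;
    *code = ret;
    return 0;
}

int main(void) {
    /* Constructed sample block: 0x4C 0x01 holds the 3-bit code 4, the 5-bit code 9,
     * then the 8-bit code 1; a further 1-bit read must be rejected. */
    static const unsigned char sample[2] = {0x4C, 0x01};
    GifBitReader r = {sample, sizeof sample, 0, 16};
    unsigned code, sizes[] = {3, 5, 8, 1};
    for (size_t k = 0; k < 4; k++) {
        if (gif_bits_read(&r, sizes[k], &code) == 0)
            printf("%u-bit code: %u\n", sizes[k], code);
        else
            printf("%u-bit read rejected at curbit=%u lastbit=%u\n", sizes[k], r.curbit, r.lastbit);
    }
    printf("unchecked refill(4, 40, 2) = %u\n", refill_curbit_unchecked(4, 40, 2));
    return 0;
}
```

The checked refill is where the report's `curbit - lastbit` lives: the only state that makes the unsigned subtraction wrap is one where more bits remain unread than the refill can carry over, so rejecting it is enough on its own. The code-size cap is independent of that and cheaper to apply up front, since with `code_size` bounded the loop's starting index can never run ahead of `lastbit` by more than 11 bits; keeping both is the layered approach the thread settles on.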
