Stack out-of-bounds read in gif_get_code() #463
@Jorgecmartins I've tried this on macOS and Linux (Ubuntu 20.04), but only Linux reproduces.

@michaelrsweet I was also able to reproduce it on macOS.
macOS version: 11.6

@Jorgecmartins I added another layer of protection here: [master 312f0f9] Block GIF images with a code size > 12 (Issue #463)

@michaelrsweet The extra protection fixed the issue.
In `gif_get_code()`, in image.cxx, there is a stack out-of-bounds read in the following code:

The expression `curbit - lastbit`, line 267, can result in an integer overflow when `lastbit > curbit`, updating `curbit` to a large number since it is unsigned. Later on line 272 the variable `i` is set to a number less than `code_size`, since `curbit + (unsigned)code_size - 1` overflows, which results after a few iterations in a stack out-of-bounds read in `buf[i/8]`.

I've attached poc.zip that contains a malicious gif and a html file and triggers the out of bounds read resulting in a segmentation fault.
Steps to reproduce
The following should result in a segmentation fault:
Steps to analyse the crash on gdb
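The arithmetic this report describes, as an added illustration that is not HTMLDOC's code: a constructed minimal GIF LZW code reader in the same two-byte-carry shape as the classic `gif_get_code()`, with the guards a hardened version needs (the code-size cap the thread's fix adds, plus explicit checks that the carry-over cannot wrap `curbit` and that a full code is available before any `buf[]` index is formed). The reader type, function names, the `GIF_MAX_CODE_SIZE` constant and the sample sub-block stream are assumptions of this example, not identifiers from image.cxx.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not HTMLDOC's image.cxx): a small GIF LZW code reader
 * that keeps two carry bytes in front of each refilled data sub-block. */
#define GIF_MAX_CODE_SIZE 12   /* GIF LZW codes are at most 12 bits wide */
#define GIF_BUF_SIZE      280  /* 2 carry bytes + 255-byte sub-block + slack */

typedef struct {
    const unsigned char *data;   /* GIF data sub-blocks: len, bytes..., 0 */
    size_t len, pos;
    unsigned char buf[GIF_BUF_SIZE];
    unsigned curbit, lastbit, last_byte;
    int done;
} lzw_reader;

/* The refill expression named in the report, unguarded: with unsigned operands
 * it wraps to a huge value whenever lastbit - curbit exceeds the 16 carry bits. */
unsigned unchecked_refill_curbit(unsigned curbit, unsigned lastbit)
{
    return (curbit - lastbit) + 16;
}

/* Copy the next sub-block into dst; returns its length, 0 at the terminator. */
static int get_block(lzw_reader *r, unsigned char *dst)
{
    if (r->pos >= r->len) return 0;
    unsigned count = r->data[r->pos++];
    if (count == 0 || r->pos + count > r->len) return 0;
    memcpy(dst, r->data + r->pos, count);
    r->pos += count;
    return (int)count;
}

void lzw_reader_init(lzw_reader *r, const unsigned char *data, size_t len)
{
    memset(r, 0, sizeof *r);
    r->data = data;
    r->len = len;
}

/* Returns the next code_size-bit code (LSB first), or -1 on error / end. */
int lzw_get_code(lzw_reader *r, int code_size)
{
    /* Guard 1: the cap the fix adds; a crafted code size never reaches the math */
    if (code_size < 2 || code_size > GIF_MAX_CODE_SIZE) return -1;

    if (r->curbit + (unsigned)code_size >= r->lastbit) {
        if (r->done) return -1;
        /* Guard 2: the carry holds 16 bits; anything larger would wrap curbit */
        if (r->lastbit < r->curbit || r->lastbit - r->curbit > 16) return -1;
        unsigned leftover = r->lastbit - r->curbit;   /* unread bits, < code_size */
        if (r->last_byte >= 2) {
            r->buf[0] = r->buf[r->last_byte - 2];
            r->buf[1] = r->buf[r->last_byte - 1];
        } else {
            r->buf[0] = r->buf[1] = 0;
        }
        int count = get_block(r, r->buf + 2);
        if (count <= 0) { r->done = 1; count = 0; }
        r->last_byte = 2 + (unsigned)count;
        r->curbit = 16 - leftover;        /* (curbit - lastbit) + 16, without wrap */
        r->lastbit = r->last_byte * 8;
        /* Guard 3: no full code left -> end of stream, never read stale bytes */
        if (r->curbit + (unsigned)code_size > r->lastbit) return -1;
    }

    int code = 0;
    for (int k = 0; k < code_size; k++) {
        unsigned i = r->curbit + (unsigned)k;   /* i < lastbit <= GIF_BUF_SIZE * 8 */
        code |= ((r->buf[i / 8] >> (i & 7)) & 1) << k;
    }
    r->curbit += (unsigned)code_size;
    return code;
}

/* Constructed stream: one 2-byte sub-block holding the 3-bit codes 4, 1, 2, 5
 * packed LSB-first (0x8C 0x0A), followed by the block terminator. */
static const unsigned char demo_stream[] = { 0x02, 0x8C, 0x0A, 0x00 };

/* Decode the constructed stream with 3-bit codes; returns the number read. */
int demo_decode(int *out, int max_out)
{
    lzw_reader r;
    int n = 0, code;
    lzw_reader_init(&r, demo_stream, sizeof demo_stream);
    while (n < max_out && (code = lzw_get_code(&r, 3)) >= 0)
        out[n++] = code;
    return n;
}

/* 1 if the stream yields 4, 1, 2, 5 and one zero padding code, then stops. */
int demo_codes_match(void)
{
    int codes[8], n = demo_decode(codes, 8);
    static const int expected[] = { 4, 1, 2, 5, 0 };
    return n == 5 && memcmp(codes, expected, sizeof expected) == 0;
}

/* An oversized code size is refused before any buffer arithmetic runs. */
int demo_oversized_code_size(void)
{
    lzw_reader r;
    lzw_reader_init(&r, demo_stream, sizeof demo_stream);
    return lzw_get_code(&r, 20);
}

int main(void)
{
    int codes[8], n = demo_decode(codes, 8);
    printf("decoded %d codes:", n);
    for (int k = 0; k < n; k++) printf(" %d", codes[k]);
    printf("\nunguarded refill, curbit=8 lastbit=32 -> %u\n", unchecked_refill_curbit(8, 32));
    printf("code_size 20 -> %d\n", demo_oversized_code_size());
    return 0;
}
```

The three guards are independent: the code-size cap alone closes the path the report describes (with at most 12-bit codes the leftover bit count is always below 16), while the carry and end-of-stream checks keep the index `i` inside `buf[]` even if an upstream change later relaxes that cap.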