
#181 out-of-bounds access in Gif2Icon

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 1
Updated: 2026-02-19
Created: 2025-04-23
Creator: DARKNAVY
Private: No

Summary

A buffer overflow exists in the Gif2Icon function of gifbuild.c, where unvalidated values are used to index a user-supplied NameTable, allowing out-of-bounds access.

Vulnerability Details

File: gifbuild.c
Function: Gif2Icon

In Gif2Icon, NameTable may be a user-supplied string (the -t option) shorter than the default 94-character table. Although the code enforces ColorCount < PRINTABLES and ch < PRINTABLES (94), it never checks that the actual length of a custom NameTable is ≥ 94. As a result, a crafted GIF with pixel values < 94 but ≥ strlen(userNameTable) will index past the end of the buffer, causing an out-of-bounds read.

for (i = 0; i < GifFile->SColorMap->ColorCount; i++) {
  if (GifFile->SColorMap->ColorCount < PRINTABLES) {
    printf("\trgb %03d %03d %03d is %c\n",
            GifFile->SColorMap->Colors[i].Red,
            GifFile->SColorMap->Colors[i].Green,
            GifFile->SColorMap->Colors[i].Blue,
            /* Only ensures i(ColorCount) < PRINTABLES, not NameTable length */
            NameTable[i]);
  } else {
    printf("\trgb %03d %03d %03d\n",
            GifFile->SColorMap->Colors[i].Red,
            GifFile->SColorMap->Colors[i].Green,
            GifFile->SColorMap->Colors[i].Blue);
  }
}
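The following is an added example, not giflib's code or the upstream fix: it places the check Gif2Icon performs beside a hardened variant that also honours the length of the supplied NameTable, and counts how many colour indices the original check lets through for the one-character table used by the PoC (-t H). Function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PRINTABLES 94   /* length of gifbuild's default name table */

/* Check as performed by Gif2Icon: only ColorCount is compared against
 * PRINTABLES, so a shorter user-supplied table is indexed past its end. */
static bool name_index_ok_original(const char *name_table, int color_count, int i)
{
    (void)name_table;   /* table length is never consulted */
    return color_count < PRINTABLES && i < color_count;
}

/* Hardened check (hypothetical): the index must also fall inside the table. */
static bool name_index_ok_hardened(const char *name_table, int color_count, int i)
{
    return color_count < PRINTABLES && i < color_count &&
           (size_t)i < strlen(name_table);
}

/* Character printed for colour i; '?' marks a colour the table cannot name. */
static char name_for_index(const char *name_table, int color_count, int i)
{
    return name_index_ok_hardened(name_table, color_count, i) ? name_table[i] : '?';
}

/* Number of indices the original check accepts but the hardened one rejects:
 * each is one out-of-bounds read of NameTable for this colour map. */
static int count_oob_reads(const char *name_table, int color_count)
{
    int oob = 0;
    for (int i = 0; i < color_count; i++)
        if (name_index_ok_original(name_table, color_count, i) &&
            !name_index_ok_hardened(name_table, color_count, i))
            oob++;
    return oob;
}

int main(void)
{
    /* Constructed input: the PoC's one-character table and an 8-colour map. */
    const char *table = "H";
    int colors = 8;
    printf("table \"%s\", %d colours: %d out-of-bounds reads\n",
           table, colors, count_oob_reads(table, colors));
    for (int i = 0; i < colors; i++)
        printf("colour %d -> %c\n", i, name_for_index(table, colors, i));
    return 0;
}
```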

Proof of Concept (PoC)

./gifbuild -d -t H ./poc.gif

poc.gif

Since NameTable points into argv, which sits on the stack next to the environment strings, running the PoC makes the out-of-bounds reads print bytes of the environment variables.

Example output:

...
image # 1
image left 0
image top 0
image bits 8 by 7
/poc.gif
TERM_SE
SSION_ID
=w2t3p0:
890CD4E0
-35EE-4E
56-A1E6-
...

Credit

Reporter credit: Argusee@DARKNAVY

1 Attachments

Discussion

  • Eric S. Raymond - 2026-02-19
    • status: open --> closed

  • Eric S. Raymond - 2026-02-19

    Fix pushed.
