
#182 out‐of‐bounds writes in Icon2Gif

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 1
Updated: 2026-02-19
Created: 2025-04-24
Creator: DARKNAVY
Private: No

Summary

A stack buffer overflow exists in the Icon2Gif function of gifbuild.c: sscanf writes a key character into the 94-byte KeyTable at index ColorMapSize, but ColorMapSize is only checked against 256, never against the table size, so any entry with index 94 or greater is written out of bounds.

Vulnerability Details

File: gifbuild.c
Function: Icon2Gif

  • Two arrays, GlobalColorKeys and LocalColorKeys, are each defined with size PRINTABLES (94).

  • The code selects one of these into KeyTable and then does:

```c
else if (sscanf(buf, " rgb %d %d %d is %c", &red, &green, &blue, &KeyTable[ColorMapSize]) == 4) {
    if (ColorMapSize >= 256) {
        PARSE_ERROR("Too many color entries.");
        exit(EXIT_FAILURE);
    }
    ColorMap[ColorMapSize].Red = red;
    ColorMap[ColorMapSize].Green = green;
    ColorMap[ColorMapSize].Blue = blue;
    ColorMapSize++;
}
```

  • While it enforces ColorMapSize < 256, it never ensures ColorMapSize < PRINTABLES (94).

  • Once ColorMapSize reaches 94, further writes overflow the 94‐byte buffer, corrupting adjacent memory.
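The same parse step, as an added example (not giflib's code, and not the fix that was later pushed, which this ticket does not show), written so that the key is read into a local variable and the index is checked against PRINTABLES before anything is stored. Checking before the write matters here: in the loop above, sscanf stores the key at KeyTable[ColorMapSize] as a side effect of matching the line, so even the existing `>= 256` test runs only after the out-of-bounds byte has already been written. ColorEntry, ColorMapState, parse_rgb_line, count_accepted and probe_full_table are names made up for this example, and the rgb lines it feeds itself are constructed to match the shape of the PoC.

```c
#include <stdio.h>
#include <string.h>

#define PRINTABLES 94          /* size of GlobalColorKeys / LocalColorKeys in gifbuild.c */
#define MAX_COLORS 256         /* the only limit the original loop enforces */

/* Hypothetical stand-in for the color map entry type; the ticket does not show it. */
typedef struct { int Red, Green, Blue; } ColorEntry;

typedef struct {
    ColorEntry ColorMap[MAX_COLORS];
    char       KeyTable[PRINTABLES];   /* same size as the array that overflowed */
    int        ColorMapSize;
} ColorMapState;

/* Parse one " rgb R G B is C" line. Returns 1 on success, 0 if the line is not
 * an rgb line, -1 if the key table is full, -2 if a component is out of range.
 * Unlike the vulnerable loop, sscanf parses into locals; nothing is written to
 * KeyTable until the index has been checked against PRINTABLES. */
int parse_rgb_line(ColorMapState *st, const char *buf)
{
    int red, green, blue;
    char key;

    if (sscanf(buf, " rgb %d %d %d is %c", &red, &green, &blue, &key) != 4)
        return 0;
    if (st->ColorMapSize >= PRINTABLES)   /* PRINTABLES < MAX_COLORS, so this covers both bounds */
        return -1;
    if (red < 0 || red > 255 || green < 0 || green > 255 || blue < 0 || blue > 255)
        return -2;

    st->KeyTable[st->ColorMapSize]       = key;
    st->ColorMap[st->ColorMapSize].Red   = red;
    st->ColorMap[st->ColorMapSize].Green = green;
    st->ColorMap[st->ColorMapSize].Blue  = blue;
    st->ColorMapSize++;
    return 1;
}

/* Feed n constructed rgb lines (indices 0..n-1), the shape the PoC describes,
 * and return how many of them the parser accepted. */
int count_accepted(int n)
{
    ColorMapState st;
    char line[64];
    int accepted = 0;

    memset(&st, 0, sizeof st);
    for (int i = 0; i < n; i++) {
        /* keys cycle through the 94 printable ASCII characters '!'..'~' */
        snprintf(line, sizeof line, " rgb %d %d %d is %c",
                 i % 256, (i * 7) % 256, (i * 13) % 256, '!' + (i % PRINTABLES));
        if (parse_rgb_line(&st, line) == 1)
            accepted++;
    }
    return accepted;
}

/* Fill the table completely, then offer one more entry; returns the parser's code. */
int probe_full_table(void)
{
    ColorMapState st;
    memset(&st, 0, sizeof st);
    for (int i = 0; i < PRINTABLES; i++)
        parse_rgb_line(&st, " rgb 1 2 3 is A");
    return parse_rgb_line(&st, " rgb 4 5 6 is B");   /* entry 94: rejected instead of overflowing */
}

int main(void)
{
    printf("96 lines offered, %d accepted\n", count_accepted(96));
    printf("entry beyond the table returns %d\n", probe_full_table());
    return 0;
}
```

With 96 lines offered, as in the PoC, the parser accepts exactly 94 and refuses the rest; under AddressSanitizer the original loop reports the stack-buffer-overflow shown below at the 95th line instead.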

Proof of Concept (PoC)

  1. Create a file poc.txt whose “screen map” section defines more than 94 rgb … is <char> lines (e.g., indices 0 through 95).

  2. Run the icon‐to‐GIF conversion:

```bash
./gifbuild ./poc.txt
```

poc.txt: see attachment.

Crash Information

=================================================================
==37905==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016d46d6bd at pc 0x000102e8add4 bp 0x00016d46c7a0 sp 0x00016d46bf50
WRITE of size 1 at 0x00016d46d6bd thread T0
    #0 0x102e8add0 in memcpy+0x428 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x52dd0)
    #1 0x18c41bda0 in __fread+0x20c (libsystem_c.dylib:arm64e+0xcda0)
    #2 0x18c419ec0 in __svfscanf_l+0x738 (libsystem_c.dylib:arm64e+0xaec0)
    #3 0x18c41974c in vsscanf_l+0x168 (libsystem_c.dylib:arm64e+0xa74c)
    #4 0x102e5abf4 in sscanf+0x7c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x22bf4)
    #5 0x102997e0c in Icon2Gif gifbuild.c:229
    #6 0x10299451c in main gifbuild.c:96
    #7 0x18c1fc270  (<unknown module>)

Address 0x00016d46d6bd is located in stack of thread T0 at offset 1917 in frame
    #0 0x102996e70 in Icon2Gif gifbuild.c:113

  This frame has 18 object(s):
    [32, 800) 'GlobalColorMap' (line 115)
    [928, 1696) 'LocalColorMap' (line 115)
    [1824, 1917) 'GlobalColorKeys' (line 117) <== Memory access at offset 1917 overflows this variable
    [1952, 2045) 'LocalColorKeys' (line 117)
    [2080, 2084) 'ExtCode' (line 120)
    [2096, 2100) 'intval' (line 120)
    [2112, 2116) 'red' (line 121)
    [2128, 2132) 'green' (line 121)
    [2144, 2148) 'blue' (line 121)
    [2160, 2164) 'n' (line 121)
    [2176, 4224) 'buf' (line 122)
    [4352, 4416) 'InclusionFile' (line 122)
    [4448, 4452) 'LeadingExtensionBlockCount' (line 125)
    [4464, 4472) 'LeadingExtensionBlocks' (line 126)
    [4496, 4500) 'ErrorCode' (line 127)
    [4512, 4768) 'Translation' (line 285)
    [4832, 4848) 'gcb' (line 428)
    [4864, 4867) 'params' (line 482)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x52dd0) in memcpy+0x428
Shadow bytes around the buggy address:
  0x00016d46d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016d46d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016d46d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016d46d580: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x00016d46d600: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x00016d46d680: 00 00 00 00 00 00 00[05]f2 f2 f2 f2 00 00 00 00
  0x00016d46d700: 00 00 00 00 00 00 00 05 f2 f2 f2 f2 04 f2 04 f2
  0x00016d46d780: 04 f2 04 f2 04 f2 04 f2 00 00 00 00 00 00 00 00
  0x00016d46d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016d46d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00016d46d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37905==ABORTING

Credit

Reporter credit: Argusee@DARKNAVY

1 Attachments

Discussion

  • Eric S. Raymond - 2026-02-19
    • status: open --> closed

  • Eric S. Raymond - 2026-02-19

    Fix pushed.
