out-of-bounds access in ModifyColorMap
A library and utilities for processing GIFs
Brought to you by:
abadger1999,
esr
Menu
▾
▴
2 Attachments
#183 out-of-bounds access in ModifyColorMap
Summary
A buffer overflow exists in the ModifyColorMap function of gifclrmp.c, where unvalidated Translation[i] values are used to index the color map, allowing out-of-bounds access when Translation[i] ≥ ColorMap->ColorCount.
Vulnerability Details
File: gifclrmp.c
Function: ModifyColorMap
Translationis a 256-element array of unsigned bytes (0–255).- The function loops
for (i = 0; i < ColorMap->ColorCount; i++)and does:
c
for (i = 0; i < ColorMap->ColorCount; i++) {
NewMap->Colors[i] = ColorMap->Colors[Translation[i]];
}
- No check ensures Translation[i] < ColorMap->ColorCount. If ColorMap->ColorCount is, say, 128, a Translation[i] of 200 will read ColorMap->Colors[200], overflowing the buffer.
Proof of Concept (PoC)
- Create a gif where
ColorMap->ColorCount = 128with a translation map setTranslation[0] = 200. - Run gifclrmp
bash
./gifclrmp -t poc.trans.txt poc.gif
[poc.trans.txt] See attachment.
[poc.gif] See attachment.
Crash Information
=================================================================
==41697==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000000298 at pc 0x000104779c44 bp 0x00016bd0a310 sp 0x00016bd09ac0
READ of size 3 at 0x613000000298 thread T0
#0 0x104779c40 in __asan_memcpy+0x394 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x51c40)
#1 0x1040fa898 in ModifyColorMap gifclrmp.c:390
#2 0x1040f7d68 in main gifclrmp.c:132
#3 0x18c1fc270 (<unknown module>)
0x613000000298 is located 216 bytes after 384-byte region [0x613000000040,0x6130000001c0)
allocated by thread T0 here:
#0 0x10477cfd0 in calloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54fd0)
#1 0x104112c44 in GifMakeMapObject gifalloc.c:58
#2 0x1040fbfc8 in DGifGetScreenDesc dgif_lib.c:280
#3 0x1040fb3fc in DGifOpenFileHandle dgif_lib.c:149
#4 0x1040fac88 in DGifOpenFileName dgif_lib.c:67
#5 0x1040f77bc in main gifclrmp.c:84
#6 0x18c1fc270 (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x51c40) in __asan_memcpy+0x394
Shadow bytes around the buggy address:
0x613000000000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x613000000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x613000000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x613000000180: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x613000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x613000000280: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x613000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x613000000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x613000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x613000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x613000000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==41697==ABORTING
Credit
Reporter credit: Argusee@DARKNAVY
Duplicated bug, already fixed.