#184 uninitialized buffer in DumpScreen2RGB

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 1
Updated: 2026-02-19
Created: 2025-04-24
Creator: DARKNAVY
Private: No

Summary

An uninitialized stack buffer OneFileName in the DumpScreen2RGB function of gif2rgb.c can lead to out-of-bounds reads and writes: strncpy can leave the buffer without a terminating '\0', and strlen and strncat then operate on the non-null-terminated string.

Vulnerability Details

File: gif2rgb.c
Function: DumpScreen2RGB

  • A local array char OneFileName[80]; is declared but never zero-initialized.
  • strncpy(OneFileName, FileName, sizeof(OneFileName) - 1); does not guarantee a terminating '\0' if FileName is ≥ 79 bytes and if previous stack contents leave OneFileName[79] non-zero.
  • Subsequent strlen(OneFileName) may read past the 80-byte buffer boundary.
  • The strncat call uses this incorrect length to calculate remaining space, enabling both over-read and over-write on OneFileName.

Vulnerable Code Snippet

/* gif2rgb.c */
char OneFileName[80];

for (i = 0; i < 3; i++) {
    strncpy(OneFileName, FileName,
            sizeof(OneFileName) - 1);
    /* If OneFileName lacks a null terminator, strlen may overrun */
    strncat(OneFileName, Postfixes[i],
            sizeof(OneFileName) - 1 -
                strlen(OneFileName));
    /* … */
}
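
A hardened form of the loop above, added here as an illustration rather than giflib's own fix: the buffer is always terminated, the length check happens before anything is written, and an over-long name is rejected instead of overrunning OneFileName. The ".R"/".G"/".B" postfix values are assumed; the 80-byte size matches the snippet.

```c
#include <stdio.h>
#include <string.h>

/* Same size as OneFileName in gif2rgb.c. */
#define ONE_FILE_NAME_LEN 80

/* Build "<base><postfix>" into out[outsz]. Returns the resulting length,
   or -1 if the name (plus its terminating NUL) would not fit. The buffer
   is always left NUL-terminated, so a later strlen() can never overrun. */
static int build_output_name(char *out, size_t outsz,
                             const char *base, const char *postfix)
{
    int n;
    if (out == NULL || outsz == 0 || base == NULL || postfix == NULL)
        return -1;
    out[0] = '\0';                   /* never leave the buffer uninitialized */
    n = snprintf(out, outsz, "%s%s", base, postfix);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';               /* truncated: refuse rather than continue */
        return -1;
    }
    return n;
}

/* The three-name loop from the snippet, with each name validated.
   Postfix values are assumed (hypothetical), not taken from the page. */
static int make_rgb_names(const char *FileName,
                          char names[3][ONE_FILE_NAME_LEN])
{
    static const char *Postfixes[] = { ".R", ".G", ".B" };
    int i;
    for (i = 0; i < 3; i++) {
        if (build_output_name(names[i], ONE_FILE_NAME_LEN,
                              FileName, Postfixes[i]) < 0)
            return -1;               /* too long for an 80-byte OneFileName */
    }
    return 0;
}

/* Check helper: does a base name of `len` 'a' characters fit? 0 = yes, -1 = no. */
static int names_fit_for_length(size_t len)
{
    char base[256];
    char names[3][ONE_FILE_NAME_LEN];
    if (len >= sizeof base)
        return -1;
    memset(base, 'a', len);
    base[len] = '\0';
    return make_rgb_names(base, names);
}
```

With a 79-byte base name, as in the PoC, make_rgb_names() now returns -1 instead of reading uninitialized stack memory; the longest base that still fits is 77 bytes (77 + 2 postfix bytes + NUL = 80).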

Proof of Concept (PoC)

Compile with MemorySanitizer and run with a long filename:

clang -g -fsanitize=memory -o gif2rgb gif2rgb.c qprintf.c getarg.c gifalloc.c quantize.c dgif_lib.c egif_lib.c gif_err.c openbsd-reallocarray.c gif_hash.c
# use any valid gif with name larger than 79 bytes
./gif2rgb -o aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.gif aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.gif

Crash Information

MemorySanitizer will report a use-of-uninitialized-value in DumpScreen2RGB, demonstrating the unsafe read/write on OneFileName.

Uninitialized bytes in strlen at offset 79 inside [0x7fffbbeaa5d0, 80)
==517028==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5dec1f4b2fd7 in DumpScreen2RGB /home/albanis/giflib-5.2.2/gif2rgb.c:263:17
    #1 0x5dec1f4b0295 in GIF2RGB /home/albanis/giflib-5.2.2/gif2rgb.c:517:2
    #2 0x5dec1f4ace57 in main /home/albanis/giflib-5.2.2/gif2rgb.c:574:3
    #3 0x7b3306c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7b3306c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x5dec1f414324 in _start (/home/albanis/giflib-5.2.2/gif2rgb+0x32324) (BuildId: 0654e1e6a2978399979398663b9f471a9cd22947)

Credit

Reporter credit: Argusee@DARKNAVY

Discussion

  • Eric S. Raymond - 2026-02-19
    • status: open --> closed

  • Eric S. Raymond - 2026-02-19

    Fix pushed,
