
#185 integer overflow in gifbg.c

v1.0_(example)
closed
nobody
None
1
2026-02-18
2025-04-24
DARKNAVY
No

Summary

A signed-to-unsigned integer overflow in gifbg.c allows large memory allocation requests due to unchecked negative ImageWidth values, leading to crashes or denial-of-service (DoS).

Vulnerability Details

File: gifbg.c

  • The code allocates memory with:
    malloc(sizeof(GifPixelType) * ImageWidth * 2);
  • However, ImageWidth is parsed from user input (the -s option) and can be negative.
  • Because sizeof() yields a size_t, ImageWidth is converted to size_t in the multiplication (the type malloc expects); a negative value becomes a very large unsigned value.
  • For example, ImageWidth = -100 results in a request of ~2^64 bytes on 64-bit systems.
  • This leads to memory allocation failure and, under memory sanitizers, triggers a fatal error.

Vulnerable Code Snippet

if ((Line = (GifRowType)malloc(sizeof(GifPixelType) * ImageWidth * 2)) == NULL) {
    GIF_EXIT("Failed to allocate memory required, aborted.");
}
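As an added illustration (not giflib's code, nor its actual fix), the following program reproduces the size computation from the snippet above next to a hardened variant that rejects non-positive widths and checks for wraparound before allocating. It assumes GifPixelType is a one-byte type, as in giflib.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Assumption: in giflib, GifPixelType is an unsigned char (1 byte). */
typedef unsigned char GifPixelType;

/* The size expression exactly as gifbg.c computes it. sizeof() is a size_t,
 * so the signed ImageWidth is converted to size_t before the multiply and a
 * negative width silently wraps to a huge value instead of being rejected.
 * For -100 this yields (size_t)-200, i.e. 0xffffffffffffff38 on 64-bit,
 * which is the value reported in the AddressSanitizer trace. */
size_t naive_row_size(int image_width)
{
    return sizeof(GifPixelType) * image_width * 2;
}

/* Hardened variant (illustrative): validate the signed value first, then
 * multiply only after checking the product cannot exceed SIZE_MAX.
 * Returns 1 and stores the byte count on success, 0 if the width is invalid. */
int checked_row_size(int image_width, size_t *out)
{
    if (image_width <= 0)
        return 0;                        /* negative or zero width: refuse */
    size_t width = (size_t)image_width;  /* safe: value is known positive */
    size_t per_pixel = sizeof(GifPixelType) * 2;
    if (width > SIZE_MAX / per_pixel)
        return 0;                        /* multiplication would wrap */
    *out = width * per_pixel;
    return 1;
}

int main(void)
{
    size_t n = 0;
    printf("naive(-100)   = 0x%zx bytes requested\n", naive_row_size(-100));
    printf("checked(-100) accepted? %d\n", checked_row_size(-100, &n));
    if (checked_row_size(100, &n))
        printf("checked(100)  = %zu bytes\n", n);
    return 0;
}
```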

Proof of Concept (PoC)

./gifbg -s -100 -100

Crash Information

gifbg(69936,0x1f5eec840) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==69936==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffff38 (0x738 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x10081cc04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
    #1 0x1003301c8 in main gifbg.c:247
    #2 0x18c1fc270  (<unknown module>)

Credit

Reporter credit: Argusee@DARKNAVY

Discussion

  • Eric S. Raymond - 2026-02-18

    Fix pushed.

  • Eric S. Raymond - 2026-02-18
    • status: open --> closed
