
#186 integer overflow in Icon2Gif

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 1
Updated: 2026-02-18
Created: 2025-04-24
Creator: DARKNAVY
Private: No

Summary

A signed-to-unsigned integer overflow vulnerability exists in Icon2Gif (gifbuild.c) due to unchecked dimensions (Width and Height) parsed from input. When negative values are used, this can lead to an excessive memory allocation request via malloc, resulting in application crashes or potential denial-of-service (DoS).


Technical Details

File: gifbuild.c
Function: Icon2Gif
Vulnerable Operation:

/* ImageDesc.Width and ImageDesc.Height are GifWord (int) values taken
 * directly from the icon file; no sign or range check precedes the multiply. */
if ((Raster = (GifPixelType *)malloc(
        sizeof(GifPixelType) *
        NewImage->ImageDesc.Width *
        NewImage->ImageDesc.Height)) == NULL) {
    PARSE_ERROR("Failed to allocate raster block, aborted.");
    exit(EXIT_FAILURE);
}
  • sizeof(GifPixelType) has type size_t, so a negative Width or Height is converted to size_t before the multiplication, producing a huge allocation request.
  • Example: -100 * 1 = -100 → converted to size_t = 0xffffffffffffff9c, triggering malloc failure and a sanitizer abort.
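The following added example (not code from giflib or from the reporter) reproduces the size arithmetic of the vulnerable malloc call beside a checked replacement. GifPixelType is typedef'd locally as unsigned char, which is what giflib uses; the function names are assumptions for this illustration. The checked version rejects non-positive dimensions and any product that would wrap before the size ever reaches malloc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for giflib's GifPixelType (an unsigned char); local to this example. */
typedef unsigned char GifPixelType;

/* Mirrors the arithmetic of the vulnerable call: sizeof() yields size_t, so a
 * negative int width is converted to size_t before the multiply. Returns the
 * byte count malloc would be asked for. */
size_t unchecked_raster_bytes(int width, int height) {
    return sizeof(GifPixelType) * width * height;
}

/* Hardened replacement: rejects non-positive dimensions and multiplications
 * that would wrap around. Returns 0 on rejection (a real raster is never
 * zero bytes), otherwise the exact byte count. */
size_t checked_raster_bytes(int width, int height) {
    if (width <= 0 || height <= 0)
        return 0;
    /* Both values are positive here, so the conversions preserve the value. */
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)                         /* w * h would wrap */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / sizeof(GifPixelType)) /* pixels * sizeof would wrap */
        return 0;
    return pixels * sizeof(GifPixelType);
}

/* Allocates a raster only when the dimensions pass the check. */
GifPixelType *alloc_raster(int width, int height) {
    size_t bytes = checked_raster_bytes(width, height);
    if (bytes == 0)
        return NULL;
    return (GifPixelType *)malloc(bytes);
}

int main(void) {
    /* Constructed inputs: the PoC's "-100 by 1" and an ordinary 10 by 10 image. */
    printf("unchecked(-100, 1) = %#zx\n", unchecked_raster_bytes(-100, 1));
    printf("checked(-100, 1)   = %zu\n", checked_raster_bytes(-100, 1));
    printf("checked(10, 10)    = %zu\n", checked_raster_bytes(10, 10));
    GifPixelType *r = alloc_raster(10, 10);
    if (r != NULL) {
        puts("10x10 raster allocated");
        free(r);
    }
    if (alloc_raster(-100, 1) == NULL)
        puts("-100x1 raster rejected before malloc");
    return 0;
}
```

On an LP64 build the unchecked value for the PoC's dimensions is the same 0xffffffffffffff9c that AddressSanitizer reports above; the checked path returns 0 and the caller can raise a parse error instead of calling malloc.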

Proof of Concept

PoC Input (poc2.icon):

image
image bits -100 by 1

Command:

./gifbuild ./poc2.icon

Crash Information

gifbuild(64644,0x1f5eec840) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==64644==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffff9c (0x7a0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x1032f8c04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
    #1 0x102caa480 in Icon2Gif gifbuild.c:592
    #2 0x102ca451c in main gifbuild.c:96
    #3 0x18c1fc270  (<unknown module>)

Credit

Reporter credit: Argusee@DARKNAVY

Discussion

  • Eric S. Raymond - 2026-02-18
    • status: open --> closed

  • Eric S. Raymond - 2026-02-18

    Fix pushed.
