#136 Stack-buffer-overflow in gifcolor.c:84

v1.0_(example)
closed
nobody
None
1
2019-06-23
2019-06-18
No

Hi,

In gifcolor:47, the array ScratchMap is initialized with length 256:

GifColorType        ScratchMap[256];

Then, in gifcolor:84, there is no sanity check of ColorMapSize inside the loop. Consequently, gifcolor (the latest commit on master 866ea06 - version 5.1.9) crashes due to a stack buffer overflow.

    /* Read the color map in ColorFile into this color map: */
    ColorMapSize = 0;
    while (fscanf(stdin,
                  "%*3d %3d %3d %3d\n",
                  &red, &green, &blue) == 3) {
        ScratchMap[ColorMapSize].Red = red;
        ScratchMap[ColorMapSize].Green = green;
        ScratchMap[ColorMapSize].Blue = blue;
        ColorMapSize++;
    }

PoC: https://github.com/strongcourage/PoCs/blob/master/giflib_866ea06/PoC_sbo_gifcolor
ASAN says:

./gifcolor-asan < PoC_sbo_gifcolor > /dev/null
=================================================================
==1420==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd2b3a95d0 at pc 0x000000401f71 bp 0x7ffd2b3a9000 sp 0x7ffd2b3a8ff0
WRITE of size 1 at 0x7ffd2b3a95d0 thread T0
    #0 0x401f70 in main /home/dungnguyen/gueb-testing/giflib-asan/gifcolor.c:84
    #1 0x7f3e30f2182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #2 0x402218 in _start (/home/dungnguyen/PoCs/giflib_866ea06/gifcolor-asan+0x402218)

Address 0x7ffd2b3a95d0 is located in stack of thread T0 at offset 1344 in frame
    #0 0x4015df in main /home/dungnguyen/gueb-testing/giflib-asan/gifcolor.c:40

  This frame has 10 object(s):
    [32, 33) 'BackGroundFlag'
    [96, 97) 'HelpFlag'
    [160, 164) 'GifNoisyPrint'
    [224, 228) 'ErrorCode'
    [288, 292) 'red'
    [352, 356) 'green'
    [416, 420) 'blue'
    [480, 544) 'RasterBuffer'
    [576, 1344) 'ScratchMap' <== Memory access at offset 1344 overflows this variable
    [1376, 1416) 'Line'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/dungnguyen/gueb-testing/giflib-asan/gifcolor.c:84 in main
Shadow bytes around the buggy address:
  0x10002566d260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002566d2b0: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00
  0x10002566d2c0: 00 00 00 f4 f4 f4 00 00 00 00 00 00 00 00 00 00
  0x10002566d2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002566d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1420==ABORTING

Thanks,
Manh Dung
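A bounded version of the loop quoted in the report, as an added example that is neither giflib's code nor the fix actually committed. It assumes GifColorType is the three-channel struct giflib defines, keeps the same fscanf format and the same 256-entry stack array, and feeds a constructed color file through an in-memory stream (fmemopen, glibc) instead of stdin so it runs stand-alone.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout of giflib's GifColorType: three 8-bit channels. */
typedef struct { unsigned char Red, Green, Blue; } GifColorType;
#define SCRATCH_MAP_ENTRIES 256

/* Bounded version of the gifcolor loop: same fscanf format, but the write
 * is refused once the map is full. Returns the number of entries read, or
 * -1 if the input holds more entries than `capacity` (the overflow case). */
int read_color_map(FILE *in, GifColorType *map, size_t capacity) {
    int red, green, blue;
    size_t count = 0;
    while (fscanf(in, "%*3d %3d %3d %3d\n", &red, &green, &blue) == 3) {
        if (count >= capacity)          /* the check missing at gifcolor.c:84 */
            return -1;
        map[count].Red = (unsigned char)red;
        map[count].Green = (unsigned char)green;
        map[count].Blue = (unsigned char)blue;
        count++;
    }
    return (int)count;
}

/* Builds a constructed color file of n lines "index red green blue" in an
 * in-memory stream and hands it to read_color_map with the same 256-entry
 * stack array gifcolor uses. Returns the reader's result, -2 on allocation
 * failure, or -3 if the stored entries do not match what was written. */
int read_constructed_file(size_t n) {
    GifColorType ScratchMap[SCRATCH_MAP_ENTRIES];
    size_t cap = n * 20 + 1, used = 0;   /* each line is at most 16 bytes */
    char *buf = malloc(cap);
    if (!buf) return -2;
    for (size_t i = 0; i < n; i++)
        used += (size_t)snprintf(buf + used, cap - used, "%3zu %3d %3d %3d\n",
                                 i % 1000, (int)(i & 0xff), 0, 255 - (int)(i & 0xff));
    FILE *in = fmemopen(buf, used, "r");
    if (!in) { free(buf); return -2; }
    int rc = read_color_map(in, ScratchMap, SCRATCH_MAP_ENTRIES);
    fclose(in);
    free(buf);
    for (int i = 0; i < rc; i++)
        if (ScratchMap[i].Red != (unsigned char)(i & 0xff) ||
            ScratchMap[i].Blue != (unsigned char)(255 - (i & 0xff)))
            return -3;
    return rc;
}
```

With 300 lines of input the bounded reader returns -1 at the 257th entry, which is exactly the write the ASAN report above flags in the unbounded loop.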

Discussion

  • Eric S. Raymond - 2019-06-23

    Fixed in head, thanks.

  • Eric S. Raymond - 2019-06-23
    • status: open --> closed
