
#151 A heap-buffer-overflow in gif2rgb.c:294:45

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: bug (1)
Priority: 1
Updated: 2024-02-18
Created: 2020-08-02
Creator: zhouan
Private: No

System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), gif2rgb (5.14, github mirror)

Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

Command line

./util/gif2rgb @@

AddressSanitizer output

=================================================================
==64686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000080 at pc 0x0000005158ee bp 0x7ffccb7b85b0 sp 0x7ffccb7b85a8
READ of size 1 at 0x604000000080 thread T0
    #0 0x5158ed in DumpScreen2RGB /home/seviezhou/giflib/util/gif2rgb.c:294:45
    #1 0x5158ed in GIF2RGB /home/seviezhou/giflib/util/gif2rgb.c:474
    #2 0x5158ed in main /home/seviezhou/giflib/util/gif2rgb.c:525
    #3 0x7fcb3aeb5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a259 in _start (/home/seviezhou/giflib/util/gif2rgb+0x41a259)

0x604000000080 is located 0 bytes to the right of 48-byte region [0x604000000050,0x604000000080)
allocated by thread T0 here:
    #0 0x4da338 in calloc (/home/seviezhou/giflib/util/gif2rgb+0x4da338)
    #1 0x5342f8 in GifMakeMapObject /home/seviezhou/giflib/lib/gifalloc.c:55:38

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/giflib/util/gif2rgb.c:294:45 in DumpScreen2RGB
Shadow bytes around the buggy address:
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
=>0x0c087fff8010:[fa]fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8020: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8030: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8040: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8050: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8060: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64686==ABORTING
1 Attachments
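The report above says the 1-byte read lands 0 bytes past a 48-byte region that was calloc'd in GifMakeMapObject. giflib's GifColorType is three bytes (Red, Green, Blue), so that region is a 16-entry colour map, and the fault is consistent with a pixel value of 16 or more from the image data being used, unchecked, as an index into it. The following is an added example, not giflib's code and not the patch mentioned in the discussion: it uses local stand-ins for GifColorType and ColorMapObject (same 3-byte layout assumed), shows the unchecked lookup in the shape of the loop that fails, and a checked variant that validates every index against ColorCount before any memory is touched. The colour values and pixel rows are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins for giflib's GifColorType / ColorMapObject (assumption:
 * same layout, 3 bytes per colour, so 16 colours = 48 bytes as in the report). */
typedef struct { unsigned char Red, Green, Blue; } GifColorType;
typedef struct { int ColorCount; GifColorType *Colors; } ColorMapObject;

/* Build a map with `count` entries, colour i = (i, 2i, 3i); constructed data,
 * allocated the way GifMakeMapObject callocs its Colors array. */
ColorMapObject *make_map(int count)
{
    ColorMapObject *map = malloc(sizeof *map);
    if (!map) return NULL;
    map->ColorCount = count;
    map->Colors = calloc((size_t)count, sizeof(GifColorType));
    if (!map->Colors) { free(map); return NULL; }
    for (int i = 0; i < count; i++) {
        map->Colors[i].Red   = (unsigned char)i;
        map->Colors[i].Green = (unsigned char)(2 * i);
        map->Colors[i].Blue  = (unsigned char)(3 * i);
    }
    return map;
}

void free_map(ColorMapObject *map)
{
    if (map) { free(map->Colors); free(map); }
}

/* Unchecked translation, the shape of the loop ASan flagged: every pixel byte
 * is used as an index into Colors[] with no comparison against ColorCount.
 * A pixel value of 16 with a 16-entry map reads past the end of the region. */
void row_to_rgb_unchecked(const ColorMapObject *map, const unsigned char *row,
                          int width, unsigned char *out)
{
    for (int i = 0; i < width; i++) {
        const GifColorType *c = &map->Colors[row[i]];   /* no bounds check */
        out[3 * i]     = c->Red;
        out[3 * i + 1] = c->Green;
        out[3 * i + 2] = c->Blue;
    }
}

/* Hardened translation: validate the whole row first and report the position
 * of the first out-of-range index (or -1 if the row is clean), instead of
 * trusting pixel indices that come straight from the file. */
int row_to_rgb_checked(const ColorMapObject *map, const unsigned char *row,
                       int width, unsigned char *out)
{
    for (int i = 0; i < width; i++)
        if (row[i] >= map->ColorCount)      /* also rejects everything if ColorCount <= 0 */
            return i;
    row_to_rgb_unchecked(map, row, width, out);  /* safe now: every index is < ColorCount */
    return -1;
}

int main(void)
{
    ColorMapObject *map = make_map(16);          /* 16 * 3 = 48 bytes, as in the report */
    if (!map) return 1;

    /* Constructed rows: the second carries index 16, one past the last entry. */
    unsigned char good_row[4] = { 0, 5, 15, 1 };
    unsigned char bad_row[4]  = { 0, 5, 15, 16 };
    unsigned char rgb[12];

    int r = row_to_rgb_checked(map, good_row, 4, rgb);
    printf("good row: result %d, pixel 1 -> (%u,%u,%u)\n", r, rgb[3], rgb[4], rgb[5]);
    r = row_to_rgb_checked(map, bad_row, 4, rgb);
    printf("bad row: rejected at pixel %d (ColorCount=%d)\n", r, map->ColorCount);

    free_map(map);
    return 0;
}
```

Built with -fsanitize=address as in the ticket's configure line, calling row_to_rgb_unchecked on bad_row reproduces a heap-buffer-overflow READ of the same kind, 0 bytes past the 48-byte calloc region; row_to_rgb_checked returns 3 for that row and never reads the map.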

Discussion

  • Eric S. Raymond

    Eric S. Raymond - 2024-02-18

    This is not an interesting bug. The master of the manual page now warns that feeding it malformed GIFs can crash it.

    Please don't bother reporting the 507th bug in gif2rgb unless you can include a fix patch.

  • Eric S. Raymond

    Eric S. Raymond - 2024-02-18
    • status: open --> closed
  • Eric S. Raymond

    Eric S. Raymond - 2024-02-18

    After I wrote my previous reply, this bug was fixed by a submitted patch.

    esr@snark:~/WWW/giflib$ ./gif2rgb @@
    GIF-LIB error: Failed to open given file.

