Incomplete fix for issue 159
A library and utilities for processing GIFs
Brought to you by: abadger1999, esr
Issue 159 is not completely fixed, and memory overwriting still exists.

Version: giflib-5.2.2

Related code:
```c
    for (i = 0; i < ScreenHeight; i++) {
        GifRow = ScreenBuffer[i];
        GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
        for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
            /* Check if color is within color palette */
            if (GifRow[j] >= ColorMap->ColorCount) { /* fix for issue 159 */
                GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
            }
            ColorMapEntry = &ColorMap->Colors[GifRow[j]];
            *BufferP++ = ColorMapEntry->Red;
            *BufferP++ = ColorMapEntry->Green;
            *BufferP++ = ColorMapEntry->Blue;
        }
        if (fwrite(Buffer, ScreenWidth * 3, 1, rgbfp[0]) != 1) {
            GIF_EXIT("Write to file(s) failed.");
        }
    }
    free((char *)Buffer);
    fclose(rgbfp[0]);
} else {
    unsigned char *Buffers[3];
    if ((Buffers[0] = (unsigned char *)malloc(ScreenWidth)) == NULL ||
        (Buffers[1] = (unsigned char *)malloc(ScreenWidth)) == NULL ||
        (Buffers[2] = (unsigned char *)malloc(ScreenWidth)) == NULL) {
        GIF_EXIT("Failed to allocate memory required, aborted.");
    }
    for (i = 0; i < ScreenHeight; i++) {
        GifRow = ScreenBuffer[i];
        GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
        for (j = 0; j < ScreenWidth; j++) {
            ColorMapEntry = &ColorMap->Colors[GifRow[j]]; /* the same issue exists here */
            Buffers[0][j] = ColorMapEntry->Red;
            Buffers[1][j] = ColorMapEntry->Green;
            Buffers[2][j] = ColorMapEntry->Blue;
        }
        if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 ||
            fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 ||
            fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1) {
            GIF_EXIT("Write to file(s) failed.");
        }
    }
```
Stack dump from reproducing the issue:

```text
==1892482==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000039 at pc 0x556e163f7509 bp 0x7ffc7e267ff0 sp 0x7ffc7e267fe8
READ of size 1 at 0x602000000039 thread T0
    #0 0x556e163f7508 in DumpScreen2RGB /openeuler/giflib/giflib-5.2.2/gif2rgb.c:341:36
    #1 0x556e163f7508 in GIF2RGB /openeuler/giflib/giflib-5.2.2/gif2rgb.c:525:2
    #2 0x556e163f7508 in main /openeuler/giflib/giflib-5.2.2/gif2rgb.c:585:3
    #3 0x7fad715a3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fad715a3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x556e1632d2f4 in _start (/openeuler/giflib/giflib-5.2.2/gif2rgb+0x592f4) (BuildId: 6f71c65365076b6b)

0x602000000039 is located 3 bytes to the right of 6-byte region [0x602000000030,0x602000000036)
allocated by thread T0 here:
    #0 0x556e163b0328 in calloc (/openeuler/giflib/giflib-5.2.2/gif2rgb+0xdc328) (BuildId: 6f71c65365076b6b)
    #1 0x556e1640df25 in GifMakeMapObject /openeuler/giflib/giflib-5.2.2/gifalloc.c:58:22

SUMMARY: AddressSanitizer: heap-buffer-overflow /openeuler/giflib/giflib-5.2.2/gif2rgb.c:341:36 in DumpScreen2RGB
```
==1892482==ABORTING
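The check the planar (three-file) branch lacks, as an added example that is not the project's own code: the same ColorCount bounds test the interleaved branch already performs, applied before each Colors[] lookup. The two structs are simplified stand-ins for giflib's GifColorType and ColorMapObject, not its gif_lib.h, and the sample map and rows are constructed.

```c
/* Stand-ins for the two giflib structs gif2rgb.c uses (assumption: only the
 * fields touched here are modelled; this is not giflib's gif_lib.h). */
typedef struct { unsigned char Red, Green, Blue; } GifColorType;
typedef struct { int ColorCount; GifColorType *Colors; } ColorMapObject;

/* Convert one row of palette indices into three planar buffers, as the
 * separate-files branch of DumpScreen2RGB does, but with the ColorCount
 * check that branch lacks. Returns 0 on success, -1 as soon as an index
 * points past the colour map (the caller should then abort, as the
 * interleaved branch does with GIF_EXIT). */
int row_to_planes(const unsigned char *row, int width, const ColorMapObject *map,
                  unsigned char *r, unsigned char *g, unsigned char *b)
{
    for (int j = 0; j < width; j++) {
        /* an index >= ColorCount would read past the Colors allocation */
        if (row[j] >= map->ColorCount)
            return -1;
        const GifColorType *e = &map->Colors[row[j]];
        r[j] = e->Red;
        g[j] = e->Green;
        b[j] = e->Blue;
    }
    return 0;
}

/* Constructed sample mirroring the ASan report: a two-entry map (6 bytes of
 * colour data) and rows whose indices may exceed it. */
static GifColorType sample_colors[2] = { {255, 0, 0}, {0, 0, 255} };
static ColorMapObject sample_map = { 2, sample_colors };
unsigned char plane_r[4], plane_g[4], plane_b[4];

int demo_bad_row(void)
{
    unsigned char row[4] = { 0, 1, 3, 0 };  /* entry 3 does not exist */
    return row_to_planes(row, 4, &sample_map, plane_r, plane_g, plane_b);  /* -1 */
}

int demo_good_row(void)
{
    unsigned char row[4] = { 0, 1, 1, 0 };  /* all indices < ColorCount */
    return row_to_planes(row, 4, &sample_map, plane_r, plane_g, plane_b);  /* 0 */
}
```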
Hello @bale, FYI if I am not mistaken then this is the same thing that is being discussed as CVE-2025-31344 on https://seclists.org/oss-sec/2025/q2/21 at this very moment.

Yes, it's the same issue.