GIFLIB / Bugs / #73 Null pointer deference in gifclrmap when trying to write the screen color map from a file with none

#73 Null pointer deference in gifclrmap when trying to write the screen color map from a file with none

Milestone: v1.0_(example)

Status: closed

Owner: Eric S. Raymond

Labels: None

Priority: 1

Updated: 2016-02-09

Created: 2015-11-24

Creator: Hugh Davenport

Private: No

Hi,

This was found on git master, commit cb85cee9c10efdb5662831c011daa740e9ebb6d5.

I found this file with afl-fuzz. It produces the following crash.

$ ./util/.libs/lt-gifclrmp gifclrmap-crash.gif 
Segmentation fault

Under ASAN:

$ ./util/gifclrmap gifclrmap-crash.gif
ASAN:SIGSEGV
=================================================================
==27636== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040402d sp 0x7ffc4a45d8e0 bp 0x100009483b22 T0)
AddressSanitizer can not provide additional info.
    #0 0x40402c in ModifyColorMap /root/giflib-code/util/gifclrmp.c:273
    #1 0x4020d5 in main /root/giflib-code/util/gifclrmp.c:130
    #2 0x7f4afd7d6ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #3 0x403c49 in _start (/root/giflib-code/util/.libs/lt-gifclrmp+0x403c49)
SUMMARY: AddressSanitizer: SEGV /root/giflib-code/util/gifclrmp.c:273 ModifyColorMap
==27636== ABORTING
Aborted

Under gdb:

Starting program: /root/giflib-code/util/.libs/lt-gifclrmp gifclrmap-crash.gif

Program received signal SIGSEGV, Segmentation fault.
ModifyColorMap (ColorMap=0x0) at gifclrmp.c:273
warning: Source file is more recent than executable.
273             for (i = 0; i < ColorMap->ColorCount; i++)
(gdb) bt
#0  ModifyColorMap (ColorMap=0x0) at gifclrmp.c:273
#1  0x00000000004033f5 in main (argc=<optimized out>, argv=<optimized out>) at gifclrmp.c:130
(gdb) p ColorMap
$1 = (ColorMapObject *) 0x0

The test file:

$ xxd -g 1 gifclrmap-crash.gif 
0000000: 47 49 46 30 30 30 30 30 30 30 30 30 30           GIF0000000000

A patch to fix is:

diff --git a/util/gifclrmp.c b/util/gifclrmp.c
index fac1334..c44b95d 100644
--- a/util/gifclrmp.c
+++ b/util/gifclrmp.c
@@ -127,6 +127,8 @@ int main(int argc, char **argv)

     if (!ImageNFlag) {
        /* We are supposed to modify the screen color map, so do it: */
+       if (!GifFileIn->SColorMap)
+           GIF_EXIT("No colormap to modify");
        GifFileIn->SColorMap = ModifyColorMap(GifFileIn->SColorMap);
        if (!HasGIFOutput) {
            /* We can quit here, as we have the color map: */

Hope that all helps, let me know if you need any other information.

Cheers,

Hugh

Discussion

Hugh Davenport - 2015-11-24

Added test file.

gifclrmap-crash.gif

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hugh Davenport - 2015-11-24

Added patch to fix.

73.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hugh Davenport - 2015-12-13

Hi, Just checking whether anyone has seen this?

Cheers,

Hugh

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Eric S. Raymond - 2016-01-06

Fix applied.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Eric S. Raymond - 2016-01-06

status: open --> closed

assigned_to: Eric S. Raymond
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Eric S. Raymond - 2016-02-09

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Null pointer deference in gifclrmap when trying to write the screen color...

A library and utilities for processing GIFs

Group

Searches

Help

#73 Null pointer deference in gifclrmap when trying to write the screen color map from a file with none

Discussion