oob read, bof bugs
We found 2 bugs in gif2png 2.5.8, and both bugs are in gifread.c.
The first bug is an out-of-bounds read, which caused a segmentation fault in gifread.c:578, in the nextLWZ function.
The maximum value of the second index of table is 4096, defined as 1 << MAX_LWZ_BITS (MAX_LWZ_BITS is 12) in gifread.c:525. And code is the return value of the nextCode function, in gifread.c:530. When the segfault occurred, code had a value of more than 200000.
The second bug is a global buffer overflow in gifread.c:509, in the nextCode function.
When the BOF occurred, i was holding a negative value. i is calculated by curbit / 8 in gifread.c:501, and curbit is calculated by (curbit - lastbit) + 16 in gifread.c:494. lastbit is calculated by (2+(int)count) in gifread.c:495, and count is the return value of the GetDataBlock function. GetDataBlock uses the ReadOK macro, and ReadOK is a macro which calls fread.
We thought that in the nextCode function, GetDataBlock returns an abnormal value to count due to reading corrupted GIF files, and nextCode doesn't handle the abnormal count value well, so it makes the binary crash.
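The two checks the report points at (a code used as a table index without being compared against 1 << MAX_LWZ_BITS, and a GetDataBlock count that flows into the curbit/lastbit arithmetic without validation) can both be seen in a small self-contained reader. The C code below is an added example written for this page; it is not gif2png's gifread.c, and the type and function names (lzw_reader, next_byte, next_code, code_in_table, nth_code), the distinct -1/-2 return codes, and the sample byte streams are all constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LWZ_BITS 12
#define TABLE_SIZE   (1 << MAX_LWZ_BITS)   /* 4096 entries, valid indices 0..4095 */

/* Constructed reader over an in-memory GIF image-data section: a sequence of
 * sub-blocks (one count byte, then that many payload bytes) ended by 0x00.
 * Hypothetical replacement logic, not gif2png's nextCode/GetDataBlock. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;          /* next unread byte in data */
    size_t block_left;   /* payload bytes remaining in the current sub-block */
    uint32_t acc;        /* bit accumulator; GIF packs codes LSB-first */
    int nbits;           /* number of valid bits in acc */
    bool terminated;     /* 0x00 block terminator already seen */
} lzw_reader;

void lzw_reader_init(lzw_reader *r, const uint8_t *data, size_t len) {
    r->data = data; r->len = len; r->pos = 0;
    r->block_left = 0; r->acc = 0; r->nbits = 0; r->terminated = false;
}

/* Fetch one payload byte. Returns 1 on success, 0 at the terminator, and -1
 * when the sub-block count points past the end of the buffer. That last case
 * is the "abnormal count" from the report: it is rejected here rather than
 * being used to compute a bit position. */
static int next_byte(lzw_reader *r, uint8_t *out) {
    while (r->block_left == 0) {
        if (r->terminated) return 0;
        if (r->pos >= r->len) return -1;         /* count byte itself is missing */
        size_t count = r->data[r->pos++];
        if (count == 0) { r->terminated = true; return 0; }
        if (count > r->len - r->pos) return -1;  /* truncated sub-block */
        r->block_left = count;
    }
    *out = r->data[r->pos++];
    r->block_left--;
    return 1;
}

/* Return the next code_size-bit code, -1 at a clean end of data, or -2 on a
 * truncated stream or an impossible code size. Because code_size is capped at
 * MAX_LWZ_BITS, a non-negative result is always below TABLE_SIZE. */
int next_code(lzw_reader *r, int code_size) {
    if (code_size < 1 || code_size > MAX_LWZ_BITS) return -2;
    while (r->nbits < code_size) {
        uint8_t b;
        int rc = next_byte(r, &b);
        if (rc == 0) return -1;
        if (rc < 0) return -2;
        r->acc |= (uint32_t)b << r->nbits;
        r->nbits += 8;
    }
    int code = (int)(r->acc & ((1u << code_size) - 1));
    r->acc >>= code_size;
    r->nbits -= code_size;
    return code;
}

/* The bounds check to apply before a code is used as a table index. */
bool code_in_table(int code) {
    return code >= 0 && code < TABLE_SIZE;
}

/* Probe helper: decode a stream from the start and return its n-th code
 * (0-based), or the first negative status reached before it. */
int nth_code(const uint8_t *data, size_t len, int code_size, size_t n) {
    lzw_reader r;
    lzw_reader_init(&r, data, len);
    int code = -1;
    for (size_t i = 0; i <= n; i++) {
        code = next_code(&r, code_size);
        if (code < 0) break;
    }
    return code;
}

/* Constructed sample: one 2-byte sub-block carrying the 3-bit codes
 * 4, 1, 2, 5 (LSB-first), then the 0x00 terminator. */
static const uint8_t SAMPLE_OK[] = { 0x02, 0x8C, 0x0A, 0x00 };
/* Constructed sample: count byte claims 5 payload bytes but only 1 follows. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x05, 0x8C };

int main(void) {
    lzw_reader r;
    lzw_reader_init(&r, SAMPLE_OK, sizeof SAMPLE_OK);
    for (int code; (code = next_code(&r, 3)) >= 0; )
        printf("code %d%s\n", code, code_in_table(code) ? "" : " (out of table range)");
    printf("truncated stream status: %d\n",
           nth_code(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 3, 0));
    return 0;
}
```

The reader refuses a sub-block whose count runs past the buffer instead of letting that count reach the bit-position arithmetic, and any caller that indexes the LZW table is expected to pass the code through code_in_table first, so a value like the 200000 seen in the crash is rejected before it becomes an index.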