Segmentation fault (Heap buffer overflow)
Hi,
Our fuzzer found a crash on gif2png (the latest commit on master 34b4105c) due to a heap buffer overflow.
ASAN says:
gif2png PoC_hbo /dev/null
gif2png: bad version number, not '87a' or '89a', trying anyway
gif2png: image reading error, use option -r to recover 1 complete image and partial data of a broken image
gif2png: 255 unused colors; convert with -O to remove
=================================================================
==30074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efbe at pc 0x7fd6afdb720b bp 0x7ffe4cd29390 sp 0x7ffe4cd28b38
READ of size 15 at 0x60200000efbe thread T0
#0 0x7fd6afdb720a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
#1 0x4052ab in writefile /home/dungnguyen/gueb-testing/gif2png-asan/gif2png.c:554
#2 0x406282 in processfile /home/dungnguyen/gueb-testing/gif2png-asan/gif2png.c:788
#3 0x406d4d in main /home/dungnguyen/gueb-testing/gif2png-asan/gif2png.c:982
#4 0x7fd6af77882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401dc8 in _start (/home/dungnguyen/PoCs/gif2png_34b4105/gif2png-asan+0x401dc8)
0x60200000efbe is located 0 bytes to the right of 14-byte region [0x60200000efb0,0x60200000efbe)
allocated by thread T0 here:
#0 0x7fd6afddf961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x40aa7c in xrealloc /home/dungnguyen/gueb-testing/gif2png-asan/memory.c:32
#2 0x40b256 in fix_current /home/dungnguyen/gueb-testing/gif2png-asan/memory.c:105
#3 0x408948 in DoExtension /home/dungnguyen/gueb-testing/gif2png-asan/gifread.c:344
#4 0x407baf in ReadGIF /home/dungnguyen/gueb-testing/gif2png-asan/gifread.c:175
#5 0x405e25 in processfile /home/dungnguyen/gueb-testing/gif2png-asan/gif2png.c:707
#6 0x406d4d in main /home/dungnguyen/gueb-testing/gif2png-asan/gif2png.c:982
#7 0x7fd6af77882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 03 fa
=>0x0c047fff9df0: fa fa fd fd fa fa 00[06]fa fa 00 fa fa fa fd fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==30074==ABORTING
Thanks,
Manh Dung
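As an added example (not code from the gif2png project or from this report), the block below reconstructs the pattern the trace points at: extension sub-block data gathered into a realloc'd buffer exactly as long as the payload, with no NUL terminator, so a later strlen() on it reads one byte past the end (a 14-byte region, a READ of size 15). The hardened variant reserves one extra byte and NUL-terminates, and the writer side uses the tracked length instead of strlen(). The struct, function names and sample bytes are constructed for the example and are assumptions; they do not correspond to gif2png's fix_current(), DoExtension() or writefile().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer for an accumulated GIF extension payload
 * (example code, not gif2png's own). `cap` records the bytes actually
 * allocated so a caller can tell whether a NUL terminator fits. */
struct ext_buf {
    unsigned char *data;
    size_t len;   /* payload bytes copied in */
    size_t cap;   /* bytes allocated */
};

static void ext_buf_free(struct ext_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Read a GIF data sub-block chain: repeated (count byte, count payload
 * bytes), ended by a 0x00 block terminator. Returns the number of input
 * bytes consumed, or 0 if the stream is truncated.
 *
 * want_nul == 0 reproduces the unsafe pattern: the buffer is grown to
 * exactly the payload size, so strlen() on it would run off the end.
 * want_nul != 0 is the hardened form: one extra byte is reserved and the
 * payload is NUL-terminated. */
static size_t read_subblocks(const unsigned char *in, size_t inlen,
                             struct ext_buf *out, int want_nul)
{
    size_t pos = 0;
    out->data = NULL;
    out->len = out->cap = 0;

    for (;;) {
        if (pos >= inlen) {             /* input ended before the terminator */
            ext_buf_free(out);
            return 0;
        }
        unsigned char n = in[pos++];
        if (n == 0)                     /* block terminator */
            break;
        if (n > inlen - pos) {          /* sub-block claims more than remains */
            ext_buf_free(out);
            return 0;
        }
        unsigned char *p = realloc(out->data, out->len + n);
        if (p == NULL) {
            ext_buf_free(out);
            return 0;
        }
        out->data = p;
        out->cap = out->len + n;        /* exactly len bytes: no room for '\0' */
        memcpy(out->data + out->len, in + pos, n);
        out->len += n;
        pos += n;
    }

    if (want_nul) {
        unsigned char *p = realloc(out->data, out->len + 1);
        if (p == NULL) {
            ext_buf_free(out);
            return 0;
        }
        out->data = p;
        out->cap = out->len + 1;
        out->data[out->len] = '\0';
    }
    return pos;
}

/* Writer side: emit the payload using the tracked length rather than
 * strlen(), so an unterminated buffer can never be over-read here. */
static size_t write_comment(FILE *fp, const struct ext_buf *b)
{
    return b->len ? fwrite(b->data, 1, b->len, fp) : 0;
}

/* Constructed sample: a comment extension body with one 14-byte sub-block
 * and its terminator, sized to match the 14-byte region in the report. */
static const unsigned char kComment[] = {
    0x0E, 'f','u','z','z','-','c','o','m','m','e','n','t','!','!',
    0x00
};
#define kCommentLen (sizeof kComment)

/* Constructed sample: a sub-block that claims 5 bytes but only 2 follow. */
static const unsigned char kTruncated[] = { 0x05, 'a', 'b' };
#define kTruncatedLen (sizeof kTruncated)

int main(void)
{
    struct ext_buf b;

    read_subblocks(kComment, kCommentLen, &b, 0);
    printf("unsafe: len=%zu cap=%zu (no room for a terminator)\n", b.len, b.cap);
    ext_buf_free(&b);

    read_subblocks(kComment, kCommentLen, &b, 1);
    printf("safe:   len=%zu cap=%zu strlen=%zu\n", b.len, b.cap,
           strlen((const char *)b.data));
    write_comment(stdout, &b);
    putchar('\n');
    ext_buf_free(&b);

    printf("truncated stream consumed=%zu\n",
           read_subblocks(kTruncated, kTruncatedLen, &b, 1));
    return 0;
}
```

The unsafe path deliberately never calls strlen() on its buffer, because that read is undefined behaviour; compiling this with -fsanitize=address and adding such a call is what produces a report of the shape above, where the strlen interceptor flags a read of len+1 bytes against a len-byte region. The truncated sample shows the other failure mode a fuzzed GIF exercises: a sub-block count larger than the remaining input, which the reader rejects instead of copying past the end of the input.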