CVE-2018-11490: Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c · Issue #38 · pts/sam2p

The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain “Private->RunningCode - 2” array index is not checked. This will lead to a denial of service or possibly unspecified other impact.


Here is the bug:
1295 if (LastCode != NO_SUCH_CODE) {
1296 Prefix[Private->RunningCode - 2] = LastCode;
The “Private->RunningCode - 2” index should be checked to ensure it is less than LZ_MAX_CODE before it is used to write into Prefix[].
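
The following is an added illustration of the missing bounds check, not code from sam2p or GIFLIB. It uses a hypothetical DecoderState stand-in for the Private block and assumes GIFLIB-style constants (LZ_MAX_CODE = 4095 for 12-bit LZW codes, so Prefix[] has LZ_MAX_CODE + 1 entries; NO_SUCH_CODE = 4098); the RunningCode value 32772 is the one observed in the gdb session below.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants mirroring the GIFLIB layout (assumption, not from the page). */
#define LZ_MAX_CODE   4095   /* largest 12-bit LZW code */
#define NO_SUCH_CODE  4098   /* sentinel meaning "no previous code" */

/* Hypothetical stand-in for the decoder's Private state. */
typedef struct {
    int          RunningCode;               /* next code to be allocated */
    unsigned int Prefix[LZ_MAX_CODE + 1];   /* LZW prefix table */
} DecoderState;

/*
 * Hardened version of the vulnerable assignment
 *     Prefix[Private->RunningCode - 2] = LastCode;
 * Returns 0 on success and -1 when the index would fall outside Prefix[],
 * which is the condition that cgif.c:1296 does not test.
 */
int store_prefix_checked(DecoderState *st, int LastCode)
{
    if (LastCode == NO_SUCH_CODE)
        return 0;                 /* same guard as the original code */

    int idx = st->RunningCode - 2;
    /* The missing check: reject any index outside 0..LZ_MAX_CODE. */
    if (idx < 0 || idx > LZ_MAX_CODE)
        return -1;                /* defective image: refuse instead of writing OOB */

    st->Prefix[idx] = (unsigned int)LastCode;
    return 0;
}

/* State taken from the crash: RunningCode = 32772 is far past the table end. */
int demo_crash_value(void)
{
    DecoderState st;
    memset(&st, 0, sizeof st);
    st.RunningCode = 32772;
    return store_prefix_checked(&st, 100);   /* -1: write rejected */
}

/* A well-formed state: RunningCode = 10 stores LastCode at Prefix[8]. */
int demo_valid_value(void)
{
    DecoderState st;
    memset(&st, 0, sizeof st);
    st.RunningCode = 10;
    if (store_prefix_checked(&st, 100) != 0)
        return -1;
    return (int)st.Prefix[8];                /* 100 */
}

int main(void)
{
    printf("crash state -> %d (expect -1)\n", demo_crash_value());
    printf("valid state -> %d (expect 100)\n", demo_valid_value());
    return 0;
}
```

The check is deliberately two-sided: RunningCode below 2 would produce a negative index, and anything above LZ_MAX_CODE + 2 runs off the end of the table, which is exactly the state the debugger shows (32772 - 2 is roughly eight times the table size).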

The crash is as follows:
(gdb) run crash000005 1.pdf
Program received signal SIGSEGV, Segmentation fault.
0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296
1296 Prefix[Private->RunningCode - 2] = LastCode;
(gdb) bt
#0 0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296
#1 0x00000000004132eb in CGIF::DGifGetLine (GifFile=0x691740, Line=, LineLen=) at cgif.c:939
#2 0x00000000004136ba in CGIF::DGifSlurp (GifFile=GifFile@entry=0x691740) at cgif.c:1508
#3 0x000000000041391d in in_gif_reader (ufd=) at in_gif.cpp:48
#4 0x000000000042fca8 in Image::load (ufd0=0x66a010, loadHints=…, format=format@entry=0x0) at image.cpp:1428
#5 0x0000000000401eb0 in run_sam2p_engine (sout=…, serr=…, argv1=, helpp=helpp@entry=false) at sam2p_main.cpp:1055
#6 0x00000000004014d0 in main (argv=0x7fffffffe5c8) at sam2p_main.cpp:1148
(gdb) p Private->RunningCode
$1 = 32772
(gdb)
