CVE-2023-36193: heap-buffer-overflow in ambiguity_error · Issue #191 · kohler/gifsicle

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.


Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

Command to reproduce the bug:

./gifsicle --loopcount=-

Environment

  • OS: Ubuntu 20.04
  • gcc 9.4.0
  • gifsicle 1.93

ASAN Report

=================================================================
==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8
READ of size 1 at 0x60300000005a thread T0
#0 0x4dd2b3 in ambiguity_error /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62
#1 0x4d17b1 in parse_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1216:9
#2 0x4d949e in Clp_Next /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1967:6
#3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1533:15
#4 0x7fdb41691082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16
#5 0x41d4cd in _start (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region [0x603000000040,0x603000000058)
allocated by thread T0 here:
#0 0x499c7d in __interceptor_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x499c7d)
#1 0x4d4a20 in finish_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1230:50
#2 0x4d47fc in Clp_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1332:9
#3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1461:3
#4 0x7fdb41691082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62 in ambiguity_error
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00[fa]fa fa 00 00
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==956047==ABORTING

Many Thanks.
cheng meng da
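As an added example, not code from the gifsicle project or from the reporter, here is a small Python triage helper for ASAN reports of the kind quoted above. It parses the report text and extracts the bug class, the access kind and size, how far outside the allocated region the access landed, and the first in-tree frame of both the crashing stack and the allocation stack, and it cross-checks the distance ASAN prints against the raw addresses. The embedded sample is copied from the report in the issue with the shadow-byte dump omitted; the `/src/` path filter used to pick "project" frames is an assumption that matches the build paths in this particular report.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example, not part of gifsicle or the issue above: it parses the report
text and extracts the bug class, access kind and size, how far outside the
allocation the access landed, and the top in-tree frame of each stack.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: header, stacks and region line copied from the report
# quoted in the issue; the shadow-byte dump is omitted because it is not parsed.
SAMPLE_REPORT = """\
==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8
READ of size 1 at 0x60300000005a thread T0
    #0 0x4dd2b3 in ambiguity_error /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62
    #1 0x4d17b1 in parse_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1216:9
    #2 0x4d949e in Clp_Next /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1967:6
    #3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1533:15
    #4 0x7fdb41691082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #5 0x41d4cd in _start (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region [0x603000000040,0x603000000058)
allocated by thread T0 here:
    #0 0x499c7d in __interceptor_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/install/bin/gifsicle+0x499c7d)
    #1 0x4d4a20 in finish_string_list /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1230:50
    #2 0x4d47fc in Clp_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:1332:9
    #3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/gifsicle.c:1461:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle_aflpp/src/clp.c:2395:62 in ambiguity_error
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<type>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<kind>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<size>\d+)-byte region \[0x(?P<start>[0-9a-f]+),0x(?P<end>[0-9a-f]+)\)")

@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line:col", or "(module+offset)" when there is no debug info

@dataclass
class AsanTriage:
    bug_type: str
    access: str              # READ or WRITE
    access_size: int
    address: int
    region_size: int
    offset_from_region: int  # >0: bytes past the end, <0: bytes before the start
    crash_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanTriage:
    bug_type = access = region = None
    access_size = address = 0
    crash, alloc = [], []
    current = None  # stack currently being collected; a blank line ends it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if (m := HEADER_RE.search(line)):
            bug_type, address = m.group("type"), int(m.group("addr"), 16)
        elif (m := ACCESS_RE.match(line)):
            access, access_size, current = m.group("kind"), int(m.group("size")), crash
        elif line.startswith("allocated by thread"):
            current = alloc
        elif (m := REGION_RE.search(line)):
            region = m
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc")))
    if bug_type is None or access is None or region is None:
        raise ValueError("incomplete ASAN report: missing header, access or region line")
    start, end = int(region.group("start"), 16), int(region.group("end"), 16)
    dist = int(region.group("dist"))
    offset = dist if region.group("side") == "right" else -dist
    # Cross-check the distance ASAN prints against the raw addresses it printed.
    if (end + dist if offset > 0 else start - dist) != address:
        raise ValueError("region line does not agree with the faulting address")
    return AsanTriage(bug_type, access, access_size, address,
                      int(region.group("size")), offset, crash, alloc)

def first_project_frame(frames: List[Frame], src_hint: str = "/src/") -> Optional[Frame]:
    """First frame inside the project tree (src_hint is an assumed path filter);
    skips sanitizer interceptors, libc and frames without a source location."""
    for f in frames:
        if src_hint in f.location and not f.func.startswith("__interceptor_"):
            return f
    return frames[0] if frames else None

def summarize(t: AsanTriage) -> str:
    crash, alloc = first_project_frame(t.crash_frames), first_project_frame(t.alloc_frames)
    side = "past the end" if t.offset_from_region > 0 else "before the start"
    impact = "memory corruption" if t.access == "WRITE" else "out-of-bounds read (crash/info leak)"
    return (f"{t.bug_type}: {t.access} of {t.access_size} byte(s), {abs(t.offset_from_region)} byte(s) "
            f"{side} of a {t.region_size}-byte heap region [{impact}]; faulting in {crash.func} "
            f"at {crash.location}; region allocated in {alloc.func} at {alloc.location}")
```

Running `summarize(parse_asan_report(SAMPLE_REPORT))` yields a one-line triage string naming the faulting function and line together with the allocation site, which is the pair of locations a fix has to reconcile. Separating READ from WRITE in the summary matters for prioritisation: an out-of-bounds read of one byte past a heap region, as here, is a crash or information-leak primitive, whereas a write would be memory corruption.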
