Failure to check file size leads to out-of-bounds memory access #33

kittener · 2024-07-06T14:16:43Z

Hello,
I am testing my new fuzz tester recently. I found a crash when testing the gif2tga program. After analysis, the vulnerability appears in the following code snippet

	if(v!=i->gce.transparent_color || !i->gce.transparent_flag) {
#ifndef NGIFLIB_INDEXED_ONLY
		if(p->mode & NGIFLIB_MODE_INDEXED) {
#endif /* NGIFLIB_INDEXED_ONLY */
			*context->frbuff_p.p8 = v;
#ifndef NGIFLIB_INDEXED_ONLY
		} else
			*context->frbuff_p.p32 = v < i->ncolors ?
			   GifIndexToTrueColor(i->palette, v) : 0;
#endif /* NGIFLIB_INDEXED_ONLY */
	}

I think it should be caused by not checking the file structure in the LoadGIF function, resulting in too many memory addresses being allocated.

The condition for the vulnerability to be triggered is

gif2tga poc.gif

The poc file is

by Kaiyu Xie

The text was updated successfully, but these errors were encountered:

kittener · 2024-07-06T14:17:37Z

miniupnp · 2024-07-07T14:44:49Z

The GIF looks 65535 x 65535

miniupnp · 2024-07-07T14:50:32Z

So it is trying to write 16GB tga file :(

miniupnp self-assigned this Jul 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Failure to check file size leads to out-of-bounds memory access #33

Failure to check file size leads to out-of-bounds memory access #33

kittener commented Jul 6, 2024 •

edited by miniupnp

Loading

kittener commented Jul 6, 2024

miniupnp commented Jul 7, 2024

miniupnp commented Jul 7, 2024

Failure to check file size leads to out-of-bounds memory access #33

Failure to check file size leads to out-of-bounds memory access #33

Comments

kittener commented Jul 6, 2024 • edited by miniupnp Loading

kittener commented Jul 6, 2024

miniupnp commented Jul 7, 2024

miniupnp commented Jul 7, 2024

kittener commented Jul 6, 2024 •

edited by miniupnp

Loading