Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,

Q.) What led up to the situation?
A.) In the load_apng function, the imagesize variable is prone to an integer overflow vulnerability (it is basically calculated from the w and h variables, which are in the hands of the user input). And then frameRaw.p and frameCur.p are assigned a lower amount of memory because of this vulnerability, which will result in unallocated memory pointers in frameRaw.rows and frameCur.rows whose dereference can cause a heap buffer overflow read/write.

Q.) What exactly did you do (or not do) that was effective (or ineffective)?
A.) Just have to modify the relevant offsets in the png file so that the h and w variables can result in an overflow of the imagesize variable.

Steps to reproduce:
Use the makefile in the attachment and compile the program to get the program in asan mode.
Use the input.png file in the attachment as input to the program and run it:

    apng2gif input.png

Q.) What was the outcome of this action?
A.) Heap buffer overflow read at memcpy in the if condition bop==0 in the compose_frame function, for example. But theoretically, this can result in a heap overflow write in some memcpy too under specific conditions.

Sample ASAN Output:

apng2gif 1.7
Reading './crashes_submitted/integeroverflow/input.png'...
=================================================================
==16318== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb57ff8ff at pc 0x804a7e2 bp 0xbfe89908 sp 0xbfe898fc
READ of size 1 at 0xb57ff8ff thread T0
    #0 0x804a7e1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a7e1)
    #1 0x80582bb (apng2gif/1.7/gccasanbuild/apng2gif+0x80582bb)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
    #4 0x804a0c1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a0c1)
0xb57ff8ff is located 255 bytes to the right of 67375104-byte region [0xb17be800,0xb57ff800)
allocated by thread T0 here:
    #0 0xb61006a4 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0x116a4)
    #1 0x805626a (apng2gif/1.7/gccasanbuild/apng2gif+0x805626a)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
Shadow bytes around the buggy address:
  0x36affec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36afff00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36afff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x36afff20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16318== ABORTING

Q.) What outcome did you expect instead?
A.) Maybe some check to see if each pointer in frameRaw.rows/frameCur.rows is less than or equal to frameCur.p + imagesize before trying to dereference them. Or maybe something to get rid of the integer overflow in the first place.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
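As an added illustration of the second mitigation suggested above (this is example code, not code from apng2gif or from the report): compute imagesize with an overflow check before any allocation, and build the row-pointer table only from a buffer whose size was validated, so no rows[i] can point outside the allocation. The RGBA bytes-per-pixel factor, the struct layout and the function names are assumptions; the size is kept in uint32_t to mirror the 32-bit i386 build in the report.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed bytes per decoded pixel (RGBA); the real apng2gif formula is
 * not shown in the report, so this is an assumption. */
#define BYTES_PER_PIXEL 4u

/* Hypothetical checked replacement for an unchecked `imagesize = w * h * 4`.
 * The result is uint32_t to mirror the 32-bit (i386) build in the report;
 * 64-bit intermediates catch the wrap. Returns 1 on success, else 0. */
int checked_image_size(uint32_t w, uint32_t h, uint32_t *out)
{
    uint64_t rowbytes = (uint64_t)w * BYTES_PER_PIXEL;
    if (w == 0 || h == 0 || rowbytes > UINT32_MAX)
        return 0;
    uint64_t total = rowbytes * h;      /* < 2^32 * 2^32, fits in 64 bits */
    if (total > UINT32_MAX)
        return 0;
    *out = (uint32_t)total;
    return 1;
}

/* Pixel buffer plus row-pointer table, modelled on the report's
 * frameRaw/frameCur (field names assumed). */
struct frame {
    unsigned char *p;
    unsigned char **rows;
};

/* Allocate p and rows only after the size check passes, so every rows[i]
 * lies inside [p, p + imagesize) and no row dereference can leave the
 * allocation. Returns 1 on success, 0 on oversized input or OOM. */
int frame_alloc(struct frame *f, uint32_t w, uint32_t h)
{
    uint32_t imagesize;
    f->p = NULL; f->rows = NULL;
    if (!checked_image_size(w, h, &imagesize))
        return 0;
    f->p = malloc(imagesize);
    f->rows = malloc((size_t)h * sizeof *f->rows);
    if (!f->p || !f->rows) {
        free(f->p);
        free(f->rows);
        f->p = NULL; f->rows = NULL;
        return 0;
    }
    for (uint32_t i = 0; i < h; i++)
        f->rows[i] = f->p + (size_t)i * w * BYTES_PER_PIXEL;
    return 1;
}
```

A caller that receives 0 from frame_alloc should reject the file rather than continue with partially set-up frames.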
# Makefile from the attachment: builds apng2gif with AddressSanitizer enabled
PACKAGE = apng2gif
CC = gcc
CFLAGS = -Wall -g3 -pedantic -fno-omit-frame-pointer -fsanitize=address
CFLAGS_OPT = -O3
LIBS = -lstdc++ -lm -lpng -lz

all :
	$(CC) $(CFLAGS) $(CFLAGS_OPT) -o apng2gif apng2gif.cpp $(LIBS)

.PHONY : clean
clean :
	rm -rf apng2gif