Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,
Q.) What led up to the situation?
A.) In the main function, the variable szOut is used to store the input file name in the statements "strcpy(szOut, szOpt)" and "strcpy(szOut, szInput)". Since szOut is of size 256 and there is no check on the size of the input parameter being copied into szOut, a user can pass a parameter of size more than 256 to corrupt the stack.

Q.) What exactly did you do (or not do) that was effective (or ineffective)? What was the outcome of this action?
A.) Just have to pass a parameter of size more than 256 characters.

Steps to reproduce: Use the makefile in the attachment and compile the program (attaching the makefile just as a reference). Since there are multiple places in the code where the stack overflow is possible, I'm just pointing out 2 of these cases:

Case 1: (at strcpy(szOut, szOpt))

Command line:
    ../gccbuild/apng2gif ./aflasanbuildinput/not_kitty.png 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Output:
    apng2gif 1.7
    Reading './aflasanbuildinput/not_kitty.png'... 1 frame. 5 colors.
    Error: can't open '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    save_agif() failed: '111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    *** stack smashing detected ***: ./gccbuild/apng2gif terminated
    Aborted (core dumped)

Case 2: (at strcpy(szOut, szInput))

Command line:
    ../gccbuild/apng2gif ../aflasanbuildinput/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111.png

Output:
    apng2gif 1.7
    Reading './aflasanbuildinput/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111.png'...
    load_apng() failed: './aflasanbuildinput/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111.png'
    *** stack smashing detected ***: ./gccbuild/apng2gif terminated
    Aborted (core dumped)

Q.) What outcome did you expect instead?
A.)
Maybe some check to see if the parameter passed is greater than 255 characters before trying to do strcpy.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Attached makefile (reference only; the recipe lines must be tab-indented, and the phony target is spelled .PHONY):

PACKAGE = apng2gif
CC = gcc
CFLAGS = -Wall -pedantic
CFLAGS_OPT = -g
LIBS = -lstdc++ -lm -lpng -lz

all :
	$(CC) $(CFLAGS) $(CFLAGS_OPT) -o apng2gif apng2gif.cpp $(LIBS)

.PHONY : clean
clean :
	rm -rf apng2gif
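As an illustration of the check suggested under "What outcome did you expect instead?", here is an added example (not apng2gif's own code) of a bounds-checked replacement for the unchecked strcpy(szOut, ...) calls: the copy is refused, with a clear error, when the name would not fit in the 256-byte buffer. The function names, and the assumption that an explicit output name takes precedence over the input name, are mine; only the buffer size and variable names come from the report.

```c
/* Added example, not apng2gif's code: bounds-checked copy into szOut[256]. */
#include <stdio.h>
#include <string.h>

#define OUT_NAME_MAX 256   /* size of szOut as stated in the report */

/* Copy src into dst only if it fits together with the terminating NUL.
 * Returns 0 on success; returns -1 and leaves dst empty if src is too long
 * (i.e. more than dstsz - 1 = 255 characters for a 256-byte buffer). */
static int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len;
    if (dstsz == 0 || src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsz) {          /* would overflow: refuse instead of smashing the stack */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* length validated above, NUL included */
    return 0;
}

/* Hypothetical stand-in for the two strcpy sites in main(): an explicit
 * output name (szOpt) is assumed to win, otherwise the input name (szInput)
 * is used. Returns 0 if szOut was filled, -1 if the name would overflow. */
int choose_output_name(char szOut[OUT_NAME_MAX], const char *szOpt, const char *szInput)
{
    const char *src = (szOpt != NULL && szOpt[0] != '\0') ? szOpt : szInput;
    if (copy_name_checked(szOut, OUT_NAME_MAX, src) != 0) {
        fprintf(stderr, "Error: output name too long (max %d characters)\n",
                OUT_NAME_MAX - 1);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char szOut[OUT_NAME_MAX];
    const char *in  = argc > 1 ? argv[1] : "not_kitty.png";   /* constructed defaults */
    const char *opt = argc > 2 ? argv[2] : NULL;
    if (choose_output_name(szOut, opt, in) != 0)
        return 1;                /* reject the oversized name instead of crashing */
    printf("output name: %s\n", szOut);
    return 0;
}
```

Running it with a second argument of 300 '1' characters, as in Case 1, prints the error and exits with status 1 rather than aborting with "stack smashing detected".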