#102 Heap overflow in gif2rgb.c
Milestone: v1.0_(example)
Status: open
Owner: nobody
Labels: heap overflow (1)
Priority: 7
Updated: 2 hours ago
Created: 2 hours ago
Creator: STARLAB
Private: No

Hello,

There is a heap overflow in giflib 5.1.4. The crash output with ASan is as follows:

./util/gif2rgb poc
=================================================================
==8885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf6200a3b at pc 0x80d317d bp 0xffce7d58 sp 0xffce7d50
READ of size 1 at 0xf6200a3b thread T0
    #0 0x80d317c in DumpScreen2RGB /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:294
    #1 0x80d1736 in GIF2RGB /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:474
    #2 0x80cb9e2 in main /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:525
    #3 0xf74b4af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #4 0x80ca7f4 in _start (/home/starlab/test-fuzzing/giflib-5.1.4/util/.libs/lt-gif2rgb+0x80ca7f4)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:294 DumpScreen2RGB
Shadow bytes around the buggy address:
  0x3ec400f0: fa fa 00 00 fa fa 00 04 fa fa 00 00 fa fa 03 fa
  0x3ec40100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ec40140: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x3ec40150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ec40190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==8885==ABORTING

The PoC is in the attachment.

The vulnerability was found by F4B3CD@STARLAB.
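The trace above reports a 1-byte heap read in DumpScreen2RGB whose address sits in a run of left-redzone (fa) shadow bytes with no allocation nearby, which is why ASan calls it a wild access rather than naming an overflowed buffer. That pattern is what an out-of-range palette index produces. The example below is added here and is not code from the report or from giflib; it assumes, since the report does not show the source, that the read at gif2rgb.c:294 is the loop in DumpScreen2RGB that turns each pixel's index byte into an RGB triple by indexing the color map without comparing the index to ColorCount. The type names mirror giflib's but are minimal stand-ins, and the palette and pixel rows are constructed inputs. It shows the unchecked lookup beside a hardened version that rejects the row and reports the offending column.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the giflib types involved (assumed, only the fields used
 * here), so the example compiles without giflib installed. */
typedef unsigned char GifByteType;
typedef struct { GifByteType Red, Green, Blue; } GifColorType;
typedef struct { int ColorCount; GifColorType *Colors; } ColorMapObject;

/* Assumed shape of the lookup in DumpScreen2RGB: the pixel byte selects a
 * palette entry with no check against ColorCount. A pixel value of 200
 * against a 4-entry palette reads 196 entries past the end of Colors, i.e.
 * the single-byte heap read ASan reports. Only ever called on a validated
 * row below; it is here to show the pattern, not to be used on untrusted data. */
static void row_to_rgb_unchecked(const ColorMapObject *cm, const GifByteType *row,
                                 int width, GifByteType *out)
{
    for (int j = 0; j < width; j++) {
        const GifColorType *e = &cm->Colors[row[j]];  /* OOB if row[j] >= ColorCount */
        *out++ = e->Red;
        *out++ = e->Green;
        *out++ = e->Blue;
    }
}

/* Hardened version: validate every index before dereferencing the palette.
 * Returns 0 on success; -1 on failure with *bad_col set to the first pixel
 * column whose index is outside the palette (or -1 if the palette itself is
 * unusable), so the caller can log exactly what the file tried to do. */
static int row_to_rgb_checked(const ColorMapObject *cm, const GifByteType *row,
                              int width, GifByteType *out, int *bad_col)
{
    *bad_col = -1;
    if (cm == NULL || cm->Colors == NULL || cm->ColorCount <= 0)
        return -1;
    for (int j = 0; j < width; j++) {
        if ((int)row[j] >= cm->ColorCount) {
            *bad_col = j;
            return -1;
        }
        const GifColorType *e = &cm->Colors[row[j]];
        *out++ = e->Red;
        *out++ = e->Green;
        *out++ = e->Blue;
    }
    return 0;
}

/* Constructed input: a 4-entry palette and two 5-pixel rows, one clean and
 * one carrying index 200, which the palette cannot satisfy. Returns 0 when
 * the checked lookup accepts the clean row (matching the unchecked output
 * byte for byte) and rejects the bad row at column 2. */
int demo(void)
{
    GifColorType colors[4] = { {0, 0, 0}, {255, 0, 0}, {0, 255, 0}, {0, 0, 255} };
    ColorMapObject cm = { 4, colors };
    GifByteType good[5] = { 0, 1, 2, 3, 1 };
    GifByteType bad[5]  = { 0, 1, 200, 3, 1 };
    GifByteType rgb_checked[5 * 3];
    GifByteType rgb_unchecked[5 * 3];
    int col = -1;

    if (row_to_rgb_checked(&cm, good, 5, rgb_checked, &col) != 0)
        return 1;
    if (rgb_checked[3] != 255 || rgb_checked[4] != 0 || rgb_checked[5] != 0)
        return 2;                                    /* pixel 1 must decode to red */
    row_to_rgb_unchecked(&cm, good, 5, rgb_unchecked); /* safe: row already validated */
    if (memcmp(rgb_checked, rgb_unchecked, sizeof rgb_checked) != 0)
        return 3;
    if (row_to_rgb_checked(&cm, bad, 5, rgb_checked, &col) != -1 || col != 2)
        return 4;
    return 0;
}

int main(void)
{
    int rc = demo();
    if (rc == 0)
        printf("checked lookup accepted the clean row and rejected the bad row\n");
    else
        printf("demo failed with code %d\n", rc);
    return rc;
}
```

In a real fix the check belongs where the row is decoded, before any palette dereference, and a rejected row should abort the conversion with an error rather than clamping the index, since silently remapping pixels hides the malformed file from the user and from fuzzers.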