Null pointer dereference vulnerability in main() - giflib 5.1.4
October 30, 2018
CVE Number
-
CWE
CWE-476: NULL Pointer Dereference
Product Details
gifclrmp is a program for modifying GIF image colormaps. It can modify any one local colormap in a GIF file, or the global screen colormap, and it can also extract colormaps from GIF images.
URL: http://giflib.sourceforge.net/
Vulnerable Versions
5.1.4 branch
Vulnerability Details
A NULL pointer dereference was discovered in the gifclrmp utility of giflib 5.1.4. It is triggered in main() in util/gifclrmp.c (line 228 in the ASAN trace below) while copying extension blocks from the input file, and results in a denial of service (crash).
SYNOPSIS
Under progress
Analysis
    if (EGifPutExtensionLeader(GifFileOut, ExtCode) == GIF_ERROR)
        QuitGifError(GifFileIn, GifFileOut);
    if (EGifPutExtensionBlock(GifFileOut, Extension[0],   /* NULL dereference */
                              Extension + 1) == GIF_ERROR)
        QuitGifError(GifFileIn, GifFileOut);
    while (Extension != NULL) {
        if (DGifGetExtensionNext(GifFileIn, &Extension) == GIF_ERROR)
            QuitGifError(GifFileIn, GifFileOut);
gef➤ p Extension
$1 = (GifByteType *) 0x0
gef➤ p Extension[0]
Cannot access memory at address 0x0
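The check the snippet lacks, shown as an added example that is not giflib's or the advisory's own code: a self-contained C model of the GIF extension sub-block chain and of the copy loop, with a NULL check in front of every read of the block pointer rather than only inside the while loop. The ExtReader type, read_next_block() and run_case() are constructed for this example; the assumption that an empty extension yields a NULL block pointer is modelled on the gdb output above, not taken from giflib's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for giflib's extension reader (not giflib's own code).
 * GIF extension data is a chain of sub-blocks (length byte + that many data
 * bytes) ended by a 0 length byte. Modelling assumption, matching the trace
 * above: an empty extension hands back a NULL block pointer. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } ExtReader;

/* 1 on success (*block = sub-block starting at its length byte, or NULL at
 * the end of the chain), 0 on truncated input. */
static int read_next_block(ExtReader *r, const uint8_t **block) {
    if (r->pos >= r->len) return 0;
    uint8_t n = r->data[r->pos];
    if (n == 0) { r->pos++; *block = NULL; return 1; }
    if (r->pos + 1 + n > r->len) return 0;
    *block = &r->data[r->pos];
    r->pos += 1 + (size_t)n;
    return 1;
}

/* Hardened form of gifclrmp's copy loop: every read of block[0] sits behind a
 * NULL check, including the first one that 5.1.4 leaves unguarded. Returns the
 * number of sub-blocks copied into out, or -1 on a read error. */
static int copy_extension_blocks(ExtReader *r, uint8_t *out, size_t cap, size_t *outlen) {
    const uint8_t *block; int copied = 0; *outlen = 0;
    if (!read_next_block(r, &block)) return -1;      /* first block, as DGifGetExtension */
    while (block != NULL) {                            /* NULL = empty extension, not an error */
        size_t n = 1 + (size_t)block[0];
        if (*outlen + n > cap) return -1;
        memcpy(out + *outlen, block, n);
        *outlen += n; copied++;
        if (!read_next_block(r, &block)) return -1;  /* as DGifGetExtensionNext */
    }
    return copied;
}

/* Constructed inputs: 0 = two sub-blocks, 1 = empty extension (the NULL case
 * from the trace), 2 = truncated sub-block. Returns the copy count or -1. */
int run_case(int which) {
    static const uint8_t normal[] = {3, 'a', 'b', 'c', 1, 'z', 0};
    static const uint8_t empty[] = {0}, truncated[] = {5, 'a'};
    const uint8_t *in[] = {normal, empty, truncated};
    const size_t len[] = {sizeof normal, sizeof empty, sizeof truncated};
    uint8_t out[64]; size_t n;
    ExtReader r = {in[which], len[which], 0};
    return copy_extension_blocks(&r, out, sizeof out, &n);
}
```

Case 1 is the shape that crashes the unguarded loop; here it is handled as an empty extension and the copy simply produces nothing.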
ASAN Output
ASAN: DEADLYSIGNAL
=================================================================
==11264==ERROR: Address Sanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c069cec56b bp 0x7ffdd566fd70 sp 0x7ffdd566f9a0 T0)
==11264==The signal is caused by a READ memory access.
==11264==Hint: address points to the zero page.
#0 0x55c069cec56a in main /home/loginsoft/Desktop/packages/giflib-5.1.4-2.module_2253+ad19d02c.src/giflib-5.1.4/util/gifclrmp.c:228
#1 0x7f5db6642b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#2 0x55c069ceae29 in _start (/usr/local/bin/gifclrmp+0x2e29)
Address Sanitizer cannot provide additional info.
SUMMARY: Address Sanitizer: SEGV /home/loginsoft/Desktop/packages/giflib-5.1.4-2.module_2253+ad19d02c.src/giflib-5.1.4/util/gifclrmp.c:228 in main
==11264==ABORTING
Proof of Concept
gifclrmp -v -g 2.8 $POC
Timeline
Vendor Disclosure: 2018-10-02
Public Disclosure: 2018-10-03
Credit
Discovered by ACE Team - Loginsoft