Null pointer dereference vulnerability in main() – giflib 5.1.4

October 30, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

A program to modify GIF image colormaps. Any local colormap in a GIF file can be modified at a time, or the global screen one. And it extracts colourmaps from GIF images..
URL: http://giflib.sourceforge.net/

Vulnerable Versions

5.1.4 branch

Vulnerability Details

A NULL Pointer Dereference was discovered in the gifclrmp binary of giflib 5.1.4. The issue gets triggered in the function main() at gifclrmp.c, causing a denial of service.

SYNOPSIS

Under progress

Analysis

 

if (EGifPutExtensionLeader(GifFileOut, ExtCode) == GIF_ERROR)
		    QuitGifError(GifFileIn, GifFileOut);
		    if (EGifPutExtensionBlock(GifFileOut, Extension[0], //NULL dereference
					  Extension + 1) == GIF_ERROR)
		    QuitGifError(GifFileIn, GifFileOut);
		    while (Extension != NULL) {
		    if (DGifGetExtensionNext(GifFileIn, &Extension)==GIF_ERROR)
			QuitGifError(GifFileIn, GifFileOut);
gef➤  p Extension 
$1 = (GifByteType *) 0x0 
gef➤  p Extension[0] 
Cannot access memory at address 0x0
ASAN Output
ASAN: DEADLYSIGNAL 
 ================================================================= 
 ==11264==ERROR: Address Sanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c069cec56b bp 0x7ffdd566fd70 sp 0x7ffdd566f9a0 T0) 
 ==11264==The signal is caused by a READ memory access. 
 ==11264==Hint: address points to the zero page. 
     #0 0x55c069cec56a in main /home/loginsoft/Desktop/packages/giflib-5.1.4-2.module_2253+ad19d02c.src/giflib-5.1.4/util/gifclrmp.c:228 
     #1 0x7f5db6642b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) 
     #2 0x55c069ceae29 in _start (/usr/local/bin/gifclrmp+0x2e29) 

Address Sanitizer cannot provide additional info. 
 SUMMARY: Address Sanitizer: SEGV /home/loginsoft/Desktop/packages/giflib-5.1.4-2.module_2253+ad19d02c.src/giflib-5.1.4/util/gifclrmp.c:228 in main 
 ==11264==ABORTING
Proof of Concept

gifclrmp -v -g 2.8 $POC

Timeline

Vendor Disclosure: 2018-10-02
Public Disclosure: 2018-10-03

Credit

Discovered by ACE Team – Loginsoft