Package: libimlib2
Version: 1.4.7-1
Usertags: afl

Loading the attached image causes out-of-bounds reads:

$ valgrind ./debian/tmp/usr/bin/imlib2_conv oob.gif oob.ppm
==8382== Memcheck, a memory error detector
==8382== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8382== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==8382== Command: ./debian/tmp/usr/bin/imlib2_conv oob.gif oob.ppm
==8382==
==8382== Invalid read of size 1
==8382==    at 0x495CABE: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)
==8382==  Address 0x456cc66 is 2 bytes after a block of size 12 alloc'd
==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)
==8382==
==8382== Invalid read of size 1
==8382==    at 0x495CAC2: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)
==8382==  Address 0x456cc64 is 0 bytes after a block of size 12 alloc'd
==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)
==8382==
==8382== Invalid read of size 1
==8382==    at 0x495CAD0: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)
==8382==  Address 0x456cc65 is 1 bytes after a block of size 12 alloc'd
==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
==8382==    by 0x8048893: main (imlib2_conv.c:76)


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
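
Added illustration, not part of the original report and not imlib2's or giflib's code: the three reads in the trace land 0, 1 and 2 bytes past a 12-byte calloc'd colormap, which is the footprint of indexing a 4-entry RGB palette with pixel index 4. The example below uses a constructed colormap struct (a stand-in for giflib's ColorMapObject, with hypothetical names) and puts an unchecked palette lookup beside a bounds-checked one that counts out-of-range indices so a loader can reject the image.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a GIF colormap: color_count RGB triples
 * allocated as one block (4 entries = the 12 bytes seen in the trace). */
typedef struct { uint8_t r, g, b; } rgb_t;
typedef struct { int color_count; rgb_t *colors; } colormap_t;

static uint32_t pack_argb(const rgb_t *c)
{
    return 0xff000000u | ((uint32_t)c->r << 16) | ((uint32_t)c->g << 8) | c->b;
}

/* Unchecked lookup: any index >= color_count reads past the block, which
 * is exactly the "N bytes after a block of size 12" pattern valgrind reports. */
uint32_t lookup_unchecked(const colormap_t *cm, uint8_t idx)
{
    return pack_argb(&cm->colors[idx]);
}

/* Hardened lookup: out-of-range indices yield opaque black and are
 * counted so the caller can reject or log the malformed image. */
uint32_t lookup_checked(const colormap_t *cm, uint8_t idx, int *bad)
{
    if (cm == NULL || cm->colors == NULL || (int)idx >= cm->color_count) {
        if (bad) (*bad)++;
        return 0xff000000u;
    }
    return pack_argb(&cm->colors[idx]);
}

/* Decode one row of palette indices; returns how many were out of range. */
int decode_row(const colormap_t *cm, const uint8_t *idx, size_t n, uint32_t *out)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        out[i] = lookup_checked(cm, idx[i], &bad);
    return bad;
}

/* Constructed sample: a 4-entry map and a row whose last two indices (4 and
 * 255) point past it. Fills out[6] when non-NULL; returns the bad count. */
int example_decode(uint32_t *out)
{
    static rgb_t pal[4] = {{255,0,0},{0,255,0},{0,0,255},{255,255,255}};
    colormap_t cm = { 4, pal };
    const uint8_t row[6] = { 0, 1, 2, 3, 4, 255 };
    uint32_t px[6];
    int bad = decode_row(&cm, row, 6, px);
    for (size_t i = 0; out && i < 6; i++) out[i] = px[i];
    return bad;
}
```

A loader that gets a non-zero count back from decode_row has a malformed or hostile file and can fail the load instead of silently reading neighbouring heap memory.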


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libimlib2 depends on:
ii  libbz2-1.0         1.0.6-7+b3
ii  libc6              2.19-18
ii  libfreetype6       2.5.2-4
ii  libgif4            4.1.6-11
ii  libid3tag0         0.15.1b-11
ii  libjpeg62-turbo    1:1.4.0-7
ii  libpng12-0         1.2.50-2+b2
ii  libtiff5           4.0.3-13
ii  libx11-6           2:1.6.3-1
ii  libxext6           2:1.3.3-1
ii  multiarch-support  2.19-18
ii  zlib1g             1:1.2.8.dfsg-2+b1

--
Jakub Wilk