*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

When apng2gif runs with a very long parameter (>256 bytes) in argv[2], it crashes. For example, on the command line:

    $ apng2gif a.png `python -c 'print "a"*0x100'`
    apng2gif 1.7
    *** buffer overflow detected ***: apng2gif terminated
    已放弃 (核心已转储)

There is a stack-buffer-overflow in the main function of apng2gif. This vulnerability affects all versions below 1.8.

Analysis: in the source code (https://sourceforge.net/projects/apng2gif/files/1.8/) you can see the bug where the main function calls strcpy:

    ......
                if (back_b < 0) back_b = 0;
                if (back_b > 255) back_b = 255;
                bcolor = (back_r<<16) + (back_g<<8) + back_b;
              }
            }
          }
        }
        else if (szOut[0] == 0)
          strcpy(szOut, szOpt);
      }
    ......

In the example above, szOpt points at argv[2], and szOut is defined on the stack with size 256, so when argv[2] is too long, strcpy writes past the end of szOut and causes a stack-buffer-overflow in main.

** Affects: apng2gif (Ubuntu)
     Importance: Undecided
         Status: Incomplete

--
stack-buffer-overflow in main function
https://bugs.launchpad.net/bugs/1841627
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
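The "*** buffer overflow detected ***" abort in the report comes from glibc's fortified strcpy (_FORTIFY_SOURCE), which stops the process once it sees the copy exceed the 256-byte destination; without that build hardening the same strcpy would silently overwrite the stack. The fix is to bound the copy by the destination's capacity. The following is an added example, not apng2gif's own code: copy_output_name and try_output_name are hypothetical names, and the 256-byte szOut and the 0x100-byte argument are modelled on the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded replacement for the bare strcpy(szOut, szOpt)
 * in apng2gif's main(). Copies szOpt into szOut (capacity cap bytes)
 * only if it fits together with its NUL terminator.
 * Returns 0 on success, -1 if the argument is too long. */
int copy_output_name(char *szOut, size_t cap, const char *szOpt)
{
    size_t len = strlen(szOpt);
    if (len >= cap)            /* 256 'a's need 257 bytes with the NUL */
        return -1;
    memcpy(szOut, szOpt, len + 1);
    return 0;
}

/* Constructs an argument of n 'a' bytes (like the report's
 * python -c 'print "a"*0x100' one-liner) and tries to place it in a
 * 256-byte stack buffer through the bounded copy. */
int try_output_name(size_t n)
{
    char szOut[256] = {0};
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'a', n);
    arg[n] = '\0';
    int rc = copy_output_name(szOut, sizeof szOut, arg);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    char szOut[256] = {0};
    /* argv[2] mirrors the report; "out.gif" is a constructed default. */
    const char *szOpt = argc > 2 ? argv[2] : "out.gif";

    if (szOut[0] == 0 && copy_output_name(szOut, sizeof szOut, szOpt) != 0) {
        fprintf(stderr, "output name too long (max %zu bytes)\n",
                sizeof szOut - 1);
        return 1;
    }
    printf("output: %s\n", szOut);
    return 0;
}
```

With this check in place, the 0x100-byte argument from the report is rejected with an error message instead of reaching the stack; a 255-byte name, the longest that fits with its terminator, is still accepted.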
