Stack out-of-bounds read in gif_get_code() #463

Closed
@Jorgecmartins

Description

In gif_get_code(), in image.cxx, there is a stack out-of-bounds read in the following code:

267    curbit    = (curbit - lastbit) + 8 * last_byte;
268    last_byte += (unsigned)count;
269    lastbit   = last_byte * 8;
270  }
271
272  for (ret = 0, i = curbit + (unsigned)code_size - 1, j = (unsigned)code_size;
273       j > 0;
274       i --, j --)
275    ret = (ret << 1) | ((buf[i / 8] & bits[i & 7]) != 0);

The expression curbit - lastbit, line 267, can result in an integer overflow when lastbit > curbit, updating curbit to a large number since it is unsigned. Later, on line 272, the variable i is set to a number less than code_size, since curbit + (unsigned)code_size - 1 overflows, which after a few iterations results in a stack out-of-bounds read in buf[i/8].

I've attached poc.zip, which contains a malicious gif and an html file and triggers the out-of-bounds read, resulting in a segmentation fault.

Steps to reproduce

The following should result in a segmentation fault:

$ unzip poc.zip
$ htmldoc --webpage -f output.pdf crash.html

Steps to analyse the crash in gdb

gdb --args htmldoc --webpage -f output.pdf ./crash.html
# set a breakpoint on gif_get_code
run
continue 3
# reached the gif_get_code that will crash
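The arithmetic described in the report, as an added example that is not htmldoc's code: a minimal model of the unchecked rebase and bit-extraction beside a checked form that rejects the unsigned wrap and any byte index outside the buffer before reading it. BUF_LEN, the function names and the sample bytes are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed buffer size for this demo (not taken from htmldoc). */
#define BUF_LEN 280

/* Constructed sample bytes: bit 0 is the LSB of buf[0], as in the report's
 * buf[i / 8] & bits[i & 7] indexing. */
static const unsigned char sample_buf[2] = { 0xA5, 0x0F };

/* The report's "curbit = (curbit - lastbit) + 8 * last_byte", as plain
 * unsigned arithmetic. When lastbit - curbit exceeds 8 * last_byte the
 * subtraction wraps and the wrap is not cancelled by the addition. */
unsigned rebase_unchecked(unsigned curbit, unsigned lastbit, unsigned last_byte)
{
    return (curbit - lastbit) + 8 * last_byte;
}

/* Same rebase in 64-bit signed arithmetic; returns -1 instead of a wrapped
 * value when the true result is negative or beyond the buffer's bit count. */
long long rebase_checked(unsigned curbit, unsigned lastbit, unsigned last_byte)
{
    long long v = (long long)curbit - (long long)lastbit + 8LL * last_byte;
    if (v < 0 || v > 8LL * BUF_LEN)
        return -1;
    return v;
}

/* Extract code_size bits starting at bit curbit, MSB of the result taken from
 * the highest bit index, exactly as the report's loop does. The byte index of
 * every bit the loop will touch is checked against buf_len first, using 64-bit
 * arithmetic so curbit + code_size - 1 cannot wrap to a small value.
 * Returns -1 when any index would fall outside buf. */
int get_code_checked(const unsigned char *buf, size_t buf_len,
                     unsigned curbit, unsigned code_size)
{
    static const unsigned char bits[8] = { 1, 2, 4, 8, 16, 32, 64, 128 };
    uint64_t last = (uint64_t)curbit + code_size - 1;

    if (code_size == 0 || code_size > 12 || last / 8 >= (uint64_t)buf_len)
        return -1;

    int ret = 0;
    for (uint64_t i = last, j = code_size; j > 0; i--, j--)
        ret = (ret << 1) | ((buf[i / 8] & bits[i & 7]) != 0);
    return ret;
}
```

With the sample bytes, reading 4 bits at bit 0 yields 5 and 9 bits at bit 4 yields 250, while a start bit that would push the last index past the buffer is refused instead of wrapping.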

Labels: bug (Something isn't working), platform issue (Issue is specific to an OS or desktop), priority-low