
Re: [Full-Disclosure] About Gif's

> Hello,
>
> > 01 01  00   Length Datablock 1 ( should be 4 Byte ??  'no wonder there's
> > error) ( missing ? databytes and terminator (00) )
> > 3b          ; (GIF-Terminator)
>
> ahhh... this looks very interesting.  So the length of the datablock is
> mis-represented?  What does that tell you?
>
> I just altered that GIF file, by making that data block REALLY big:
>
> 00000000   47 49 46 38  39 61 01 00  01 00 80 00  GIF89a......
...
> 000001A4   41 41 41 41  41 41 41 41  41 41 00 3B  AAAAAAAAAA.;
>
>
> Now, when I double click on my new image file (evil.gif) it opens in IE,
> and crashes it reliably.  In addition, my html file (derived from a
> previous post) which references this new .gif, also reliably crashes IE.
>
> It appears this is an overflow.  I haven't done any debugging yet, so I
> don't know if it is on the stack or not.
>
> tim
>
Oh, just stuffing data in should crash it too, since datablocks have a 'count' as
header.

caraciola
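The point both posters are circling is that every GIF data sub-block is prefixed by a one-byte count, and a decoder that trusts that count without checking it against the bytes actually left in the file is the bug class under discussion. The following checker is an added example written for this thread, not code from either poster: it walks the sub-block chain of a minimal GIF and reports a count that overruns the file, a missing 0x00 terminator, or a missing 0x3B trailer. The sample files are constructed here, modelled on the 1x1 GIF89a header in the quoted hex dump.

```python
"""Validate the length-prefixed data sub-blocks of a GIF image before any
decoder would copy them into a buffer. Constructed sample files are below."""
import struct

GIF_TRAILER = 0x3B
IMAGE_SEPARATOR = 0x2C


def color_table_size(packed):
    # Bit 7 = table present; low 3 bits n give 2**(n+1) RGB entries.
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def check_sub_blocks(data, offset):
    """Walk sub-blocks starting at the first count byte.
    Returns (ok, offset of terminator end or of the offending count, message)."""
    blocks = 0
    while True:
        if offset >= len(data):
            return False, offset, "ran off end of file before 0x00 terminator"
        count = data[offset]
        offset += 1
        if count == 0:
            return True, offset, "%d sub-block(s), terminated cleanly" % blocks
        if offset + count > len(data):  # the check a trusting decoder omits
            return False, offset - 1, ("sub-block declares %d bytes but only %d remain"
                                      % (count, len(data) - offset))
        offset += count
        blocks += 1


def check_gif(data):
    """Locate the first image's sub-blocks and validate them. Returns (ok, message)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "not a GIF header"
    offset = 13 + color_table_size(data[10])          # header + screen descriptor + GCT
    if offset >= len(data) or data[offset] != IMAGE_SEPARATOR:
        return False, "expected image descriptor (0x2C) at offset %d" % offset
    local_packed = data[offset + 9] if offset + 9 < len(data) else 0
    offset += 10 + color_table_size(local_packed) + 1  # descriptor, LCT, LZW min code size
    ok, end, msg = check_sub_blocks(data, offset)
    if ok and (end >= len(data) or data[end] != GIF_TRAILER):
        return False, msg + ", but no GIF trailer (0x3B) follows"
    return ok, msg


# Constructed samples: 1x1 GIF89a with a 2-entry global color table, as in the dump.
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes([0, 0, 0, 255, 255, 255])
IMAGE = bytes([IMAGE_SEPARATOR]) + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + bytes([0x02])
GOOD_GIF = HEADER + IMAGE + bytes([0x02, 0x4C, 0x01, 0x00, GIF_TRAILER])
BAD_GIF = HEADER + IMAGE + bytes([0xFF]) + b"A" * 10 + bytes([0x00, GIF_TRAILER])
```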

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html