[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [gif2png] long filename Buffer Overrun

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [gif2png] long filename Buffer Overrun
From: Razuel Akaharnath <razuel@xxxxxxxxx>
Date: Sat, 12 Dec 2009 22:59:28 +0200

DESCRIPTION:
"The gif2png program converts files from the obsolescent Graphic Interchange
Format to Portable Network Graphics <http://www.libpng.org/pub/png/>. The
conversion preserves all graphic information, including transparency,
perfectly. The gif2png program can even recover data from corrupted GIFs."

homepage: http://catb.org/~esr/gif2png/ <http://catb.org/%7Eesr/gif2png/>

VULNERABILITY:
gif2png does not perform proper bounds checking on the size of input
filename. The buffer (1025 in size) is easily overrun with a strcpy
function.

AFFECTED VERSION:
latest: 2.5.2

POC:
$> ./gif2png $(perl -e 'print "A" x 1053')


#Razuel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] [gif2png] long filename Buffer Overrun
  - From: Patroklos Argyroudis

Prev by Date: [Full-disclosure] [SECURITY] [DSA-1950-1] New webkit packages fix several vulnerabilities
Next by Date: Re: [Full-disclosure] IE 0day for sale
Previous by thread: [Full-disclosure] [SECURITY] [DSA-1950-1] New webkit packages fix several vulnerabilities
Next by thread: Re: [Full-disclosure] [gif2png] long filename Buffer Overrun
Index(es):
- Date
- Thread