Bug#715959: [Mayhem] Bug report on hdf5-tools: gif2h5 crashes with exit status 139

Tue Dec 24 14:21:12 UTC 2013

Hi,

The program crashes with an invalid GIF, which you can find under
./crash/file_DAAAAAAAAA.symb. After looking at the code, the problem seems
to be in the main loop of Gif2Mem in gif2mem.c. The loop keeps going as
long as the block identifier is unknown. After many iterations, the memory
dereference *MemGif segfaults. Since MemGif is incremented at each
iteration, it eventually points to unmapped memory.

One solution is to pass the MemGif buffer size as an argument to Gif2mem,
and to check that reads are within bounds at each loop iteration.

Alex

On Tue, Dec 24, 2013 at 2:26 PM, pini <pini at pustule.org> wrote:

> Hi,
>
> Alexandre Rebert a écrit , Le 10/07/2013 21:07:
>
>> Package: hdf5-tools
>> Version: 1.8.10-patch1-1
>> Severity: normal
>> User: mayhem at forallsecure.com
>> Usertags: mayhem
>>
>> gif2h5 crashes with exit status 139. We confirmed the crash by
>> re-running it in a fresh debian unstable installation.
>>
>> The attachment [1] contains a testcase (under ./crash) crashing the
>> program. It ensures that you can easily reproduce the bug. Additionally,
>> under ./crash_info/, we include more information about the crash such as
>> a core dump, the dmesg generated by the crash, and its output.
>>
>> Regards,
>> The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha,
>> David Brumley, Manuel Egele)
>> Cylab, Carnegie Mellon University
>>
>> [1] http://www.forallsecure.com/bug-reports/
>> 44229785e52406a1153f91ea5e404ea14fe736af/full_report
>>
>
> I fail to find a valid GIF file in your archive. This makes it difficult
> for me to understand the problem. Would you mind providing an actual GIF
> file?
>
> Thanks in advance,
>
> _g.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-grass-devel/attachments/20131224/52417ce3/attachment-0001.html>