giflib
cpe:2.3:a:giflib_project:giflib:*:*:*:*:*:*:*
- 5.2.2
A buffer overflow vulnerability has been identified in giflib version 5.2.2. This vulnerability allows remote attackers to cause a denial-of-service by exploiting the EGifGCBToExtension function, which overwrites an existing Graphics Control Extension (GCE) block without proper size validation. The issue arises when a crafted GIF is processed, leading to a heap-based out-of-bounds write.
Exploitation of this vulnerability causes a heap-based buffer overflow, leading to memory corruption. While this could potentially be exploited further, such exploitation has not been demonstrated.
The vulnerability can be reproduced by using giftool, a command-line utility that comes with giflib. First, a GIF file must be created with a truncated GCE extension block, ensuring that the extension byte count is less than the required length. This can be done with a Python script that generates a GIF with an invalid GCE length. Once the crafted GIF is ready, it can be processed with giftool using the '-d' option to modify the delay time. This operation triggers the vulnerability by causing giftool to overwrite the GCE block with more data than it can handle, leading to a heap buffer overflow.
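The size validation described above as missing, sketched as an added example (not giflib's or giftool's code): `struct ext_block`, `gce_set_delay` and `gce_normalize` are hypothetical names, and the struct is a local stand-in for a parsed extension block. An in-place update is refused unless the stored GCE block is exactly 4 bytes, and a separate repair path reallocates a short block before any write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GCE_LABEL 0xF9  /* Graphics Control Extension label in GIF89a */
#define GCE_SIZE  4     /* packed fields, delay low, delay high, transparent index */

/* Local stand-in for a parsed extension block; not giflib's own type. */
struct ext_block {
    int function;          /* extension label read from the file */
    int byte_count;        /* size the buffer was allocated with */
    unsigned char *bytes;  /* heap buffer of byte_count bytes */
};

/* Hypothetical helper: set the delay (hundredths of a second) in an existing
 * GCE block. Returns 0 on success, -1 without writing anything otherwise. */
int gce_set_delay(struct ext_block *eb, unsigned delay_cs)
{
    if (!eb || !eb->bytes || eb->function != GCE_LABEL) return -1;
    /* The stored block must hold the full 4-byte payload before it is
     * overwritten in place; a shorter allocation is rejected. */
    if (eb->byte_count != GCE_SIZE || delay_cs > 0xFFFF) return -1;
    eb->bytes[1] = (unsigned char)(delay_cs & 0xFF);
    eb->bytes[2] = (unsigned char)(delay_cs >> 8);
    return 0;
}

/* Hypothetical repair path: resize a GCE block to exactly 4 bytes,
 * zero-filling whatever the file did not supply. */
int gce_normalize(struct ext_block *eb)
{
    if (!eb || eb->function != GCE_LABEL || eb->byte_count < 0) return -1;
    if (eb->byte_count == GCE_SIZE && eb->bytes) return 0;
    unsigned char *fresh = calloc(GCE_SIZE, 1);
    if (!fresh) return -1;
    if (eb->bytes)
        memcpy(fresh, eb->bytes,
               (size_t)(eb->byte_count < GCE_SIZE ? eb->byte_count : GCE_SIZE));
    free(eb->bytes);
    eb->bytes = fresh;
    eb->byte_count = GCE_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample: a GCE block that was stored with only 2 bytes. */
    struct ext_block eb = { GCE_LABEL, 2, calloc(2, 1) };
    printf("in-place update: %d\n", gce_set_delay(&eb, 300));
    printf("after normalize: %d\n", gce_normalize(&eb) || gce_set_delay(&eb, 300));
    free(eb.bytes);
    return 0;
}
```

Rejecting the file is the stricter choice; the repair path is for tools that must keep processing inputs whose GCE block is the wrong size.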