Stack Buffer Overflow in gif_read_lzw
Voiddy-Dev opened this issue · 1 comment
Voiddy-Dev commented
Due to an infinite loop in the gif_read_lzw function, the sp variable, which points into heap memory, can be arbitrarily modified.
The crash happens in this loop:
```c
/* sp, table, code and clear_code are locals of gif_read_lzw */
while (code >= clear_code)
{
  *sp++ = table[1][code];
  if (code == table[0][code])
    return (255);
  code = table[0][code];
}
```
As sp is consistently incremented, it reaches outside heap memory, which causes the crash:
(screenshot of the crash not included)
sp towards the start of execution:
(screenshot not included)
You can download the attached file and try the following PoC:
```shell
htmldoc --webpage -f out.pdf ./crash.html
```
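The loop quoted above pushes one byte per step onto the stack at sp and only stops when it reaches a literal code or a code that is its own prefix; a table whose prefix chain loops through two or more codes never stops, so sp walks off the end of the buffer. The following is an added example, not htmldoc's code and not the fix the maintainer applied: a bounded version of the same prefix-chain walk that refuses a chain longer than the number of possible LZW codes, a chain that would overrun the output stack, or an out-of-range code. The names prefix/suffix stand in for table[0]/table[1], and the small tables and clear_code value are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* GIF LZW codes are at most 12 bits, so a table never holds more than
 * 4096 entries and a valid prefix chain can never be longer than that. */
#define LZW_MAX_CODES 4096

/* Decode the byte string for `code` by walking the prefix chain.
 * prefix[c] / suffix[c] play the role of table[0][c] / table[1][c]
 * in the gif_read_lzw loop. Bytes are pushed onto `stack` last byte
 * first, so the caller reads stack[len-1] down to stack[0].
 * Returns the string length, or -1 for a code outside the table,
 * a self-referencing or cyclic prefix chain, or a string that would
 * not fit in stack_size bytes. */
int lzw_decode_code(const uint16_t *prefix, const uint8_t *suffix,
                    int ncodes, int clear_code, int code,
                    uint8_t *stack, size_t stack_size)
{
    size_t n = 0;
    int steps = 0;

    while (code >= clear_code) {
        /* Every bound is checked before the write, so a corrupt table
         * produces an error instead of an out-of-bounds store. */
        if (code >= ncodes || n >= stack_size || steps++ >= LZW_MAX_CODES)
            return -1;
        stack[n++] = suffix[code];
        if (code == prefix[code])
            return -1;              /* code is its own prefix: corrupt table */
        code = prefix[code];
    }
    /* Codes below clear_code are literal pixel values: the first byte. */
    if (code < 0 || n >= stack_size)
        return -1;
    stack[n++] = (uint8_t)code;
    return (int)n;
}

/* Constructed 2-bit-colour table (literal codes 0..3, clear_code = 4):
 * code 6 = "1 2", code 7 = "1 2 3". Decoding 7 must yield 3 bytes. */
int lzw_demo_valid(uint8_t *stack, size_t stack_size)
{
    const uint16_t prefix[8] = {0, 0, 0, 0, 0, 0, 1, 6};
    const uint8_t  suffix[8] = {0, 0, 0, 0, 0, 0, 2, 3};
    return lzw_decode_code(prefix, suffix, 8, 4, 7, stack, stack_size);
}

/* Constructed malicious table: codes 6 and 7 are each other's prefix,
 * the two-element cycle that the unbounded loop never escapes. */
int lzw_demo_cycle(uint8_t *stack, size_t stack_size)
{
    const uint16_t prefix[8] = {0, 0, 0, 0, 0, 0, 7, 6};
    const uint8_t  suffix[8] = {0, 0, 0, 0, 0, 0, 2, 3};
    return lzw_decode_code(prefix, suffix, 8, 4, 6, stack, stack_size);
}

/* Constructed table where code 6 is its own prefix. */
int lzw_demo_selfloop(uint8_t *stack, size_t stack_size)
{
    const uint16_t prefix[8] = {0, 0, 0, 0, 0, 0, 6, 0};
    const uint8_t  suffix[8] = {0, 0, 0, 0, 0, 0, 2, 0};
    return lzw_decode_code(prefix, suffix, 8, 4, 6, stack, stack_size);
}

int main(void)
{
    uint8_t stack[16];
    int n = lzw_demo_valid(stack, sizeof stack);
    printf("valid table: length %d, bytes", n);
    for (int i = n - 1; i >= 0; i--)
        printf(" %u", stack[i]);
    printf("\ncyclic table: %d\n", lzw_demo_cycle(stack, sizeof stack));
    printf("self-loop table: %d\n", lzw_demo_selfloop(stack, sizeof stack));
    return 0;
}
```

With the cyclic table the walk stops as soon as the 16-byte stack is full and reports an error; in the original loop the same table keeps writing through sp until the process faults.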
michaelrsweet commented