
ilLoadGifL / iReadLump out-of-bounds writing #67

Open
Photosounder opened this issue Oct 9, 2017 · 0 comments

Comments


Photosounder commented Oct 9, 2017

I've isolated a bug that occurs when loading certain GIFs, demonstrated with this minimalistic code:

#include <stdlib.h>
#include <stdio.h>

#ifdef _MSC_VER
#pragma comment (lib, "DevIL.lib")
#pragma comment (lib, "ILU.lib")
#pragma comment (lib, "ILUT.lib")
#endif

#include <IL/il.h>
#include <IL/ilu.h>

// Reads a whole file into a freshly allocated, NUL-terminated buffer.
// Returns NULL on any failure; *size receives the byte count on success.
char *load_raw_file(const char *path, size_t *size)
{
	FILE *in_file;
	char *data;
	long fsize;

	in_file = fopen(path, "rb");

	if (in_file==NULL)
	{
		fprintf(stderr, "File '%s' not found.\n", path);
		return NULL;
	}

	fseek(in_file, 0, SEEK_END);
	fsize = ftell(in_file);
	rewind (in_file);

	if (fsize < 0)		// ftell() failed
	{
		fclose(in_file);
		return NULL;
	}

	data = calloc ((size_t)fsize+1, sizeof(char));
	if (data==NULL)
	{
		fclose(in_file);
		return NULL;
	}

	if (fread(data, 1, (size_t)fsize, in_file) != (size_t)fsize)	// short read
	{
		free(data);
		fclose(in_file);
		return NULL;
	}

	fclose(in_file);

	if (size)
		*size = (size_t)fsize;

	return data;
}

void load_image_libdevil(const char *in_path)
{
	ILubyte *raw_data;
	size_t size;
	ILuint ImgId;

	raw_data = (ILubyte *) load_raw_file(in_path, &size);
	if (raw_data==NULL || size==0)
		return;

	// Initialize DevIL.
	ilInit();
	ilOriginFunc(IL_ORIGIN_UPPER_LEFT);
	ilEnable(IL_ORIGIN_SET);
	ilGenImages(1, &ImgId);		// Generate the main image name to use.
	ilBindImage(ImgId);		// Bind this image name.

	// Let DevIL detect the format and decode it from the in-memory buffer.
	if (!ilLoadL(IL_TYPE_UNKNOWN, raw_data, (ILuint)size))
		fprintf(stderr, "Could not open image from the %zu byte buffer in memory\n", size);

	ilDeleteImages(1, &ImgId);
	free(raw_data);
}

int main(void)
{
	load_image_libdevil("1477604070775.gif");

	printf("Done.\n");

	return 0;
}

This code loads the GIF's data into memory, then lets ilLoadL do its work. Typically it works fine, except with some GIFs like this one. The call stack is ilLoadL→ilLoadGifL→iLoadGifInternal→GetImages→iGetPalette→iReadLump, and in iReadLump() the problem occurs at the line *((ILubyte*)Buffer + i) = *((ILubyte*)ReadLump + ReadLumpPos + i);, the problem being that *((ILubyte*)Buffer + i) is out of bounds for some reason.

I'm using DevIL 1.8.0, and appverif.exe to catch the problem. Here's a ZIP containing the source, the problem-causing GIF, the VS2017 project and the DevIL.dll (and its .pdb file).

DevIL_bug.zip
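The offending line in the report copies one byte at a time from the in-memory lump into Buffer, and the out-of-bounds write shows that the copy reached past the destination. The usual defence for this class of bug is a lump reader that refuses a copy unless both sides have room: the source must still hold the requested bytes, and the caller must state how large its destination is. The example below is added here to show that shape; it is not DevIL's iReadLump, not the reporter's code, and the names Lump, lump_read, read_palette, GIF_MAX_PALETTE_BYTES and the sample bytes are constructed for the illustration. The only format fact it relies on is that a GIF colour table holds at most 256 entries of 3 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded lump reader (illustration only, not DevIL's iReadLump). */
typedef struct {
	const uint8_t *data;	/* start of the in-memory file ("lump") */
	size_t len;		/* bytes available in data */
	size_t pos;		/* current read offset */
} Lump;

/* Copies n bytes from the lump into dst, which can hold dst_cap bytes.
 * Both ends are checked: the source must still hold n bytes and the
 * destination must be able to receive them. Returns n on success and 0
 * on any violation; nothing is written on failure. */
size_t lump_read(Lump *lp, void *dst, size_t dst_cap, size_t n)
{
	if (lp == NULL || dst == NULL)
		return 0;
	if (n > dst_cap)	/* would overrun the destination */
		return 0;
	/* would overread the source; the subtraction avoids pos + n overflowing */
	if (lp->pos > lp->len || n > lp->len - lp->pos)
		return 0;
	memcpy(dst, lp->data + lp->pos, n);
	lp->pos += n;
	return n;
}

/* GIF colour tables are 3 bytes per entry and at most 256 entries. */
#define GIF_MAX_PALETTE_BYTES (3 * 256)

/* Reads an `entries`-entry colour table into a fixed-size palette buffer.
 * Returns bytes read, or 0 if the entry count is invalid or the lump is short. */
size_t read_palette(Lump *lp, uint8_t pal[GIF_MAX_PALETTE_BYTES], size_t entries)
{
	if (entries == 0 || entries > 256)
		return 0;
	return lump_read(lp, pal, GIF_MAX_PALETTE_BYTES, entries * 3);
}

/* Constructed sample lump: three complete RGB entries plus one stray byte (10 bytes). */
static const uint8_t sample_lump[] = {
	0xff, 0x00, 0x00,
	0x00, 0xff, 0x00,
	0x00, 0x00, 0xff,
	0x10
};

/* A header claiming 4 entries (12 bytes) while only 10 are present is rejected. */
size_t demo_truncated_palette(void)
{
	Lump lp = { sample_lump, sizeof sample_lump, 0 };
	uint8_t pal[GIF_MAX_PALETTE_BYTES];
	return read_palette(&lp, pal, 4);	/* 0 */
}

/* Three entries fit in both the lump and the buffer. */
size_t demo_valid_palette(void)
{
	Lump lp = { sample_lump, sizeof sample_lump, 0 };
	uint8_t pal[GIF_MAX_PALETTE_BYTES];
	return read_palette(&lp, pal, 3);	/* 9 */
}

/* A caller asking for more bytes than its own buffer holds is also refused. */
size_t demo_small_destination(void)
{
	Lump lp = { sample_lump, sizeof sample_lump, 0 };
	uint8_t small[4];
	return lump_read(&lp, small, sizeof small, 8);	/* 0 */
}

/* Sequential reads advance pos and stop exactly at the end of the lump. */
size_t demo_sequential(void)
{
	Lump lp = { sample_lump, sizeof sample_lump, 0 };
	uint8_t buf[16];
	size_t total = 0;
	total += lump_read(&lp, buf, sizeof buf, 6);	/* 6 */
	total += lump_read(&lp, buf, sizeof buf, 4);	/* 4, consumes the rest */
	total += lump_read(&lp, buf, sizeof buf, 1);	/* 0, lump exhausted */
	return total;	/* 10 */
}

int main(void)
{
	printf("truncated palette: %zu\n", demo_truncated_palette());
	printf("valid palette:     %zu\n", demo_valid_palette());
	printf("small destination: %zu\n", demo_small_destination());
	printf("sequential total:  %zu\n", demo_sequential());
	return 0;
}
```

The point of passing dst_cap alongside n is that the decoder's own size arithmetic (entry count read from the file, multiplied out) is never trusted on its own: a count that the header makes look plausible is still checked against the buffer the caller actually allocated, and a file that ends early is refused rather than read past.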
