stack-buffer-overflow in main function

Bug #1841627 reported by Kirin
Affects             Status    Importance   Assigned to   Milestone
apng2gif (Ubuntu)   Expired   Undecided    Unassigned

Bug Description

When apng2gif runs with a very long parameter (>256) in argv[2].
For example, on the command line:
$ apng2gif a.png `python -c 'print "a"*0x100'`

apng2gif 1.7

*** buffer overflow detected ***: apng2gif terminated
已放弃 (核心已转储)

There is a stack-buffer-overflow in the main function (in apng2gif).
In fact, this vulnerability affects all versions less than 1.8.
Analysis:
In the source code (https://sourceforge.net/projects/apng2gif/files/1.8/)
you can see there is a bug when the main function calls strcpy:
......
            if (back_b < 0) back_b = 0;
            if (back_b > 255) back_b = 255;
            bcolor = (back_r<<16) + (back_g<<8) + back_b;
          }
        }
      }
    }
    else
      if (szOut[0] == 0)
        strcpy(szOut, szOpt);
  }
......
In fact, in the above example szOpt=&argv[2], and szOut is defined on the stack with size 256,
so when argv[2] is too long it will lead to a stack-buffer-overflow in the main function.
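
The following is an added example written for this page, not code from the apng2gif project: it shows the bounded-copy check that the unchecked strcpy(szOut, szOpt) above lacks, using the 256-byte szOut size the report gives. The function names set_output_name, maybe_set_output_name, report_case and boundary_case are hypothetical; report_case rebuilds the report's 0x100-byte argument to show that the hardened copy rejects it and leaves the buffer untouched, and boundary_case checks that a 255-byte name (the longest that fits with its terminator) is still accepted.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the output-name buffer; the report says szOut is 256 bytes (assumed here). */
#define OUT_NAME_MAX 256

/* Hardened replacement for the unchecked strcpy(szOut, szOpt): copies opt into
 * out only if it fits, terminator included. Returns 0 on success, -1 when opt
 * is too long; out is left untouched on failure. (Hypothetical name.) */
int set_output_name(char *out, size_t cap, const char *opt)
{
    /* Bounded scan: look for the NUL within the first cap bytes only, so an
     * overlong argument is never measured (or copied) past the buffer size. */
    const char *nul = memchr(opt, '\0', cap);
    if (nul == NULL)
        return -1;                      /* no NUL within cap bytes: does not fit */
    size_t len = (size_t)(nul - opt);
    memcpy(out, opt, len + 1);          /* len + 1 <= cap, so the NUL is copied too */
    return 0;
}

/* Mirrors the report's "if (szOut[0] == 0)" guard: only the first output name
 * is accepted; later ones are ignored and 1 is returned. (Hypothetical name.) */
int maybe_set_output_name(char *out, size_t cap, const char *opt)
{
    if (out[0] != '\0')
        return 1;
    return set_output_name(out, cap, opt);
}

/* Rebuilds the report's input (0x100 = 256 'a' bytes in argv[2], which the
 * original strcpy writes past szOut[256]). Returns 1 when the hardened copy
 * rejects it and leaves szOut empty, 0 otherwise. */
int report_case(void)
{
    char szOut[OUT_NAME_MAX] = "";
    char arg[0x100 + 1];                /* constructed sample input */
    memset(arg, 'a', 0x100);
    arg[0x100] = '\0';
    int rc = maybe_set_output_name(szOut, sizeof szOut, arg);
    return (rc == -1 && szOut[0] == '\0') ? 1 : 0;
}

/* A 255-byte name is the longest that fits; returns 1 when it is accepted
 * intact and a second name is then ignored because szOut is already set. */
int boundary_case(void)
{
    char szOut[OUT_NAME_MAX] = "";
    char arg[OUT_NAME_MAX];             /* constructed sample input */
    memset(arg, 'b', OUT_NAME_MAX - 1);
    arg[OUT_NAME_MAX - 1] = '\0';
    if (maybe_set_output_name(szOut, sizeof szOut, arg) != 0)
        return 0;
    if (strlen(szOut) != OUT_NAME_MAX - 1)
        return 0;
    return maybe_set_output_name(szOut, sizeof szOut, "ignored.gif") == 1;
}

int main(int argc, char **argv)
{
    char szOut[OUT_NAME_MAX] = "";
    for (int i = 1; i < argc; i++) {
        if (maybe_set_output_name(szOut, sizeof szOut, argv[i]) < 0) {
            fprintf(stderr, "argument %d too long (max %d bytes)\n", i, OUT_NAME_MAX - 1);
            return 1;
        }
    }
    printf("output name: %s\n", szOut);
    printf("report case handled: %d, boundary case handled: %d\n",
           report_case(), boundary_case());
    return 0;
}
```

The check uses memchr with the buffer capacity as its bound rather than strlen, so even the length measurement never reads beyond cap bytes of the argument; an argument that fails the check is reported and the program exits instead of continuing with a corrupted stack frame.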

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for reporting this issue. Has this been reported upstream? Also would you mind if I make this bug publicly visible so that the upstream developers can see it?

Changed in apng2gif (Ubuntu):
status: New → Incomplete
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Kirin, have you reported this issue upstream? Can we open this bug?

Thanks

Revision history for this message
Kirin (kirin-say) wrote : Re: [Bug 1841627] Re: stack-buffer-overflow in main function

Yes, you can open this bug.

Seth Arnold <email address hidden> wrote on Tue, 10 Sep 2019 at 10:00 AM:

> Hello Kirin, have you reported this issue upstream? Can we open this
> bug?
>
> Thanks

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for apng2gif (Ubuntu) because there has been no activity for 60 days.]

Changed in apng2gif (Ubuntu):
status: Incomplete → Expired