Comment 3 for bug 1841627

Kirin (kirin-say) wrote : Re: [Bug 1841627] Re: stack-buffer-overflow in main function

Yes, you can open this bug.

Seth Arnold <email address hidden> wrote on Tue, 10 Sep 2019 at 10:00 AM:

> Hello Kirin, have you reported this issue upstream? Can we open this
> bug?
>
> Thanks
>
> https://bugs.launchpad.net/bugs/1841627
>
> Title:
> stack-buffer-overflow in main function
>
> Status in apng2gif package in Ubuntu:
> Incomplete
>
> Bug description:
> When apng2gif runs with a very long parameter (>256) in argv[2].
> For example, on the command line:
> $ apng2gif a.png `python -c 'print "a"*0x100'`
>
> apng2gif 1.7
>
> *** buffer overflow detected ***: apng2gif terminated
> 已放弃 (核心已转储)
>
> There is a stack-buffer-overflow in the main function (in apng2gif).
> In fact, this vulnerability affects all versions less than 1.8.
> Analysis:
> In the source code: https://sourceforge.net/projects/apng2gif/files/1.8/
> you can see there is a bug when the main function calls strcpy:
> ......
> if (back_b < 0) back_b = 0;
> if (back_b > 255) back_b = 255;
> bcolor = (back_r<<16) + (back_g<<8) + back_b;
> }
> }
> }
> }
> else
> if (szOut[0] == 0)
> strcpy(szOut, szOpt);
> }
> ......
> In fact, in the above example szOpt=&argv[2], and szOut is defined on the
> stack with size 256,
> so when argv[2] is too long, it will lead to a stack-buffer-overflow in the
> main function.
>
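The copy the report quotes, reduced to a stand-alone program that shows the unbounded strcpy beside a length-checked replacement. This is an added illustration written for this comment, not apng2gif's own code; the buffer size of 256, the szOut/szOpt names and the "only set if still empty" rule come from the report, while the helper that builds an option of n 'a' bytes (mirroring the python one-liner) and the main function are assumptions for demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 256  /* size of szOut in apng2gif's main, per the report */

/* The pattern the report describes: an unbounded strcpy of a command-line
 * option into a fixed-size stack buffer. Shown for contrast only. */
void set_output_unchecked(char szOut[OUT_MAX], const char *szOpt)
{
    if (szOut[0] == 0)
        strcpy(szOut, szOpt);   /* overflows when strlen(szOpt) >= OUT_MAX */
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminating NUL, and only then copy. Returns false if rejected. */
bool set_output_checked(char szOut[OUT_MAX], const char *szOpt)
{
    size_t len = strlen(szOpt);
    if (len >= OUT_MAX)
        return false;            /* too long; szOut is left untouched */
    if (szOut[0] == 0)           /* same "first one wins" rule as the original */
        memcpy(szOut, szOpt, len + 1);
    return true;
}

/* Constructed helper: build an option of n 'a' bytes, as the report's
 * python one-liner does, and report whether the checked copy accepts it. */
bool accepts_option_of_length(size_t n)
{
    char opt[1024];
    char szOut[OUT_MAX] = {0};
    if (n >= sizeof opt)
        return false;
    memset(opt, 'a', n);
    opt[n] = '\0';
    return set_output_checked(szOut, opt);
}

int main(int argc, char **argv)
{
    char szOut[OUT_MAX] = {0};
    if (argc < 2 || !set_output_checked(szOut, argv[1])) {
        fprintf(stderr, "usage: prog <output name, at most %d bytes>\n", OUT_MAX - 1);
        return 1;
    }
    printf("output: %s\n", szOut);
    return 0;
}
```

Run with the report's 0x100-byte argument and the checked version prints the usage line and exits instead of overflowing; 255 bytes is the longest name it accepts.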