
From: Leon Zhao
Subject: [bug-libextractor] NULL Pointer Dereference vulnerability in libextractor with invalid check of DGifGetExtension
Date: Wed, 1 Nov 2017 14:25:43 +0800

Tested Version:
libextractor v1.6

Tested System:
Linux leon-virtual-machine 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Details:
In the function EXTRACTOR_gif_extract_method in gif_extractor.c:
 112   while (1)
 113     {
 114       if (GIF_OK !=
 115           DGifGetRecordType (gif_file,
 116                              &gif_type))
 117         break;
 118       if (UNDEFINED_RECORD_TYPE == gif_type)
 119         break;
 120       if (EXTENSION_RECORD_TYPE != gif_type)
 121         continue;
 122       if (GIF_OK !=
 123           DGifGetExtension (gif_file, &et, &ext))
 124         continue;
 125       if (COMMENT_EXT_FUNC_CODE == et)
 126         {
 127           ec->proc (ec->cls,
 128                     "gif",
 129                     EXTRACTOR_METATYPE_COMMENT,
 130                     EXTRACTOR_METAFORMAT_C_STRING,
 131                     "text/plain",
 132                     (char*) &ext[1],
 133                     (uint8_t) ext[0]);
 134           break;
 135         }
 136       while ( (GIF_ERROR !=
 137                DGifGetExtensionNext(gif_file, &ext)) &&
 138               (NULL != ext) ) ; /* keep going */
 139     }
DGifGetExtension returns GIF_OK and et = COMMENT_EXT_FUNC_CODE, but ext is NULL.
The GIFLIB documentation of DGifGetExtension at http://giflib.sourceforge.net/gif_lib.html says to use DGifGetExtension and DGifGetExtensionNext until *GifExtension is NULL.
 
Crash Information:
The output with AddressSanitizer enabled:
./extract -i extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash 
Keywords for file extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash:
mimetype - image/gif
image dimensions - 3x65515
ASAN:SIGSEGV
=================================================================
==48940==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa06398d3b2 bp 0x7ffe2a064e20 sp 0x7ffe2a064bf0 T0)
    #0 0x7fa06398d3b1 in EXTRACTOR_gif_extract_method /root/libextractor-1.6/src/plugins/gif_extractor.c:133
    #1 0x7fa069c079a1 in do_extract /root/libextractor-1.6/src/main/extractor.c:583
    #2 0x7fa069c07db5 in EXTRACTOR_extract /root/libextractor-1.6/src/main/extractor.c:662
    #3 0x4044f9 in main /root/libextractor-1.6/src/main/extract.c:983
    #4 0x7fa06984182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libextractor-1.6/src/plugins/gif_extractor.c:133 EXTRACTOR_gif_extract_method
==48940==ABORTING

gdb and backtrace:
(gdb) b gif_extractor.c:122
No source file named gif_extractor.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (gif_extractor.c:122) pending.
(gdb) run -i extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash 
Starting program: /opt/asan/bin/extract -i extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash:
mimetype - image/gif
image dimensions - 3x65515

Breakpoint 1, EXTRACTOR_gif_extract_method (ec=0x7fffffffa050) at gif_extractor.c:122
122           if (GIF_OK !=
(gdb) c
Continuing.

Breakpoint 1, EXTRACTOR_gif_extract_method (ec=0x7fffffffa050) at gif_extractor.c:122
122           if (GIF_OK !=
(gdb) n
125           if (COMMENT_EXT_FUNC_CODE == et)
(gdb) n
127               ec->proc (ec->cls,
(gdb) p ext
$1 = (GifByteType *) 0x0

CREDIT
Zhao Liang, Huawei Weiran Labs

Attachment is the PoC file.

Attachment: extract.EXTRACTOR_gif_extract_method.gif_extractor.133.crash
Description: Binary data
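As an added example (not libextractor's or giflib's code), the following self-contained C mirrors the giflib sub-block contract the report relies on and shows the comment-extraction step with the ext == NULL check that the quoted loop lacks; the giflib function names appear only in comments, and the byte sequences are constructed.

```c
/* Added example (not libextractor's or giflib's code): a minimal in-memory reader
 * of GIF extension sub-blocks mirroring the DGifGetExtension/DGifGetExtensionNext
 * contract, and a comment extractor with the NULL check the quoted loop lacks. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define COMMENT_EXT_FUNC_CODE 0xfe

/* Cursor over an extension record (bytes after the 0x21 introducer): one
 * function-code byte, then length-prefixed sub-blocks, then a 0x00 terminator. */
typedef struct { const uint8_t *p; size_t len; } gif_cursor;

/* Like DGifGetExtensionNext: success sets *ext to the length-prefixed sub-block,
 * or to NULL when the length byte is 0. Returns 0 on truncated input. */
static int get_ext_next(gif_cursor *c, const uint8_t **ext)
{
    if (c->len < 1) return 0;
    uint8_t n = c->p[0];
    if (c->len < (size_t)n + 1) return 0;      /* sub-block runs past the data */
    *ext = (n == 0) ? NULL : c->p;             /* giflib hands back NULL here too */
    c->p += n + 1; c->len -= n + 1;
    return 1;
}

/* Like DGifGetExtension: reads the function code, then the first sub-block. */
static int get_ext(gif_cursor *c, int *code, const uint8_t **ext)
{
    if (c->len < 1) return 0;
    *code = c->p[0]; c->p++; c->len--;
    return get_ext_next(c, ext);
}

/* Hardened counterpart of the quoted loop body: copies the first comment sub-block
 * into out as a C string. Returns its length, 0 if the record is not a comment or
 * its first sub-block is empty (the ext == NULL case), or -1 on truncated input. */
int extract_gif_comment(const uint8_t *rec, size_t len, char *out, size_t outsz)
{
    gif_cursor c = { rec, len }; int code; const uint8_t *ext;
    if (outsz == 0 || !get_ext(&c, &code, &ext)) return -1;
    if (code != COMMENT_EXT_FUNC_CODE || ext == NULL) return 0;  /* the missing check */
    size_t n = ext[0];
    if (n + 1 > outsz) n = outsz - 1;          /* never overrun the caller's buffer */
    memcpy(out, &ext[1], n); out[n] = '\0';
    return (int)n;
}

/* Constructed inputs: a well-formed comment "hi", and a comment extension whose
 * first sub-block has length 0, which the vulnerable code dereferenced as NULL. */
static const uint8_t GOOD_COMMENT[]  = { 0xfe, 0x02, 'h', 'i', 0x00 };
static const uint8_t EMPTY_COMMENT[] = { 0xfe, 0x00 };
```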

