Ubuntu 8.10
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2007-6697/SDL_image-1.2.6.tar.gz
tar -xvf SDL_image-1.2.6.tar.gz
cd SDL_image-1.2.6
./configure
make
./showimage poc.gif
SDL_image 1.2.6 - Invalid '.GIF' File LWZ Minimum Code Size Remote Buffer Overflow
SDL_image Invalid GIF File LWZ Minimum Code Size Remote Buffer Overflow Vulnerability
The problem takes place when a GIF file has invalid LWZ Minimum Code Size in the Table Based Image Data header. The standard allows the codes to have maximum size of 12 bits, but this is not checked in SDL_image. An attacker could use this for a local or remote buffer overflow attack that may have denial of service or arbitrary code execution effect.
SDL_image file IMG_gif.c, function ReadImage:
...
unsigned char c;
...
if (LWZReadByte(src, TRUE, c) < 0) {
RWSetMsg("error reading image");
return NULL;
}
/*
** If this is an "uninteresting picture" ignore it.
*/
if (ignore) {
while (LWZReadByte(src, FALSE, c) >= 0)
;
return NULL;
}
...
Please note that 'c' value is passed to LZWReadByte without checking if it is OK with the standard.
Then in function LWZReadByte:
LWZReadByte(SDL_RWops *src, int flag, int input_code_size)
...
static int table[2][(1 << MAX_LWZ_BITS)];
...
set_code_size = input_code_size;
...
clear_code = 1 << set_code_size;
...
for (i = 0; i < clear_code; ++i) {
table[0][i] = 0;
table[1][i] = i;
}
...
Details are in https://marc.info/?l=bugtraq&m=120110205511630&w=4