DevIL icon indicating copy to clipboard operation
DevIL copied to clipboard

Published 20 hours ago verified publisher icon DentonW

ilLoadGifL / iReadLump out-of-bounds writing

Open Photosounder opened this issue 7 years ago • 0 comments

I've isolated a bug that occurs when loading certain GIFs, demonstrated with this minimalistic code:

#include <stdlib.h>
#include <stdio.h>

#ifdef _MSC_VER
#pragma comment (lib, "DevIL.lib")
#pragma comment (lib, "ILU.lib")
#pragma comment (lib, "ILUT.lib")
#endif

#include <IL/il.h>
#include <IL/ilu.h>

char *load_raw_file(const char *path, size_t *size)
{
	FILE *in_file;
	char *data;
	size_t fsize;
	
	in_file = fopen(path, "rb");

	if (in_file==NULL)
	{
		fprintf(stderr, "File '%s' not found.\n", path);
		return NULL;
	}

	fseek(in_file, 0, SEEK_END);
	fsize = ftell(in_file);
	rewind (in_file);

	data = calloc (fsize+1, sizeof(char));
	fread(data, 1, fsize, in_file);

	fclose(in_file);

	if (size)
		*size = fsize;

	return data;	
}

void load_image_libdevil(const char *in_path)
{
	ILubyte *raw_data;
	size_t size;
	ILboolean err;
	ILuint ImgId;

	raw_data = load_raw_file(in_path, &size);
	if (raw_data==NULL || size==0)
		return ;

	// Initialize DevIL.
	ilInit();
	ilOriginFunc(IL_ORIGIN_UPPER_LEFT);
	ilEnable(IL_ORIGIN_SET);
	ilGenImages(1, &ImgId);		// Generate the main image name to use.
	ilBindImage(ImgId);		// Bind this image name.

	if (!ilLoadL(IL_TYPE_UNKNOWN, raw_data, size))
	{
		fprintf(stderr, "Could not open image from the %d byte buffer in memory\n", size);
		return ;
	}
}

int main()
{
	load_image_libdevil("1477604070775.gif");
	
	printf("Done.\n");

	return 0;
}

This code loads the GIF's data into memory then lets ilLoadL do its work. Typically it works fine except with some GIFs like this one, the call stack is ilLoadL→ilLoadGifL→iLoadGifInternal→GetImages→iGetPalette→iReadLump, and in iReadLump() the problem occurs at the line *((ILubyte*)Buffer + i) = *((ILubyte*)ReadLump + ReadLumpPos + i);, the problem being that *((ILubyte*)Buffer + i) is out of bounds for some reason.

I'm using DevIL 1.8.0, and appverif.exe to catch the problem. Here's a ZIP containing the source, the problem causing GIF, the VS2017 project and the DevIL.dll (and its .pdb file).

DevIL_bug.zip

Photosounder avatar Oct 09 '17 11:10 Photosounder