CVE-2018-10717
Description
The DecodeGifImg function in ngiflib.c in MiniUPnP ngiflib 0.4 does not consider the bounds of the pixels data structure, which allows remote attackers to cause a denial of service (WritePixels heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted GIF file, a different vulnerability than CVE-2018-10677.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-buffer overflow in MiniUPnP ngiflib 0.4 allows remote attackers to cause a denial of service or possibly other impact via a crafted GIF file.
Vulnerability
The DecodeGifImg function in ngiflib.c of MiniUPnP ngiflib version 0.4 does not properly validate the bounds of the pixels data structure. Specifically, in the WritePixels function (line 206), a memcpy can write beyond the allocated heap buffer when processing a specially crafted GIF file. The issue occurs because the number of pixels to write (tocopy) can exceed the remaining space (npix) in the pixel buffer. This vulnerability is distinct from CVE-2018-10677 [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious GIF file to an application that uses the affected library. No authentication or special privileges are required; the attacker only needs to induce the victim application to decode the crafted GIF. The proof-of-concept provided in the reference shows a crash triggered by opening a crafted GIF with the SDLaffgif demo application [1].
Impact
Successful exploitation results in a heap-based buffer overflow, which leads to memory corruption and application crash (denial of service). The official description notes the possibility of "unspecified other impact," which could include arbitrary code execution, though no such exploit is demonstrated. The overflow occurs in a context that may allow overwriting adjacent heap data.
Mitigation
The vulnerability is fixed in commit cf429e0a2fe26b5f01ce0c8e9b79432e94509b6e [2]. Users should update to a version of ngiflib that includes this commit. The fix adds checks on npix before calling WritePixel and WritePixels to ensure that only valid pixel counts are written. As of the publication date, no workaround other than upgrading is available.
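The check described above, as an added example that is not ngiflib's source or the text of the fix commit: a simplified model of a pixel writer with the unchecked pattern beside a checked one. Only the names `tocopy` and `npix` come from the description; `struct frame`, `write_pixels_unchecked`, `write_pixels_checked` and `decode_runs` are hypothetical, and rejecting an oversized run (rather than truncating it) is this example's choice.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified decoder output state (hypothetical, not ngiflib's struct). */
struct frame {
    uint8_t *buf;  /* heap buffer, one byte per pixel */
    size_t pos;    /* next write offset into buf */
    size_t npix;   /* pixels that still fit in buf */
};

/* Unchecked pattern, shown for contrast and never called here: tocopy comes
 * from the decoded stream and is trusted. If tocopy > npix, memcpy writes
 * past the allocation and npix wraps around. */
void write_pixels_unchecked(struct frame *f, const uint8_t *src, size_t tocopy) {
    memcpy(f->buf + f->pos, src, tocopy);
    f->pos += tocopy;
    f->npix -= tocopy;
}

/* Checked pattern: refuse any run that does not fit in the remaining space. */
int write_pixels_checked(struct frame *f, const uint8_t *src, size_t tocopy) {
    if (tocopy > f->npix)
        return -1;               /* malformed input: stop decoding */
    memcpy(f->buf + f->pos, src, tocopy);
    f->pos += tocopy;
    f->npix -= tocopy;
    return 0;
}

/* Feed constructed run lengths into a width x height frame.
 * Returns pixels left unwritten (>= 0) or -1 if a run was rejected. */
long decode_runs(size_t width, size_t height, const size_t *runs, size_t nruns) {
    static const uint8_t src[64] = {0};          /* constructed pixel data */
    if (width == 0 || height == 0 || width > SIZE_MAX / height)
        return -1;                               /* size overflow guard */
    struct frame f = { malloc(width * height), 0, width * height };
    if (!f.buf)
        return -1;
    long result = 0;
    for (size_t i = 0; i < nruns && result == 0; i++) {
        if (runs[i] > sizeof src || write_pixels_checked(&f, src, runs[i]) != 0)
            result = -1;
    }
    if (result == 0)
        result = (long)f.npix;
    free(f.buf);
    return result;
}
```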
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 0.1, 0.2, 0.4
- (no CPE) range: = 0.4
Patches
No patches discovered yet.
References
- github.com/miniupnp/ngiflib/commit/cf429e0a2fe26b5f01ce0c8e9b79432e94509b6e (mitre, x_refsource_CONFIRM)
- github.com/miniupnp/ngiflib/issues/3 (mitre, x_refsource_CONFIRM)