CVE-2023-39113
Description
ngiflib commit fb271 was discovered to contain a segmentation violation via the function "main" at gif2tga.c. This vulnerability is triggered when running the program gif2tga.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A segmentation violation in ngiflib's gif2tga tool allows denial of service via a crafted GIF file.
Vulnerability
A segmentation violation (SEGV) exists in ngiflib, specifically in the gif2tga tool, at commit fb2713a548a530c13f14b586a479818cb0182a5e. The crash occurs in the main function at gif2tga.c:169:5 when processing a specially crafted GIF file. The vulnerability is triggered when the program attempts to read from an invalid memory address (0x000000000002), as reported by AddressSanitizer [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious GIF file to the gif2tga utility. No special privileges or authentication are required; the attacker only needs to convince a user to run gif2tga with the crafted input. The tool is typically invoked from the command line, e.g., ./gif2tga -i ./poc3. The crash occurs during the processing of the GIF, leading to an immediate segmentation fault [1].
Impact
Successful exploitation results in a denial of service (DoS) due to the program crash. The vulnerability does not appear to allow arbitrary code execution or information disclosure; the impact is limited to causing the gif2tga process to terminate abnormally. The crash is reproducible and can be used to disrupt services that rely on ngiflib for GIF processing [1].
Mitigation
As of the publication date (2023-08-02), no official fix has been released for this vulnerability. The issue remains open in the ngiflib repository [1]. Users are advised to avoid processing untrusted GIF files with gif2tga until a patch is available. No workaround other than input validation or using alternative libraries is known.
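Until a fix exists, a service that must call gif2tga can at least confine the crash described under Impact to a child process. The following is an added example, not ngiflib code and not a fix for the fault itself; `run_isolated`, `enum outcome` and the 10-second CPU budget are assumptions made for illustration.

```c
/* Added example: run an untrusted-input converter in a child process so a
 * SEGV ends only that child. Names here are hypothetical, not ngiflib API. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { CONV_OK, CONV_FAILED, CONV_CRASHED, CONV_ERROR };

/* Execute argv[0] with argv in a child and classify how it ended. */
enum outcome run_isolated(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return CONV_ERROR;
    if (pid == 0) {
        /* Child: cap CPU time and disable core dumps before exec. */
        struct rlimit cpu = { 10, 10 };   /* seconds; assumed budget */
        struct rlimit core = { 0, 0 };
        setrlimit(RLIMIT_CPU, &cpu);
        setrlimit(RLIMIT_CORE, &core);
        execv(argv[0], argv);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return CONV_ERROR;
    if (WIFSIGNALED(status))              /* e.g. SIGSEGV or SIGXCPU */
        return CONV_CRASHED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return CONV_OK;
    return CONV_FAILED;                   /* nonzero exit status */
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "failed", "crashed", "error" };
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/gif2tga -i file.gif\n", argv[0]);
        return 2;
    }
    enum outcome r = run_isolated(argv + 1);
    printf("converter outcome: %s\n", names[r]);
    return r == CONV_OK ? 0 : 1;
}
```

A build instrumented with AddressSanitizer prints its report and exits with a nonzero status instead of dying on the signal, so a caller should reject the input on both `CONV_CRASHED` and `CONV_FAILED`.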
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ngiflib/ngiflib
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Null or near-null pointer dereference in the main function at gif2tga.c:169 when processing a crafted GIF file."
Attack vector
An attacker provides a specially crafted GIF file (the PoC file "poc3") as input to the `gif2tga` program [1]. The program reads the malicious GIF via `LoadGif()`, and when processing the image data in `main` at `gif2tga.c:169`, it dereferences an invalid memory address (0x000000000002), causing a segmentation violation [1]. The attack requires no special privileges beyond the ability to supply the malicious file to the binary.
Affected code
The vulnerability occurs in the `main` function at `gif2tga.c:169:5` [1]. The crash is a segmentation violation (SEGV) triggered when processing a crafted GIF file through the `gif2tga` program [1].
What the fix does
The advisory does not include a patch or remediation guidance [1]. The issue report only documents the crash and provides reproduction steps; no fix commit or recommended mitigation is described in the available reference [1].
Preconditions
- input: Attacker must supply a crafted GIF file (poc3) to the gif2tga binary
- config: The program must be built from the vulnerable commit (fb2713a548a530c13f14b586a479818cb0182a5e)
Reproduction
Clone the repository at commit fb2713a548a530c13f14b586a479818cb0182a5e, compile with `CC="clang -fsanitize=address -g" CFLAGS+=-DNGIFLIB_NO_FILE make`, then run `./gif2tga -i ./poc3` [1]. The program will crash with a SEGV at `gif2tga.c:169:5` [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References