Open Source and information security mailing list archives
Message-ID: <200309032004.20192.caraciola@gmx.net>
From: khkreis at web.de (Karl-Heinz Kreis)
Subject: About Gif's

> Hello,
>
> > 01 01  00 	Length Datablock 1 ( should be 4 Byte ??  'no wonder there's
> > error) ( missing ? databytes and terminator (00) )
> > 3b		; (GIF-Terminator)
>
> ahhh... this looks very interesting.  So the length of the datablock is
> mis-represented?  What does that tell you?
>
> I just altered that GIF file, by making that data block REALLY big:
>
> 00000000   47 49 46 38  39 61 01 00  01 00 80 00  GIF89a......
...
> 000001A4   41 41 41 41  41 41 41 41  41 41 00 3B  AAAAAAAAAA.;
>
>
> Now, when I double click on my new image file (evil.gif) it opens in IE,
> and crashes it reliably.  In addition, my html file (derived from a
> previous post) which references this new .gif, also reliably crashes IE.
>
> It appears this is an overflow.  I haven't done any debugging yet, so I
> don't know if it is on the stack or not.
>
> tim
>
Oh, just stuffing data in should crash it too, since datablocks have a 'count' as
a header.

caraciola
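
The count-byte check this thread is about, as an added example (not code from either poster): a structural walk over a GIF that rejects any data sub-block whose count byte promises more bytes than the file holds, or whose chain lacks the 00 terminator. The function names and the three sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed samples: header, 2-entry colour table, image descriptor, LZW size. */
#define HDR 'G','I','F','8','9','a', 1,0,1,0,0x80,0,0, 0,0,0,0xff,0xff,0xff, \
            0x2c,0,0,0,0,1,0,1,0,0, 0x02
static const uint8_t good_gif[]  = { HDR, 0x02,0x44,0x01, 0x00, 0x3b };
static const uint8_t no_term[]   = { HDR, 0x01,0x44, 0x3b };  /* 00 terminator missing */
static const uint8_t big_count[] = { HDR, 0xff,0x44,0x01, 0x00, 0x3b }; /* count > data */

/* Sub-block chain: count byte, that many data bytes, repeated; a zero count ends it. */
static int skip_sub_blocks(const uint8_t *b, size_t len, size_t *pos) {
    for (;;) {
        if (*pos >= len) return -1;        /* ran out before the terminator */
        size_t n = b[(*pos)++];
        if (n == 0) return 0;
        if (n > len - *pos) return -1;     /* count exceeds the bytes present */
        *pos += n;
    }
}
static int skip_color_table(uint8_t packed, size_t len, size_t *pos) {
    size_t sz = (packed & 0x80) ? (size_t)3 << ((packed & 7) + 1) : 0;
    if (sz > len - *pos) return -1;
    *pos += sz;
    return 0;
}
/* Returns 1 only if every block and sub-block lies inside the buffer. */
int gif_structure_ok(const uint8_t *b, size_t len) {
    size_t pos = 13;                       /* signature + logical screen descriptor */
    if (len < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return 0;
    if (skip_color_table(b[10], len, &pos)) return 0;
    while (pos < len) {
        uint8_t tag = b[pos++];
        if (tag == 0x3b) return 1;         /* trailer reached */
        if (tag == 0x2c) {                 /* image descriptor: 9 bytes */
            if (len - pos < 9) return 0;
            pos += 9;
            if (skip_color_table(b[pos - 1], len, &pos)) return 0;
        } else if (tag != 0x21) return 0;  /* anything else must be an extension */
        if (pos++ >= len) return 0;        /* LZW code size or extension label */
        if (skip_sub_blocks(b, len, &pos)) return 0;
    }
    return 0;                              /* no trailer */
}

int main(void) {   /* exit status 0 when all three samples classify as expected */
    return !(gif_structure_ok(good_gif, sizeof good_gif) &&
             !gif_structure_ok(no_term, sizeof no_term) && !gif_structure_ok(big_count, sizeof big_count));
}
```

This validates framing only; it does not decode the LZW stream inside the sub-blocks.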

