Re: About Gif's

[Karl-Heinz Kreis <khkreis () web de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Hello,
>
> > 01 01  00   Length Datablock 1 ( should be 4 Byte ??  'no wonder there's
> > error) ( missing ? databytes and terminator (00) )
> > 3b          ; (GIF-Terminator)
>
> ahhh... this looks very interesting.  So the length of the datablock is
> mis-represented?  What does that tell you?
>
> I just altered that GIF file, by making that data block REALLY big:
>
> 00000000   47 49 46 38  39 61 01 00  01 00 80 00  GIF89a......
...
> 000001A4   41 41 41 41  41 41 41 41  41 41 00 3B  AAAAAAAAAA.;
>
>
> Now, when I double click on my new image file (evil.gif) it opens in IE,
> and crashes it reliably.  In addition, my html file (derived from a
> previous post) which references this new .gif, also reliably crashes IE.
>
> It appears this is an overflow.  I haven't done any debugging yet, so I
> don't know if it is on the stack or not.
>
> tim
Oh, just stuff data in should crash to, since datablocks have a 'count' as
header.

caraciola
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/VjIwRUX8Hg498GwRApp1AJ0TDF4lyXldsAIQ0wZspK3HmwAWRwCgrx4S
VWJm/banWsPkm8Em1tYz6z8=
=63Tt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html