Failure to check file size leads to out-of-bounds memory access

[kittener]

Hello,
I am testing my new fuzz tester recently. I found a crash when testing the gif2tga program. After analysis, the vulnerability appears in the following code snippet

	if(v!=i->gce.transparent_color || !i->gce.transparent_flag) {
#ifndef NGIFLIB_INDEXED_ONLY
		if(p->mode & NGIFLIB_MODE_INDEXED) {
#endif /* NGIFLIB_INDEXED_ONLY */
			*context->frbuff_p.p8 = v;
#ifndef NGIFLIB_INDEXED_ONLY
		} else
			*context->frbuff_p.p32 = v < i->ncolors ?
			   GifIndexToTrueColor(i->palette, v) : 0;
#endif /* NGIFLIB_INDEXED_ONLY */
	}

I think it should be caused by not checking the file structure in the LoadGIF function, resulting in too many memory addresses being allocated.

The condition for the vulnerability to be triggered is

gif2tga poc.gif

The poc file is

by Kaiyu Xie

[kittener]

[miniupnp]

The GIF looks 65535 x 65535

[miniupnp]

So it is trying to write 16GB tga file :(