Image · C
How to fuzz giflib
GIF's vintage LZW decoder is deceptively tricky to implement without boundary errors.
giflib is the de-facto GIF decoder used by many image toolkits. Its LZW decompressor and extension-block parser are both hand-rolled C written without modern safety practices, and the frame-disposal logic for animated GIFs adds stateful complexity that a fuzzer exercises readily.
Common bug classes
- Heap buffer overflow in LZW string-table expansion
- Out-of-bounds read in colour-table index validation
- Integer overflow in graphic control extension parsing
- Off-by-one in interlaced row assignment
- Null dereference on truncated extension blocks
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <gif_lib.h>

/* In-memory input handed to giflib through the UserData pointer. */
struct fuzz_input {
    const uint8_t *data;
    size_t size;
    size_t pos;
};

/* Read callback: copy up to sz bytes from the buffer, return the count (0 at EOF). */
static int mem_read(GifFileType *gf, GifByteType *buf, int sz) {
    struct fuzz_input *in = (struct fuzz_input *)gf->UserData;
    if (sz <= 0 || in->pos >= in->size) return 0;
    size_t left = in->size - in->pos;
    size_t n = (size_t)sz < left ? (size_t)sz : left;
    memcpy(buf, in->data + in->pos, n);
    in->pos += n;
    return (int)n;
}

#ifdef __cplusplus
extern "C"   /* libFuzzer resolves this entry point as a C symbol */
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct fuzz_input in = { data, size, 0 };
    int err = 0;
    GifFileType *gf = DGifOpen(&in, mem_read, &err);
    if (!gf) return 0;
    DGifSlurp(gf);            /* decodes every frame and extension block */
    DGifCloseFile(gf, &err);  /* releases SavedImages and the handle */
    return 0;
}
```
Save this as fuzz_target.cc, build it against giflib with your compiler and sanitizer flags, and you have a working starting point.
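The harness decodes whatever the fuzzer hands it, so the corpus should start from at least one structurally valid input. The following is an added example, not code from this page or from the giflib project: it builds the smallest well-formed GIF89a (1x1 pixels, a two-entry global colour table, one LZW sub-block) and writes it out as a seed. The names gct_bytes, build_seed_gif and the output file seed.gif are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte length of a colour table whose size field is the low 3 bits of the
 * packed byte: 2^(n+1) entries of 3 bytes each (0x87 -> 256 entries -> 768). */
size_t gct_bytes(uint8_t packed) { return (size_t)3 << ((packed & 7) + 1); }

/* Write a 35-byte 1x1 GIF89a into out; returns bytes written, 0 if cap is too small. */
size_t build_seed_gif(uint8_t *out, size_t cap) {
    /* Logical screen descriptor: width 1, height 1, packed 0x80 = GCT present, size field 0 (2 entries) */
    static const uint8_t lsd[]  = { 1, 0, 1, 0, 0x80, 0, 0 };
    static const uint8_t gct[]  = { 0, 0, 0, 0xFF, 0xFF, 0xFF };        /* black, white */
    static const uint8_t desc[] = { 0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0 };  /* image descriptor, no local table */
    /* LZW data: min code size 2, then one 2-byte sub-block holding clear(4), index 0, EOI(5)
     * packed LSB-first (0x44 0x01), then the 0x00 block terminator. */
    static const uint8_t lzw[]  = { 2, 2, 0x44, 0x01, 0 };
    size_t n = 0, need = 6 + sizeof lsd + sizeof gct + sizeof desc + sizeof lzw + 1;
    if (cap < need) return 0;
    memcpy(out + n, "GIF89a", 6);       n += 6;
    memcpy(out + n, lsd, sizeof lsd);   n += sizeof lsd;
    memcpy(out + n, gct, sizeof gct);   n += sizeof gct;   /* length must equal gct_bytes(lsd[4]) */
    memcpy(out + n, desc, sizeof desc); n += sizeof desc;
    memcpy(out + n, lzw, sizeof lzw);   n += sizeof lzw;
    out[n++] = 0x3B;                                       /* trailer */
    return n;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_seed_gif(buf, sizeof buf);
    FILE *f = fopen("seed.gif", "wb");  /* drop this file into the fuzzer's corpus directory */
    if (!f || fwrite(buf, 1, n, f) != n) return 1;
    return fclose(f) != 0;
}
```

Mutations of this seed that grow the colour-table size field without extending the table, or that emit LZW codes beyond the current string table, reach exactly the bug classes listed above.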
Notable CVEs found by fuzzing
- CVE-2022-28506