Bug 112937 - media-libs/gd: gd-2.0.32 integer overflows in gdImageCreate(), gdImageCreateTrueColor()

Bug#: 112937
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: adobriyan@gmail.com
Component: Vulnerabilities
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
Summary: media-libs/gd: gd-2.0.32 integer overflows in gdImageCreate(), gdImageCreateTrueColor()
Keywords:
Status Whiteboard: B3 [noglsa]
Opened: 2005-11-18 10:40 0000

gd.c (gdImageCreate, from line 70):
BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
{
  int i;
  gdImagePtr im;
  im = (gdImage *) gdMalloc (sizeof (gdImage));
  memset (im, 0, sizeof (gdImage));
  /* Row-major ever since gd 1.3 */
  /* sizeof (unsigned char *) * sy is passed to gdMalloc with no overflow check */
  im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);

gdImageCreate() is called from gdImageCreateFromXbm() with "sy" taken directly from the .xbm file.

gd.c (gdImageCreateTrueColor, from line 111):
BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
{
  int i;
  gdImagePtr im;
  im = (gdImage *) gdMalloc (sizeof (gdImage));
  memset (im, 0, sizeof (gdImage));
  /* same unchecked multiplication, here with sizeof (int *) */
  im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
-----------------------------------------------------------------------
Steps to reproduce:
1.c:
-----------------------------------------
#include <stdio.h>
#include <gd.h>

int main(void)
{
	FILE *f;
	f = fopen("1.xbm", "rb");
	if (!f)
		return 1;
	/* width/height come straight from the #defines in 1.xbm */
	gdImageCreateFromXbm(f);
	fclose(f);
	return 0;
}
-----------------------------------------
gcc -o 1 1.c -lgd
1.xbm: (3 lines)
-----------------------------------------
#define a 1
#define b 1073741824
-----------------------------------------
./1
There's definitely a heap overflow there, but it looks very difficult
(impossible?) to exploit, the allocated chunk is filled up with pointers
returned from more calls to malloc so no direct control over what's written
there.
Nevertheless, it's a bug, and you could cause a linked application to crash
(mod_php?), so this needs to be fixed. Handing it over to vulnerabilities.
Patch looks good to me ... if someone else wants to peek at it real quick, I'll
hold adding gd-2.0.33 until they do ...
Reporter: you should push this to vendor-sec@lst.de, they might be interested.
We can do it if you prefer, the idea being to set a public disclosure date for
all security releases, like +7 days.
OK, this is an old one that never made it upstream (CVE-2004-0941). Probably
better to check the old complete patches to see nothing else slipped through?
Err, I don't think it's those issues ... we've had overflows in the png routines
before, but I don't think anyone has mentioned xbm before.
Also, if we fix up the core create functions, we might be able to back out some
of the sanity checks in the png layers ... but I'd have to review the code again
to be sure ...
Looks like they open-coded overflow2(). Attaching interesting part FYI.
Created an attachment (id=74735)
Part of libgd2_2.0.33-1.1.diff.gz from Debian
gd.c | 11 ++++++++++-
gd_gd.c | 4 ++++
gd_io_dp.c | 4 +++-
gd_png.c | 5 +++++
gdxpm.c | 5 +++++
wbmp.c | 12 ++++++++----
6 files changed, 35 insertions(+), 6 deletions(-)
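The overflow2()-style check referred to above, applied to the row-table allocation from the reporter's excerpt, as an added example that is not gd's or Debian's own code: wrapped_size32() models the 32-bit size the unchecked sizeof(...) * sy produces for the "#define b" value in 1.xbm, mul_overflows_int() is the divide-first check, and alloc_row_table() is the guarded allocation (all three names are mine, not gd's).

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model the unchecked size computation on a 32-bit size_t: the product is
 * truncated to 32 bits, which is what gdMalloc() would receive there.
 * Unsigned arithmetic, so the wrap is well defined. */
uint32_t wrapped_size32(uint32_t elem_size, int sy)
{
    return elem_size * (uint32_t)sy;
}

/* Overflow2-style check: 1 if a * b does not fit in an int (or either
 * operand is non-positive), else 0. Dividing first never computes the
 * overflowing product itself. */
int mul_overflows_int(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* Guarded version of "gdMalloc(sizeof(pointer) * sy)": reject the dimension
 * instead of handing a wrapped byte count to the allocator. NULL = rejected. */
void **alloc_row_table(int sy)
{
    if (mul_overflows_int((int)sizeof(void *), sy))
        return NULL;
    return calloc((size_t)sy, sizeof(void *));
}

int main(void)
{
    int sy = 1073741824;                 /* "#define b 1073741824" from 1.xbm */
    void **rows;

    printf("32-bit size for %d rows of 4-byte pointers: %" PRIu32 " bytes\n",
           sy, wrapped_size32(4, sy));  /* prints 0: the product wrapped */
    printf("mul_overflows_int(4, %d) = %d\n", sy, mul_overflows_int(4, sy));

    rows = alloc_row_table(sy);
    printf("alloc_row_table(%d) -> %s\n", sy, rows ? "pointer" : "NULL");
    free(rows);
    return 0;
}
```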
vapier: please check and bump
Read my comment #3 :P
I've had this done locally, I just asked for feedback a while ago.
Apparently nobody wants to doublecheck your patch. Looks good to me but I'm
pointer-impaired. So commit it :)
arches, please test and mark stable - thx
... note to self: don't fight bugs without your morning coffee, sorry.
alpha'lized
Cheers,
Ferdy
Ready for GLSA. Tend to say no here because taviso said that it's probably not
exploitable.
Half yes, for the crash possibility (mod_php and other webapps).
Reverting to no and closing.