gd.c:

BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
{
  int i;
  gdImagePtr im;
  im = (gdImage *) gdMalloc (sizeof (gdImage));
  memset (im, 0, sizeof (gdImage));
  /* Row-major ever since gd 1.3 */
  im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);

gdImageCreate() is called from gdImageCreateFromXbm() with "sy" taken directly from the .xbm file.

BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
{
  int i;
  gdImagePtr im;
  im = (gdImage *) gdMalloc (sizeof (gdImage));
  memset (im, 0, sizeof (gdImage));
  im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);

-----------------------------------------------------------------------
Steps to reproduce:

1.c:
-----------------------------------------
#include <stdio.h>
#include <gd.h>

int main(void)
{
  FILE *f;
  f = fopen("1.xbm", "rb");
  if (f == NULL)
    return 1;               /* bail out if the input file is missing */
  gdImageCreateFromXbm(f);  /* height from the header reaches gdImageCreate() unchecked */
  fclose(f);
  return 0;
}
-----------------------------------------
gcc -o 1 1.c -lgd

1.xbm: (3 lines)
-----------------------------------------
#define a 1
#define b 1073741824
-----------------------------------------
./1
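An added example, not code from the report, from gd or from the Debian patch, showing why sizeof(ptr) * sy wraps for the height in the repro file and the kind of pre-allocation check that closes the hole. mul_overflows, row_table_bytes_32bit and create_rows_checked are hypothetical names written in the spirit of gd's overflow2().

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical check in the spirit of gd's overflow2(): returns 1 if a * b
 * cannot be represented as a non-negative int, 0 otherwise. */
static int mul_overflows(int a, int b)
{
    if (a < 0 || b < 0)
        return 1;
    if (b == 0)
        return 0;
    return a > INT_MAX / b;
}

/* What a 32-bit size_t computes for sizeof(ptr) * count: the product wraps.
 * For the report's height (2^30) and 4-byte pointers the result is 0 bytes. */
static uint32_t row_table_bytes_32bit(uint32_t ptr_size, int count)
{
    return ptr_size * (uint32_t)count;
}

/* Hypothetical row-table allocator with the checks gdImageCreate() lacked:
 * rejects non-positive dimensions and any product that would wrap before
 * touching the allocator. Returns NULL on bad input or allocation failure. */
static unsigned char **create_rows_checked(int sx, int sy)
{
    int i;
    unsigned char **rows;

    if (sx <= 0 || sy <= 0)
        return NULL;
    if (mul_overflows((int)sizeof(unsigned char *), sy) || mul_overflows(sx, sy))
        return NULL;
    rows = calloc((size_t)sy, sizeof(unsigned char *));
    if (rows == NULL)
        return NULL;
    for (i = 0; i < sy; i++) {
        rows[i] = calloc((size_t)sx, 1);
        if (rows[i] == NULL) {      /* unwind on partial failure */
            while (i-- > 0)
                free(rows[i]);
            free(rows);
            return NULL;
        }
    }
    return rows;
}
```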
There's definitely a heap overflow there, but it looks very difficult (impossible?) to exploit: the allocated chunk is filled up with pointers returned from more calls to malloc, so no direct control over what's written there. Nevertheless, it's a bug, and you could cause a linked application to crash (mod_php?), so this needs to be fixed. Handing it over to vulnerabilities.
Created attachment 74122: Fix integer overflow

Ohhh... something is missing. The patch. ;-) A thorough check of gdImageCreateTrueColor() return values will be done tomorrow, sorry.
patch looks good to me ... if someone else wants to peek at it real quick, I'll hold adding gd-2.0.33 until they do ...
Reporter: you should push this to vendor-sec@lst.de, they might be interested. We can do it if you prefer, the idea being to set a public disclosure date for all security releases, like +7 days.
OK, this is an old one that never made it upstream (CVE-2004-0941). Probably better to check the old complete patches to see that nothing else slipped through?
err, I don't think it's those issues ... we've had overflows in the png routines before, but I don't think anyone has mentioned xbm before. also, if we fix up the core create functions, we might be able to back out some of the sanity checks in the png layers ... but I'd have to review the code again to be sure ...
It's been fixed under that name on Debian: http://ftp.debian.org/debian/pool/main/libg/libgd2/libgd2_2.0.33-1.1.diff.gz Maybe extract the fixorz from their patchset?
Looks like they open-coded overflow2(). Attaching interesting part FYI.
Created attachment 74735: Part of libgd2_2.0.33-1.1.diff.gz from Debian

 gd.c       | 11 ++++++++++-
 gd_gd.c    |  4 ++++
 gd_io_dp.c |  4 +++-
 gd_png.c   |  5 +++++
 gdxpm.c    |  5 +++++
 wbmp.c     | 12 ++++++++----
 6 files changed, 35 insertions(+), 6 deletions(-)
vapier: please check and bump
read my comment #3 :P I've had this done locally, I just asked for feedback a while ago
Apparently nobody wants to doublecheck your patch. Looks good to me but I'm pointer-impaired. So commit it :)
added 2.0.33 to cvs
arches, please test and mark stable - thx
... note to self: don't fight bugs without your morning coffee, sorry.
stable on ppc64
x86 done
alpha'lized

Cheers,
Ferdy
sparc stable.
Stable on amd64.
Stable on ppc.
Ready for GLSA. I tend to say no here because taviso said that it's probably not exploitable.
Half yes, for the crash possibility (mod_php and other webapps).
½ NO from me.
Reverting to no and closing.