Bug 138007

Summary: VUL-0: looks like gd has more integer overflows
Product: [openSUSE] SUSE Linux 10.1
Reporter: Thomas Biege <thomas>
Component: Other
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: patchinfos submitted
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-12-12 09:27:54 UTC
Hello Vladimir,
these emails were sent to vendor-sec.

From: Alexey Dobriyan <adobriyan@gmail.com>
To: vendor-sec@lst.de
User-Agent: Mutt/1.5.11
Subject: [vendor-sec] libgd-2.0.32: integer overflows
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 9 Dec 2005 21:13:09 +0300

Thierry Carrez asked me to contact vendor-sec saying "they might be
interested".

There is a bug sitting in Gentoo bugzilla titled:

media-libs/gd: gd-2.0.32 integer overflows in gdImageCreate(),
gdImageCreateTrueColor()

Relevant bits are:
-----------------------------------------------------------------------
gd.c:
    70  BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
    71  {
    72    int i;
    73    gdImagePtr im;
    74    im = (gdImage *) gdMalloc (sizeof (gdImage));
    75    memset (im, 0, sizeof (gdImage));
    76    /* Row-major ever since gd 1.3 */
    77    im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);

gdImageCreate() is called from gdImageCreateFromXbm() with "sy" taken directly
from the .xbm file.

   111  BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
   112  {
   113    int i;
   114    gdImagePtr im;
   115    im = (gdImage *) gdMalloc (sizeof (gdImage));
   116    memset (im, 0, sizeof (gdImage));
   117    im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
-----------------------------------------------------------------------
Steps to reproduce:

1.c:
-----------------------------------------
#include <stdio.h>
#include <gd.h>

int main(void)
{
        FILE *f;

        /* 1.xbm (below) declares a height of 1073741824 rows */
        f = fopen("1.xbm", "rb");
        if (!f) {
                perror("1.xbm");
                return 1;
        }
        /* sy is read from the file and multiplied unchecked in gdImageCreate() */
        gdImageCreateFromXbm(f);
        fclose(f);
        return 0;
}
-----------------------------------------
gcc -o 1 1.c -lgd

1.xbm: (3 lines)
-----------------------------------------
#define a 1
#define b 1073741824

-----------------------------------------
./1




--- gd-2.0.32-000/gd.c
+++ gd-2.0.32-001/gd.c
@@ -74,6 +74,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   memset (im, 0, sizeof (gdImage));
   /* Row-major ever since gd 1.3 */
+  if (overflow2(sizeof (unsigned char *), sy)) {
+    gdFree(im);
+    return NULL;
+  }
   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);
   im->polyInts = 0;
   im->polyAllocated = 0;
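Review bot: the guard only covers the `sizeof (unsigned char *) * sy` product on the `im->pixels` line; `sx` is not validated anywhere in this hunk, and nothing visible shows that overflow2() rejects a zero or negative `sy`, which converts to a huge size_t before the multiply. Suggest an explicit `if (sx <= 0 || sy <= 0)` rejection ahead of the overflow2() call, and confirming overflow2() is declared in a header that gd.c includes, since the patch does not add it.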
@@ -114,6 +118,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
   gdImagePtr im;
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   memset (im, 0, sizeof (gdImage));
+  if (overflow2(sizeof (int *), sy)) {
+    gdFree(im);
+    return NULL;
+  }
   im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
   im->polyInts = 0;
   im->polyAllocated = 0;
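Review bot: returning NULL from gdImageCreateTrueColor() (and from gdImageCreate() in the previous hunk) is a new failure mode, but this patch only updates gdImageCreateFromXbm() and _gdCreateFromFile() to check for it; any other caller of these two constructors in the library will now dereference a NULL image on a rejected size instead of the old heap corruption. Suggest auditing every gdImageCreate*() call site before shipping, or documenting the NULL return in gd.h.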
@@ -2462,6 +2470,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
     }
   bytes = (w * h / 8) + 1;
   im = gdImageCreate (w, h);
+  if (!im)
+    return NULL;
   gdImageColorAllocate (im, 255, 255, 255);
   gdImageColorAllocate (im, 0, 0, 0);
   x = 0;
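Review bot: `bytes = (w * h / 8) + 1;` is computed before the new `if (!im)` check and is itself an unchecked int multiplication of two file-controlled values, so the overflow2() guard inside gdImageCreate() does nothing for it. Suggest validating `w` and `h` (for example with overflow2(w, h)) before `bytes` is computed, not only after the image is created.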
--- gd-2.0.32-000/gd_gd.c
+++ gd-2.0.32-001/gd_gd.c
@@ -149,6 +149,8 @@ _gdCreateFromFile (gdIOCtx * in, int *sx
     {
       im = gdImageCreate (*sx, *sy);
     }
+  if (!im)
+    goto fail1;
   if (!_gdGetColors (in, im, gd2xFlag))
     {
       goto fail2;
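Review bot: the new `goto fail1` path depends on the cleanup that label performs, which is not visible here; confirm that fail1 does not pass the NULL `im` to gdImageDestroy() (the fail2 path after _gdGetColors() presumably owns that). Placing the check after the if/else that assigns `im` is correct, since it covers both the true-colour and the palette branch.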
-----------------------------------------------------------------------
Thomas Boutell in private email said: "Already patched for the next
release". I assume in 2.0.34.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec



--------------------


I did some digging into this issue.  This is CVE-2004-0941.  It was
discovered around the same time as CVE-2004-0990, but the fix doesn't seem
to have made it upstream (the fix for CVE-2004-0990 does seem to have made
it upstream).

Thanks for noticing this.

--
    JB


-------------------------------


OK so there is probably no need to keep this private, we'll fix it ASAP.

--
Thierry Carrez (Koon)
 
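To make the arithmetic behind the report concrete, here is an added example (not code from the bug report or from gd) that models the size computation on the `im->pixels` line for the height 1073741824 declared in 1.xbm. The pointer size and the size_t width are passed in so the 32-bit case from Comment 1 can be reproduced on any host; the guard is a reimplementation of the idea behind the patch's overflow2(), whose exact semantics are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes that the unchecked `sizeof (unsigned char *) * sy` yields when
 * size_t is `size_max` wide: sy is converted to unsigned first, then the
 * product wraps modulo size_max + 1. ptr_size models sizeof(unsigned char *):
 * 4 on the 32-bit PPC build in Comment 1, 8 on a 64-bit build. */
uint64_t unchecked_table_bytes(int sy, uint64_t ptr_size, uint64_t size_max)
{
    uint64_t rows = (uint64_t)(int64_t)sy & size_max;  /* int -> size_t */
    return (ptr_size * rows) & size_max;              /* wrapping multiply */
}

/* Hardened computation: reject non-positive row counts and any product
 * that does not fit in size_t. Same intent as the overflow2() guard in the
 * vendor-sec patch, reimplemented here (assumed overflow2 semantics). */
int checked_table_bytes(int sy, uint64_t ptr_size, uint64_t size_max, uint64_t *out)
{
    if (sy <= 0)
        return 0;                       /* negative sy would become huge */
    if ((uint64_t)sy > size_max / ptr_size)
        return 0;                       /* ptr_size * sy > size_max */
    *out = ptr_size * (uint64_t)sy;
    return 1;
}

int main(void)
{
    const int sy = 1073741824;          /* "#define b 1073741824" from 1.xbm */
    uint64_t n;

    /* 32-bit build: 4 * 2^30 == 2^32 wraps to 0, so a zero-byte row table
     * is requested and the caller then fills it with 2^30 pointers. */
    printf("32-bit unchecked: %llu bytes\n",
           (unsigned long long)unchecked_table_bytes(sy, 4, UINT32_MAX));
    printf("32-bit checked:   %s\n",
           checked_table_bytes(sy, 4, UINT32_MAX, &n) ? "ok" : "rejected");

    /* 64-bit build: 8 * 2^30 fits, so nothing wraps; the request is merely
     * 8 GiB, which ordinarily fails and must also be handled by the caller. */
    printf("64-bit unchecked: %llu bytes\n",
           (unsigned long long)unchecked_table_bytes(sy, 8, UINT64_MAX));
    printf("64-bit checked:   %s\n",
           checked_table_bytes(sy, 8, UINT64_MAX, &n) ? "ok" : "rejected");
    return 0;
}
```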
Comment 1 Thomas Biege 2005-12-12 09:34:20 UTC
Testing this on SL 10.0 PPC.

thomas@grape:~/work/10.0/gd-test> gdb ./1
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "ppc-suse-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /suse/thomas/work/10.0/gd-test/1 

Program received signal SIGSEGV, Segmentation fault.
0x0fe91a70 in fgets () from /lib/tls/libc.so.6
(gdb) bt
#0  0x0fe91a70 in fgets () from /lib/tls/libc.so.6
#1  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#2  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#3  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#4  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#5  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
Previous frame inner to this frame (corrupt stack?)
(gdb) 
Comment 2 Vladimir Nadvornik 2006-01-05 13:00:53 UTC
Fixed packages are submitted for 9.0-10.0, sles9 and STABLE.
It was already fixed on sles8.
Comment 3 Thomas Biege 2006-01-11 14:13:21 UTC
Thanks!

Maintenance-Tracker-3295
Comment 4 Thomas Biege 2006-01-11 14:18:03 UTC
/work/src/done/PATCHINFO/gd.patch.maintained
/work/src/done/PATCHINFO/gd.patch.box
Comment 5 Thomas Biege 2006-01-31 14:17:56 UTC
still in QA queue...
Comment 6 Thomas Biege 2006-02-01 12:10:44 UTC
Thanks. 
Packages approved.