Bugzilla – Bug 138007
VUL-0: looks like gd has more integer overflows
Last modified: 2006-02-01 12:10:44 UTC
Hello Vladimir, these emails were sent to vendor-sec.

From: Alexey Dobriyan <adobriyan@gmail.com>
To: vendor-sec@lst.de
User-Agent: Mutt/1.5.11
Subject: [vendor-sec] libgd-2.0.32: integer overflows
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 9 Dec 2005 21:13:09 +0300

Thierry Carrez asked me to contact vendor-sec saying "they might be interested".

There is a bug sitting in Gentoo bugzilla titled:

    media-libs/gd: gd-2.0.32 integer overflows in gdImageCreate(), gdImageCreateTrueColor()

Relevant bits are:
-----------------------------------------------------------------------
gd.c:

 70 BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
 71 {
 72   int i;
 73   gdImagePtr im;
 74   im = (gdImage *) gdMalloc (sizeof (gdImage));
 75   memset (im, 0, sizeof (gdImage));
 76   /* Row-major ever since gd 1.3 */
 77   im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy);

gdImageCreate() is called from gdImageCreateFromXbm() with "sy" directly from the .xbm file.

111 BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
112 {
113   int i;
114   gdImagePtr im;
115   im = (gdImage *) gdMalloc (sizeof (gdImage));
116   memset (im, 0, sizeof (gdImage));
117   im->tpixels = (int **) gdMalloc (sizeof (int *) * sy);
-----------------------------------------------------------------------

Steps to reproduce:

1.c:
-----------------------------------------
#include <stdio.h>
#include <gd.h>

int main(void)
{
        FILE *f;

        f = fopen("1.xbm", "rb");
        if (!f)
                return 1;
        /* sy is taken straight from the second #define in the file */
        gdImageCreateFromXbm(f);
        fclose(f);
        return 0;
}
-----------------------------------------

gcc -o 1 1.c -lgd

1.xbm: (3 lines)
-----------------------------------------
#define a 1
#define b 1073741824
-----------------------------------------

./1

--- gd-2.0.32-000/gd.c
+++ gd-2.0.32-001/gd.c
@@ -74,6 +74,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (i im = (gdImage *) gdMalloc (sizeof (gdImage)); memset (im, 0, sizeof (gdImage)); /* Row-major ever since gd 1.3 */ + if (overflow2(sizeof (unsigned char *), sy)) { + gdFree(im); + return NULL; + } im->pixels = (unsigned char **) gdMalloc (sizeof (unsigned char *) * sy); im->polyInts = 0; im->polyAllocated = 0; @@ -114,6 +118,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru gdImagePtr im; im = (gdImage *) gdMalloc (sizeof (gdImage)); memset (im, 0, sizeof (gdImage)); + if (overflow2(sizeof (int *), sy)) { + gdFree(im); + return NULL; + } im->tpixels = (int **) gdMalloc (sizeof (int *) * sy); im->polyInts = 0; im->polyAllocated = 0; @@ -2462,6 +2470,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro } bytes = (w * h / 8) + 1; im = gdImageCreate (w, h); + if (!im) + return NULL; gdImageColorAllocate (im, 255, 255, 255); gdImageColorAllocate (im, 0, 0, 0); x = 0; --- gd-2.0.32-000/gd_gd.c +++ gd-2.0.32-001/gd_gd.c 
@@ -149,6 +149,8 @@ _gdCreateFromFile (gdIOCtx * in, int *sx { im = gdImageCreate (*sx, *sy); } + if (!im) + goto fail1; if (!_gdGetColors (in, im, gd2xFlag)) { goto fail2;
-----------------------------------------------------------------------

Thomas Boutell in private email said: "Already patched for the next release". I assume in 2.0.34.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

--------------------

I did some digging into this issue. This is CVE-2004-0941. It was discovered around the same time as CVE-2004-0990, but the fix doesn't seem to have made it upstream (the fix for CVE-2004-0990 does seem to have made it upstream). Thanks for noticing this.

-- JB

-------------------------------

OK so there is probably no need to keep this private, we'll fix it ASAP.

-- Thierry Carrez (Koon)
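Review bot: in the gdImageCreate hunk (and identically in the gdImageCreateTrueColor hunk) the new guard covers only `sizeof (unsigned char *) * sy`; sx is passed through unchecked, and nothing visible in these hunks rejects sx <= 0 or sy <= 0 before the allocations that follow. Suggest widening the test to `if (sx <= 0 || sy <= 0 || overflow2(sizeof (unsigned char *), sy))` and adding a matching overflow2 check on the product of sx and sy, since both dimensions size later allocations.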
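Review bot: in the gdImageCreateFromXbm hunk the unchanged `bytes = (w * h / 8) + 1;` still multiplies w * h in int before `im = gdImageCreate (w, h);` runs, so the new `if (!im) return NULL;` only fires after bytes has been computed from a possibly wrapped product. Check `overflow2(w, h)` before that line, or move the bytes computation below the NULL check so a rejected image never produces a byte count.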
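Review bot: `goto fail1` in the _gdCreateFromFile hunk jumps to a label whose cleanup is outside the hunk; confirm that fail1 neither frees nor dereferences im, which is NULL at that point. More generally, gdImageCreate and gdImageCreateTrueColor now return NULL on overflow, but this patch adds the NULL test to only two callers (_gdCreateFromFile and gdImageCreateFromXbm); every other caller of those constructors in the library needs the same check or it will dereference NULL where it previously got an undersized buffer.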
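The guard pattern the patch introduces, as an added example that is neither gd's code nor from the report: a stand-alone C program with a hypothetical img_create that checks every product feeding an allocation the way the patch's overflow2 call does and returns NULL on failure, plus a simulation of the ILP32 wrap that turns `sizeof (unsigned char *) * 1073741824` into a zero-byte row table. The img_t struct, the overflow2 semantics (int-bounded, negative operands rejected), parse_xbm_dims (first two #define values read as width and height) and the 4-byte pointer width are assumptions; sample_xbm is constructed from the report's 1.xbm.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the two-line header from the report's 1.xbm. */
static const char *sample_xbm = "#define a 1\n#define b 1073741824\n";

/* Hypothetical stand-in for the image header, not gd's real gdImage. */
typedef struct {
    int sx, sy;
    unsigned char **pixels;   /* sy row pointers, each sx bytes */
} img_t;

/* Guard named after the helper the patch calls. Assumed semantics: 1 if
   a*b does not fit in a non-negative int; gd's own overflow2 may differ. */
int overflow2(int a, int b)
{
    if (a < 0 || b < 0)
        return 1;
    return b != 0 && a > INT_MAX / b;
}

/* The unguarded `sizeof (unsigned char *) * sy` on an ILP32 target (assumed
   4-byte pointers), in uint32_t so the wrap shows on any host: 4 * 2^30 = 0. */
uint32_t ilp32_row_table_bytes(int sy)
{
    return 4u * (uint32_t)sy;
}

/* First two "#define name value" lines = width, height (assumed xbm layout). */
int parse_xbm_dims(const char *text, int *w, int *h)
{
    const char *p = text;
    char name[64];
    long val;
    int found = 0;
    while ((p = strstr(p, "#define ")) != NULL) {
        if (sscanf(p, "#define %63s %ld", name, &val) == 2) {
            if (val < 0 || val > INT_MAX)
                return 0;
            *(found == 0 ? w : h) = (int)val;
            if (++found == 2)
                return 1;
        }
        p += 8;
    }
    return 0;
}

void img_destroy(img_t *im)
{
    int i;
    if (!im)
        return;
    for (i = 0; im->pixels && i < im->sy; i++)
        free(im->pixels[i]);      /* free(NULL) is a no-op */
    free(im->pixels);
    free(im);
}

/* Guarded gdImageCreate counterpart: check every product that sizes an
   allocation; NULL on failure, which callers must test for. */
img_t *img_create(int sx, int sy)
{
    img_t *im;
    int i;
    if (sx <= 0 || sy <= 0 ||
        overflow2((int)sizeof(unsigned char *), sy) ||   /* row table */
        overflow2(sx, sy))                               /* pixel bytes */
        return NULL;
    im = calloc(1, sizeof *im);
    if (!im)
        return NULL;
    im->sx = sx;
    im->sy = sy;
    im->pixels = calloc((size_t)sy, sizeof(unsigned char *));
    for (i = 0; im->pixels && i < sy; i++) {
        im->pixels[i] = calloc((size_t)sx, 1);
        if (!im->pixels[i])
            break;
    }
    if (!im->pixels || i < sy) {      /* some allocation failed */
        img_destroy(im);
        return NULL;
    }
    return im;
}

int main(void)
{
    int w = 0, h = 0;
    img_t *im;

    if (!parse_xbm_dims(sample_xbm, &w, &h))
        return 1;
    im = img_create(w, h);
    printf("%d x %d: ILP32 row table wraps to %u bytes; guarded create %s\n",
           w, h, ilp32_row_table_bytes(h), im ? "allocated" : "returns NULL");
    img_destroy(im);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. On an LP64 host the 8-byte-pointer row table for 2^30 rows would not wrap in size_t, but gd's dimensions are int, so the int-bounded guard rejects the header before any allocation happens; on ILP32 the same input would have produced a zero-byte gdMalloc and the out-of-bounds row writes the report describes.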
Testing this on SL 10.0 PPC.

thomas@grape:~/work/10.0/gd-test> gdb ./1
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "ppc-suse-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /suse/thomas/work/10.0/gd-test/1

Program received signal SIGSEGV, Segmentation fault.
0x0fe91a70 in fgets () from /lib/tls/libc.so.6
(gdb) bt
#0  0x0fe91a70 in fgets () from /lib/tls/libc.so.6
#1  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#2  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#3  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#4  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
#5  0x0ff9a544 in gdImageCreateFromXbm () from /usr/lib/libgd.so.2
Previous frame inner to this frame (corrupt stack?)
(gdb)
Fixed packages are submitted for 9.0-10.0, sles9 and STABLE. It was already fixed on sles8.
Thanks! Maintenance-Tracker-3295
/work/src/done/PATCHINFO/gd.patch.maintained /work/src/done/PATCHINFO/gd.patch.box
still in QA queue...
Thanks. Packages approved.