Non-exploitable (DoS) heap corruption with GIF
| Bug #41630 | Non-exploitable (DoS) heap corruption with GIF | ||||
|---|---|---|---|---|---|
| Submitted: | 2007-06-07 19:37 UTC | Modified: | 2007-06-08 05:31 UTC | ||
| From: | wccoder at gmail dot com | Assigned: | pajoye (profile) | ||
| Status: | Closed | Package: | GD related | ||
| PHP Version: | 5.2.3 | OS: | Linux | ||
| Private report: | No | CVE-ID: | None | ||
[2007-06-07 19:37 UTC] wccoder at gmail dot com
Description:
------------
The corruption actually happens at ext/gd/libgd/gd_gif_in.c:590-594
590 while ((v = LWZReadByte(fd, &sd, FALSE, c, ZeroDataBlockP)) >= 0 ) {
591 /* This how we recognize which colors are actually used. */
592 if (im->open[v]) {
593 im->open[v] = 0;
594 }
Values read from the data stream are not bounds-checked. An attacker can create values of v (type int) which are larger than the array im->open (256 bytes). If the value of im->open[v] happens to be non-zero, it is overwritten with a zero on line 593. This corrupts the heap. The attacker can't control what value is overwritten (always 0), but they could control which bytes are overwritten. libgd should clamp values of v to be between acceptable values [0,255].
Note that values of v are clamped to 4096, since this is the maximum number of bits per codeword that gd will accept, so it isn't an arbitrary overwrite. It is enough to corrupt the heap and cause a DoS though.
Reproduce code:
---------------
I have a sample .gif file. Email me for it.
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2007-06-07 20:15 UTC] pajoye@php.net
[2007-06-08 05:31 UTC] pajoye@php.net