Sec Bug #68601: buffer read overflow in gd_gif_in.c

| Field | Value | Field | Value |
|---|---|---|---|
| Submitted: | 2014-12-13 07:52 UTC | Modified: | 2015-03-24 09:31 UTC |
| From: | remi@php.net | Assigned: | remi (profile) |
| Status: | Closed | Package: | GD related |
| PHP Version: | 5.4.35 | OS: | irrelevant |
| Private report: | No | CVE-ID: | 2014-9709 |
[2014-12-13 07:52 UTC] remi@php.net
Description:
------------
An ASAN'ified call looks like this:

```text
./giftogd2 asan_stack-oob_53533d_34_adaf0da1764aafb7039440dbe098569b.gif /tmp/null 1 1
=================================================================
==23529==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7ca923b8 at pc 0x53533d bp 0x7fff7ca80750 sp 0x7fff7ca80748
READ of size 1 at 0x7fff7ca923b8 thread T0
#0 0x53533c in GetCode_ /libgd-2.1.0_master/master/src/gd_gif_in.c:471
#1 0x5332d1 in GetCode /libgd-2.1.0_master/master/src/gd_gif_in.c:484
#2 0x53044e in LWZReadByte_ /libgd-2.1.0_master/master/src/gd_gif_in.c:538
#3 0x52e7b5 in LWZReadByte /libgd-2.1.0_master/master/src/gd_gif_in.c:627
#4 0x52d5cf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:677
#5 0x52a760 in gdImageCreateFromGifCtx /libgd-2.1.0_master/master/src/gd_gif_in.c:311
#6 0x52822e in gdImageCreateFromGif /libgd-2.1.0_master/master/src/gd_gif_in.c:154
#7 0x47d204 in main /libgd-2.1.0_master/master/src/giftogd2.c:32
#8 0x7f5e313afec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#9 0x47cbcc in _start (/libgd-2.1.0_master/master/f_app_src/giftogd2+0x47cbcc)
Address 0x7fff7ca923b8 is located in stack of thread T0 at offset 66744 in frame
#0 0x52c6bf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:638
This frame has 14 object(s):
[32, 40) ''
[96, 104) ''
[160, 164) ''
[224, 228) ''
[288, 296) ''
[352, 356) ''
[416, 424) ''
[480, 481) 'c'
[544, 548) 'xpos'
[608, 612) 'ypos'
[672, 676) 'pass'
[736, 740) 'v'
[800, 804) 'i'
[864, 66744) 'sd' <== Memory access at offset 66744 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow /libgd-2.1.0_master/master/src/gd_gif_in.c:471 GetCode_
Shadow bytes around the buggy address:
0x10006f94a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006f94a470: 00 00 00 00 00 00 00[f4]f3 f3 f3 f3 00 00 00 00
0x10006f94a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006f94a4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==23529==ABORTING
```
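The trace above shows GetCode_ reading one byte past the end of the decoder's stack-resident state (`sd`) while extracting an LZW code. The following is an added illustration, not libgd's code and not the project's fix: a simplified GetCode-style bit reader over a small buffer, with the bounds check that makes a truncated or malformed code stream return an error instead of reading past the last valid bit. The `code_state` struct, `get_code_checked`, `count_codes` and the `demo_*` helpers are hypothetical names, and the two-byte input stream is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified decoder state: a byte buffer refilled from
 * GIF sub-blocks plus bit cursors. Only the bit-extraction step is shown. */
typedef struct {
    unsigned char buf[280];   /* two carry-over bytes + one 255-byte sub-block */
    int curbit;               /* next bit to consume */
    int lastbit;              /* one past the last valid bit in buf */
} code_state;

/* Read one LZW code of code_size bits, LSB-first, from the buffered bytes.
 * Returns -1 when fewer than code_size bits remain; an unchecked reader
 * would index buf past lastbit here on a truncated stream, which is the
 * read-overrun pattern the ASAN report above describes. */
int get_code_checked(code_state *s, int code_size) {
    int ret = 0, i, j;
    if (code_size < 1 || code_size > 12)      /* GIF LZW codes are 1..12 bits */
        return -1;
    /* Bounds check: the last bit of this code must lie before lastbit. */
    if (s->curbit + code_size - 1 >= s->lastbit)
        return -1;
    for (i = s->curbit, j = 0; j < code_size; ++i, ++j)
        ret |= ((s->buf[i / 8] & (1 << (i % 8))) != 0) << j;
    s->curbit += code_size;
    return ret;
}

/* Decode codes from a byte string until the reader refuses; returns the
 * number of codes written to out. */
int count_codes(const unsigned char *bytes, int nbytes, int code_size,
                int *out, int max_out) {
    code_state s;
    int n = 0, c;
    memset(&s, 0, sizeof s);
    if (nbytes > (int)sizeof s.buf)
        nbytes = (int)sizeof s.buf;           /* never copy more than buf holds */
    memcpy(s.buf, bytes, (size_t)nbytes);
    s.curbit = 0;
    s.lastbit = nbytes * 8;
    while (n < max_out && (c = get_code_checked(&s, code_size)) >= 0)
        out[n++] = c;
    return n;
}

/* Constructed two-byte stream 0x04 0x01 (16 valid bits). */
static const unsigned char demo_stream[] = { 0x04, 0x01 };

/* Number of codes of the given size readable from the demo stream. */
int demo_code_count(int code_size) {
    int codes[16];
    return count_codes(demo_stream, 2, code_size, codes, 16);
}

/* The idx-th code of the given size from the demo stream, or -1. */
int demo_code_at(int code_size, int idx) {
    int codes[16];
    int n = count_codes(demo_stream, 2, code_size, codes, 16);
    return (idx >= 0 && idx < n) ? codes[idx] : -1;
}

/* An empty buffer must be refused outright rather than read. */
int demo_empty_refused(void) {
    code_state s;
    memset(&s, 0, sizeof s);
    return get_code_checked(&s, 3) == -1;
}

int main(void) {
    int codes[16], k;
    int n = count_codes(demo_stream, 2, 3, codes, 16);
    printf("%d 3-bit codes read before the bounds check stopped the reader:", n);
    for (k = 0; k < n; ++k)
        printf(" %d", codes[k]);
    printf("\n");
    return 0;
}
```

With 3-bit codes the 16-bit stream yields five codes (15 bits) and the sixth request is refused because bits 15..17 are not all valid; with 12-bit codes one code is returned and the second request is refused. Checking `curbit + code_size - 1` against `lastbit` before the extraction loop is the property to test for: every bit the loop touches must be inside the bytes actually read from the file.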
History
[2014-12-13 07:54 UTC] remi@php.net
-Assigned To: +Assigned To: remi
[2014-12-13 08:07 UTC] remi@php.net
-Status: Assigned +Status: Closed
[2015-03-28 11:30 UTC] ghedo at debian dot org