
Commit 58b6dde

committed
Fix OOB reads of the TGA decompression buffer
It is possible to craft TGA files which will overflow the decompression buffer, but not the image's bitmap. Therefore we also have to check for potential decompression buffer overflows. This issue had been reported by Ibrahim El-Sayed to security@libgd.org; a modified case exposing an off-by-one error of the first patch had been provided by Konrad Beckmann. This commit is an amendment to commit fb0e0cc, so we use CVE-2016-6906 as well.
1 parent fe9ed49 commit 58b6dde

5 files changed

+21
-6
lines changed


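--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 buffer_caret = 0;
 
 while( bitmap_caret < image_block_size ) {
-
+
+if (buffer_caret + pixel_block_size > rle_size) {
+gdFree( decompression_buffer );
+gdFree( conversion_buffer );
+return -1;
+}
+
 if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
 encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
 buffer_caret++;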
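Review bot: The guard added at new lines 299–303 appears to cover one byte fewer than an RLE packet consumes: the packet header is read at `decompression_buffer[buffer_caret]` and skipped by the `buffer_caret++` on line 307, so pixel bytes following it would extend to index `buffer_caret + pixel_block_size` counted from the header position, while the check only guarantees `buffer_caret + pixel_block_size <= rle_size`, leaving index `rle_size` reachable. If `rle_size` is the number of bytes actually present in the decompression buffer, as the name suggests, the stricter form is `if (buffer_caret + 1 + pixel_block_size > rle_size) {`; if the slack is intentional, a comment such as `/* header byte plus one pixel must still be available in the RLE data */` stating the invariant would help the next reader. The copy of the pixel bytes and the rest of `read_image_tga` lie outside this hunk, so this is inferred from the visible caret arithmetic and should be confirmed against the memcpy that follows.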

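--- a/tests/tga/Makemodule.am
+++ b/tests/tga/Makemodule.am
@@ -15,7 +15,8 @@ EXTRA_DIST += \
 tga/bug00247a.tga \
 tga/bug00248.tga \
 tga/bug00248a.tga \
-tga/heap_overflow.tga \
+tga/heap_overflow_1.tga \
+tga/heap_overflow_2.tga \
 tga/tga_read_rgb.png \
 tga/tga_read_rgb.tga \
 tga/tga_read_rgb_rle.tga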

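--- a/tests/tga/heap_overflow.c
+++ b/tests/tga/heap_overflow.c
@@ -1,27 +1,35 @@
 /**
-* Test that the crafted TGA file doesn't trigger OOB reads.
+* Test that crafted TGA files don't trigger OOB reads.
 */
 
 
 #include "gd.h"
 #include "gdtest.h"
 
 
+static void check_file(char *basename);
 static size_t read_test_file(char **buffer, char *basename);
 
 
 int main()
+{
+check_file("heap_overflow_1.tga");
+check_file("heap_overflow_2.tga");
+
+return gdNumFailures();
+}
+
+
+static void check_file(char *basename)
 {
 gdImagePtr im;
 char *buffer;
 size_t size;
 
-size = read_test_file(&buffer, "heap_overflow.tga");
+size = read_test_file(&buffer, basename);
 im = gdImageCreateFromTgaPtr(size, (void *) buffer);
 gdTestAssert(im == NULL);
 free(buffer);
-
-return gdNumFailures();
 }
 
 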
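Review bot: `check_file` leaks the decoded image on the failure path: if `gdImageCreateFromTgaPtr` does return a non-NULL `im` for one of the crafted files, `gdTestAssert(im == NULL)` records the failure but nothing releases the image, which under a leak checker produces a second, misleading report on top of the real one. Adding `if (im != NULL) gdImageDestroy(im);` after the assert keeps the test's output to the bounds-check regression alone. Since the function is new in this commit, `static void check_file(const char *basename)` (and `int main(void)`) would also document that the name is only read, not modified. The definition of `read_test_file` is outside this hunk.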

Diff for: tests/tga/heap_overflow_1.tga

605 Bytes
Binary file not shown.

Diff for: tests/tga/heap_overflow_2.tga

8.54 KB
Binary file not shown.
