Fix OOB reads of the TGA decompression buffer
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.

This commit is an amendment to commit fb0e0cc, so we use CVE-2016-6906
as well.
cmb69 committed Dec 13, 2016
1 parent fe9ed49 commit 58b6dde
Showing 5 changed files with 21 additions and 6 deletions.
8 changes: 7 additions & 1 deletion src/gd_tga.c
@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
buffer_caret = 0;

while( bitmap_caret < image_block_size ) {


if (buffer_caret + pixel_block_size > rle_size) {
gdFree( decompression_buffer );
gdFree( conversion_buffer );
return -1;
}

if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
buffer_caret++;
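Review bot: The new guard `buffer_caret + pixel_block_size > rle_size` runs before the packet header byte is consumed, so it does not account for the `buffer_caret++` a few lines later in the RLE branch. If the code after the hunk then reads `pixel_block_size` bytes from the advanced caret (not visible here; read_image_tga continues beyond the hunk), the last byte of that read is not covered by the guard. Consider counting the header byte in the test, `if (buffer_caret + 1 + pixel_block_size > rle_size) {`, or repeating the check after the increment. A raw packet spanning several pixels would presumably need its own check against `encoded_pixels * pixel_block_size`.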
3 changes: 2 additions & 1 deletion tests/tga/Makemodule.am
@@ -15,7 +15,8 @@ EXTRA_DIST += \
tga/bug00247a.tga \
tga/bug00248.tga \
tga/bug00248a.tga \
tga/heap_overflow.tga \
tga/heap_overflow_1.tga \
tga/heap_overflow_2.tga \
tga/tga_read_rgb.png \
tga/tga_read_rgb.tga \
tga/tga_read_rgb_rle.tga
16 changes: 12 additions & 4 deletions tests/tga/heap_overflow.c
@@ -1,27 +1,35 @@
/**
* Test that the crafted TGA file doesn't trigger OOB reads.
* Test that crafted TGA files don't trigger OOB reads.
*/


#include "gd.h"
#include "gdtest.h"


static void check_file(char *basename);
static size_t read_test_file(char **buffer, char *basename);


int main()
{
check_file("heap_overflow_1.tga");
check_file("heap_overflow_2.tga");

return gdNumFailures();
}


static void check_file(char *basename)
{
gdImagePtr im;
char *buffer;
size_t size;

size = read_test_file(&buffer, "heap_overflow.tga");
size = read_test_file(&buffer, basename);
im = gdImageCreateFromTgaPtr(size, (void *) buffer);
gdTestAssert(im == NULL);
free(buffer);

return gdNumFailures();
}


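Review bot: The header comment says the test checks for OOB reads, but `check_file` only asserts `im == NULL`, i.e. that the decoder rejects each file. An out-of-bounds heap read of a few bytes would normally go unnoticed without a memory checker. I would say so in the comment, e.g. `* The OOB reads themselves are only detectable when the suite runs under ASan or Valgrind.`, so a green run of a plain build is not read as proof. The body of `read_test_file` lies outside the hunk, so whether a failed read is handled before `gdImageCreateFromTgaPtr` is called cannot be judged here.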
Binary file added tests/tga/heap_overflow_1.tga
Binary file not shown.
Binary file added tests/tga/heap_overflow_2.tga
Binary file not shown.
