global out of bounds read when encoding gif from malformed input with gd2togif #209
Comments
@vapier Please add a test case :)
I've added a test case in PR #265, but the test takes "forever".
Oh, it was much faster here. So let's close this issue again. :/ Thanks!
Do you mean that the test ran much faster, or that you were faster to submit another test case? If the former, please leave that ticket open, because I feel that there is something wrong with reading the GD2 image (that should only take some ms on a slow machine). I'll have a look at it ASAP.
The test runs way faster here. But it's not critical to have in 2.2.3.
Maybe a test case based on this https://bugs.php.net/bug.php?id=72519 will be faster?
Indeed, there was something wrong, namely a DOS vulnerability, which has been fixed with c6bb583 (available as of GD 2.2.4). I'm going to add a regression test for the submitted image. Presumably, the fixes in gd_gif_out.c are not strictly necessary, but they're adding a second safety net.
Besides the original fix, which catered to the subsequent output, the potential DOS vulnerability due to a corrupted GD2 image file has been fixed with c6bb583, and here we make sure that this very image is also handled properly.
The attached file causes a global out of bounds read error in the function output (gd_gif_out.c), called by compress/GifEncode. This was found with the help of american fuzzy lop and address sanitizer.
To test, pass the attached file (zip-packed due to GitHub limitations) to gd2togif compiled with AddressSanitizer.
The full address sanitizer error message:
libgd-global-oob-GIFEncode.zip
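The report above locates the out-of-bounds read in the GIF encoder's `output()` bit packer, and the maintainer describes the gd_gif_out.c changes as a "second safety net". The following is an added example, not libgd's code and not the actual fix: a bounds-checked version of the classic GIF LZW bit packer in which every array index (the bit-mask table, the 255-byte sub-block accumulator, the output buffer) is validated before use, so corrupt encoder state fails closed with an error instead of reading past a global table. All names (`BitPacker`, `emit_code`, `gif_pack_codes`) and the sample code sequence are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative, bounds-checked variant of the classic GIF LZW "output()"
 * bit packer. Added example with its own names; not libgd code. */

#define GIF_MAX_CODE_BITS 12   /* GIF caps the LZW code width at 12 bits */
#define GIF_SUBBLOCK_MAX  255  /* largest data sub-block payload */

/* masks[i] keeps the low i bits; any index must stay below NMASKS. */
static const uint32_t masks[] = {
    0x0000, 0x0001, 0x0003, 0x0007, 0x000F, 0x001F, 0x003F, 0x007F,
    0x00FF, 0x01FF, 0x03FF, 0x07FF, 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
};
#define NMASKS (sizeof masks / sizeof masks[0])

typedef struct {
    uint32_t cur_accum;               /* pending bits, least significant first */
    int      cur_bits;                /* valid bits in cur_accum; 0..7 between calls */
    int      n_bits;                  /* current code width, 1..GIF_MAX_CODE_BITS */
    uint8_t  accum[GIF_SUBBLOCK_MAX]; /* bytes of the sub-block being built */
    int      a_count;
    uint8_t *out;                     /* caller-owned output buffer */
    size_t   out_len, out_cap;
    int      error;                   /* sticky: set once any bound is violated */
} BitPacker;

static int put_byte(BitPacker *p, uint8_t c) {
    if (p->out_len >= p->out_cap) { p->error = 1; return 0; }
    p->out[p->out_len++] = c;
    return 1;
}

/* Write the pending sub-block as <length><payload>. */
static int flush_subblock(BitPacker *p) {
    if (p->a_count == 0) return 1;
    if (!put_byte(p, (uint8_t)p->a_count)) return 0;
    for (int i = 0; i < p->a_count; i++)
        if (!put_byte(p, p->accum[i])) return 0;
    p->a_count = 0;
    return 1;
}

static int char_out(BitPacker *p, uint8_t c) {
    /* The flush below keeps a_count < 255, but never trust the counter. */
    if (p->a_count >= GIF_SUBBLOCK_MAX) { p->error = 1; return 0; }
    p->accum[p->a_count++] = c;
    return p->a_count == GIF_SUBBLOCK_MAX ? flush_subblock(p) : 1;
}

/* Append one code of p->n_bits bits. Each index is checked before use, so
 * corrupt state yields an error rather than an out-of-bounds table read. */
static int emit_code(BitPacker *p, uint32_t code) {
    if (p->error) return 0;
    if (p->n_bits < 1 || p->n_bits > GIF_MAX_CODE_BITS) { p->error = 1; return 0; }
    if (code >> p->n_bits) { p->error = 1; return 0; }          /* code wider than n_bits */
    if (p->cur_bits < 0 || (size_t)p->cur_bits >= NMASKS) { p->error = 1; return 0; }
    p->cur_accum &= masks[p->cur_bits];                         /* index proven in range */
    p->cur_accum |= code << p->cur_bits;
    p->cur_bits += p->n_bits;                                   /* at most 7 + 12 = 19 */
    while (p->cur_bits >= 8) {
        if (!char_out(p, (uint8_t)(p->cur_accum & 0xFF))) return 0;
        p->cur_accum >>= 8;
        p->cur_bits -= 8;
    }
    return 1;
}

/* Flush leftover bits, close the sub-block and write the block terminator. */
static int finish(BitPacker *p) {
    if (p->error) return 0;
    if (p->cur_bits > 0 && !char_out(p, (uint8_t)(p->cur_accum & 0xFF))) return 0;
    p->cur_bits = 0;
    return flush_subblock(p) && put_byte(p, 0x00);
}

/* Pack n codes of width n_bits into out; returns bytes written, or -1 on any violation. */
int gif_pack_codes(const uint32_t *codes, size_t n, int n_bits, uint8_t *out, size_t cap) {
    BitPacker p;
    memset(&p, 0, sizeof p);
    p.n_bits = n_bits; p.out = out; p.out_cap = cap;
    for (size_t i = 0; i < n; i++)
        if (!emit_code(&p, codes[i])) return -1;
    return finish(&p) ? (int)p.out_len : -1;
}

int main(void) {
    /* Constructed sample: minimum code size 2, so clear=4, end-of-information=5
     * and codes are 3 bits wide. Not the output of a real LZW compression run. */
    const uint32_t codes[] = { 4, 1, 2, 5 };
    uint8_t buf[16];
    int len = gif_pack_codes(codes, 4, 3, buf, sizeof buf);
    printf("len=%d:", len);
    for (int i = 0; i < len; i++) printf(" %02X", buf[i]);
    printf("\n");
    return len == 4 ? 0 : 1;
}
```

The same sample sequence packed with a code width of 13, with a width too narrow for code 4, or into a 2-byte buffer makes `gif_pack_codes` return -1 instead of touching memory outside the tables, which is the behaviour a fuzzer-plus-ASan harness like the one the reporter used should then never be able to flag.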