
global out of bounds read when encoding gif from malformed input with gd2togif #209

Closed · hannob opened this issue May 8, 2016 · 7 comments
Labels: bug
Milestone: GD 2.2.4

hannob commented May 8, 2016

The attached file causes a global out of bounds read error in the function output (gd_gif_out.c), called by compress/GifEncode. This was found with the help of american fuzzy lop and address sanitizer.

To test, pass the attached file (zip-packed due to GitHub limitations) to gd2togif compiled with address sanitizer.

The full address sanitizer error message:

==26159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000055e4b0 at pc 0x000000531231 bp 0x7ffc8a6e0610 sp 0x7ffc8a6e0608
READ of size 8 at 0x00000055e4b0 thread T0
    #0 0x531230 in output /f/libgd/libgd/src/gd_gif_out.c:1454:20
    #1 0x52fb4a in compress /f/libgd/libgd/src/gd_gif_out.c:1407:3
    #2 0x52b87a in GIFEncode /f/libgd/libgd/src/gd_gif_out.c:1142:2
    #3 0x52b87a in gdImageGifCtx /f/libgd/libgd/src/gd_gif_out.c:236
    #4 0x52bb13 in gdImageGif /f/libgd/libgd/src/gd_gif_out.c:197:2
    #5 0x4f3cc6 in main /f/libgd/libgd/src/gd2togif.c:40:2
    #6 0x7f2ab391b78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x418fa8 in _start (/mnt/ram/gd/gd2togif+0x418fa8)

0x00000055e4b0 is located 16 bytes to the left of global variable 'masks' defined in 'gd_gif_out.c:1445:22' (0x55e4c0) of size 136
0x00000055e4b0 is located 41 bytes to the right of global variable '<string literal>' defined in 'gd_gif_out.c:1078:29' (0x55e480) of size 7
  '<string literal>' is ascii string 'GIF87a'
SUMMARY: AddressSanitizer: global-buffer-overflow /f/libgd/libgd/src/gd_gif_out.c:1454:20 in output
Shadow bytes around the buggy address:
  0x0000800a3c40: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800a3c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3c80: 07 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
=>0x0000800a3c90: 07 f9 f9 f9 f9 f9[f9]f9 00 00 00 00 00 00 00 00
  0x0000800a3ca0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800a3cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a3cd0: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800a3ce0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26159==ABORTING

libgd-global-oob-GIFEncode.zip
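The report above is a read 16 bytes before the global `masks` table in `output()`, i.e. a table index that went negative while the encoder packed LZW codes. The following is an added example, not libgd's `gd_gif_out.c` and not the fix in 82b80dc: a simplified LSB-first bit packer in the style of the classic GIF encoder, with a bounds check on every index into `masks[]` so that a corrupted bit count is rejected instead of being used as an index. The table size (17 entries, 136 bytes when `unsigned long` is 8 bytes) is assumed from the size ASan reports; the packer and its limits are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical packer, not libgd's code). masks[i] keeps the
 * low i bits of a value; the only valid indices are 0..MAX_BITS. With 8-byte
 * unsigned long this is 136 bytes, the size of 'masks' in the ASan report. */
#define MAX_BITS 16

static const unsigned long masks[MAX_BITS + 1] = {
    0x0000UL, 0x0001UL, 0x0003UL, 0x0007UL, 0x000FUL,
    0x001FUL, 0x003FUL, 0x007FUL, 0x00FFUL,
    0x01FFUL, 0x03FFUL, 0x07FFUL, 0x0FFFUL,
    0x1FFFUL, 0x3FFFUL, 0x7FFFUL, 0xFFFFUL
};

typedef struct {
    unsigned long cur_accum;   /* pending bits, least significant first */
    int cur_bits;              /* number of pending bits in cur_accum */
    unsigned char out[64];     /* packed output; small, for the demo only */
    size_t out_len;
} packer_t;

static void packer_init(packer_t *p) { memset(p, 0, sizeof *p); }

/* The check the report shows was missing: is idx inside masks[]? */
static int mask_index_ok(int idx) { return idx >= 0 && idx <= MAX_BITS; }

/* Append the low n_bits of code to the stream. Returns 0 on success and -1 on
 * any invalid input or corrupted state, instead of indexing masks[] out of
 * range (a negative n_bits or cur_bits is exactly the read-before-table case). */
static int pack_code(packer_t *p, unsigned long code, int n_bits)
{
    if (!mask_index_ok(n_bits) || n_bits == 0) return -1;  /* bad width */
    if (!mask_index_ok(p->cur_bits)) return -1;            /* bad state */
    if ((code & ~masks[n_bits]) != 0) return -1;           /* code too wide */

    p->cur_accum &= masks[p->cur_bits];   /* both indices validated above */
    p->cur_accum |= code << p->cur_bits;
    p->cur_bits += n_bits;

    /* Drain whole bytes; cur_bits stays below 8 afterwards, so the
     * accumulator never holds more than 8 + MAX_BITS bits. */
    while (p->cur_bits >= 8) {
        if (p->out_len >= sizeof p->out) return -1;        /* output full */
        p->out[p->out_len++] = (unsigned char)(p->cur_accum & masks[8]);
        p->cur_accum >>= 8;
        p->cur_bits -= 8;
    }
    return 0;
}

/* Emit any remaining partial byte. Returns 0 on success, -1 if output is full. */
static int pack_flush(packer_t *p)
{
    if (p->cur_bits > 0) {
        if (p->out_len >= sizeof p->out) return -1;
        p->out[p->out_len++] = (unsigned char)(p->cur_accum & masks[8]);
        p->cur_accum = 0;
        p->cur_bits = 0;
    }
    return 0;
}

/* Demo on constructed input: three 3-bit codes (4, 1, 7) packed LSB-first
 * give 9 bits = 0x1CC, i.e. bytes CC 01. Returns the byte count, 0 on error. */
static size_t demo_pack(packer_t *p)
{
    packer_init(p);
    if (pack_code(p, 0x4, 3) || pack_code(p, 0x1, 3) || pack_code(p, 0x7, 3))
        return 0;
    if (pack_flush(p))
        return 0;
    return p->out_len;
}

int main(void)
{
    packer_t p;
    size_t n = demo_pack(&p);
    printf("%zu packed bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", p.out[i]);
    printf("\n");
    /* A width that would index before the table is refused, not dereferenced. */
    printf("pack_code with n_bits=-2 -> %d\n", pack_code(&p, 1, -2));
    return 0;
}
```

The point of the example is the `mask_index_ok` check on both the requested width and the packer's own bit count before either is used as an index: once encoder state can be driven by a malformed input image, validating the derived index at the point of use is the cheap second safety net, independent of whatever checks the image reader performs.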

@vapier vapier added the bug label May 14, 2016
@vapier vapier closed this in 82b80dc May 14, 2016
pierrejoye (Contributor) commented Jul 19, 2016

@vapier Please add a test case :)

@pierrejoye pierrejoye reopened this Jul 19, 2016
cmb69 added a commit to cmb69/libgd that referenced this issue Jul 19, 2016
cmb69 (Contributor) commented Jul 19, 2016

I've added a test case in PR #265, but the test takes "forever".

pierrejoye (Contributor) commented Jul 19, 2016

Oh, it was much faster here. So let's close this issue again. :/ Thanks!

cmb69 (Contributor) commented Jul 19, 2016

Oh was much faster here.

Do you mean that the test ran much faster, or that you were faster to submit another test case? If the former, please leave that ticket open, because I feel that there is something wrong with reading the GD2 image (that should only take some ms on a slow machine). I'll have a look at it ASAP.

pierrejoye (Contributor) commented Jul 19, 2016

The test runs way faster here. But it's not critical to have it in 2.2.3.

@pierrejoye pierrejoye added this to the GD 2.2.4 milestone Jul 20, 2016
un-fmunozs commented Jul 25, 2016

Maybe a test case based on this https://bugs.php.net/bug.php?id=72519 will be faster?

cmb69 (Contributor) commented Jan 23, 2017

[…] because I feel that there is something wrong with reading the GD2 image […]

Indeed, there was something wrong, namely a DOS vulnerability, which has been fixed with c6bb583 (available as of GD 2.2.4). I'm going to add a regression test for the submitted image. Presumably, the fixes in gd_gif_out.c are not strictly necessary, but they're adding a second safety net.

cmb69 added a commit that referenced this issue Jan 23, 2017
Besides the original fix, which catered to the subsequent output, the
potential DOS vulnerability due to a corrupted GD2 image file has been
fixed with c6bb583, and here we make sure that this very image is also
handled properly.
@cmb69 cmb69 closed this Jan 24, 2017
cmb69 added a commit that referenced this issue Aug 1, 2017
Besides the original fix, which catered to the subsequent output, the
potential DOS vulnerability due to a corrupted GD2 image file has been
fixed with c6bb583, and here we make sure that this very image is also
handled properly.

(cherry picked from commit 1068340)