Out-Of-Bounds Read in function read_image_tga of gd_tga.c (CVE-2016-6905) #248

Closed
trylab opened this issue Jul 5, 2016 · 8 comments

@trylab
Contributor

trylab commented Jul 5, 2016

Hi, I'd like to report an OOB read issue to you. This issue can be triggered when parsing a specially crafted tga image. You can compile libgd/tests/tga/bug00084.c with AddressSanitizer to reproduce this issue.

==2755==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5503f9c at pc 0x081689da bp 0xbf86d738 sp 0xbf86d730
READ of size 1 at 0xb5503f9c thread T0
    #0 0x81689d9 in read_image_tga /tmp/repo/libgd/src/gd_tga.c:293:37
    #1 0x8165b32 in gdImageCreateFromTgaCtx /tmp/repo/libgd/src/gd_tga.c:74:6
    #2 0x8165986 in gdImageCreateFromTga /tmp/repo/libgd/src/gd_tga.c:25:10
    #3 0x81322a1 in main /tmp/repo/libgd/tests/tga/bug00084.c:10:10
    #4 0xb745daf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287
    #5 0x8078b1b in _start (/tmp/repo/libgd/tests/tga/bug00084+0x8078b1b)

0xb5503f9c is located 0 bytes to the right of 796-byte region [0xb5503c80,0xb5503f9c)
allocated by thread T0 here:
    #0 0x81107a9 in malloc (/tmp/repo/libgd/tests/tga/bug00084+0x81107a9)
    #1 0x8167b77 in read_image_tga /tmp/repo/libgd/src/gd_tga.c:254:37

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/repo/libgd/src/gd_tga.c:293 read_image_tga
==2755==ABORTING

Credit to Ke Liu of Tencent's Xuanwu LAB.
Thanks.

@trylab
Contributor Author

trylab commented Jul 5, 2016

Please remove the .txt extension.
poc.tga.txt

@trylab trylab changed the title Out-Of-Bounds Read in gd_tga.c Out-Of-Bounds Read in function read_image_tga of gd_tga.c Jul 5, 2016
@cmb69 cmb69 self-assigned this Jul 5, 2016
@cmb69
Contributor

cmb69 commented Jul 5, 2016

That might be a duplicate of #247. I'll have a look at it.

@oerdnj
Contributor

oerdnj commented Jul 12, 2016

@vapier Tested POC and it's not a duplicate.

@cmb69
Contributor

cmb69 commented Jul 12, 2016

@oerdnj I was able to reproduce with valgrind. The file appears to be corrupt w.r.t. the RLE.

@oerdnj
Contributor

oerdnj commented Jul 12, 2016

@cmb69 I think I have a fix, just a moment to test it.

@oerdnj
Contributor

oerdnj commented Jul 12, 2016

The decoding ends with a buffer overflow here:

3: image_block_size = 796
2: bitmap_caret = 796
1: buffer_caret = 798

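The counters above show the read cursor (buffer_caret) running past the input while the output cursor (bitmap_caret) has just filled the image. The following is an added illustration, not libgd's code, of the two bounds checks a TGA run-length decoder needs so that neither cursor can pass the end of its buffer; the packet layout is the standard TGA one (high bit = run, low 7 bits = count-1) and the sample streams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode TGA RLE packets from src (src_len bytes) into dst, which holds
 * exactly image_block_size bytes (width * height * bpp).
 * Returns 0 on success, -1 if the packet stream is truncated or a packet
 * would write past the end of dst. */
int decode_tga_rle(const uint8_t *src, size_t src_len,
                   uint8_t *dst, size_t image_block_size, size_t bpp)
{
    size_t buffer_caret = 0;   /* read position in src  */
    size_t bitmap_caret = 0;   /* write position in dst */

    while (bitmap_caret < image_block_size) {
        if (buffer_caret >= src_len)              /* no room for a packet header */
            return -1;
        uint8_t hdr = src[buffer_caret++];
        size_t count = (size_t)(hdr & 0x7f) + 1;  /* pixels in this packet */
        size_t out_bytes = count * bpp;
        if (out_bytes > image_block_size - bitmap_caret)  /* would overrun dst */
            return -1;
        if (hdr & 0x80) {
            /* run-length packet: one pixel value, repeated count times */
            if (bpp > src_len - buffer_caret)     /* pixel value missing from src */
                return -1;
            for (size_t i = 0; i < count; i++) {
                memcpy(dst + bitmap_caret, src + buffer_caret, bpp);
                bitmap_caret += bpp;
            }
            buffer_caret += bpp;
        } else {
            /* raw packet: count literal pixels follow the header */
            if (out_bytes > src_len - buffer_caret)  /* literals truncated */
                return -1;
            memcpy(dst + bitmap_caret, src + buffer_caret, out_bytes);
            bitmap_caret += out_bytes;
            buffer_caret += out_bytes;
        }
    }
    return 0;
}

/* Constructed 2x2 8-bit image: run of 3 x 0x11, then one literal 0x22. */
static const uint8_t good_stream[]      = { 0x82, 0x11, 0x00, 0x22 };
/* Same stream with the literal pixel cut off: must be rejected. */
static const uint8_t truncated_stream[] = { 0x82, 0x11, 0x00 };
/* A run of 5 pixels into a 4-byte image: must be rejected. */
static const uint8_t overlong_stream[]  = { 0x84, 0x11 };
```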
oerdnj added a commit that referenced this issue Jul 12, 2016
@oerdnj oerdnj mentioned this issue Jul 12, 2016
oerdnj added a commit that referenced this issue Jul 12, 2016
oerdnj added a commit that referenced this issue Jul 12, 2016
@pierrejoye
Contributor

It would be interesting to have the QuickFuzz test flow in a github repo so we can run it from time to time to validate any code changes we make before a release :)

oerdnj added a commit that referenced this issue Jul 14, 2016
@oerdnj oerdnj closed this as completed in 5ddd5a7 Jul 14, 2016
oerdnj added a commit that referenced this issue Jul 14, 2016
oerdnj added a commit that referenced this issue Jul 15, 2016
oerdnj added a commit that referenced this issue Jul 15, 2016
oerdnj added a commit that referenced this issue Jul 15, 2016
oerdnj added a commit that referenced this issue Jul 15, 2016
oerdnj added a commit that referenced this issue Jul 15, 2016
@trylab
Contributor Author

trylab commented Aug 24, 2016

According to http://seclists.org/oss-sec/2016/q3/363 , CVE-2016-6905 has been assigned to this issue.

@trylab trylab changed the title Out-Of-Bounds Read in function read_image_tga of gd_tga.c Out-Of-Bounds Read in function read_image_tga of gd_tga.c (CVE-2016-6905) Aug 24, 2016