CVE-2016-7568 Integer Overflow in gdImageWebpCtx #308
Comments

This issue has been fixed in libgd and PHP. I opened it just for issue tracking. Also, can anyone help request a CVE number for it? Thanks.

Hello, CVE-2016-7568 has been assigned to this issue. Thanks.
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on Oct 16, 2016:

- make option WEBP default
PR: 211368
- Security patch, port was not vulnerable
Security: libgd/libgd#308
Security: http://seclists.org/oss-sec/2016/q3/626
Security: CVE-2016-7568
PR: 213020
git-svn-id: svn+ssh://svn.freebsd.org/ports/head@424078 35697150-7ecd-e111-bb59-0022644237b5
DESCRIPTION
An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c, which could lead to a heap buffer overflow.
CREDIT
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
VULNERABILITY DETAILS
The bad code lies in function gdImageWebpCtx of file gd_webp.c. There is no overflow check before calling the gdMalloc function. Actually, an integer overflow can happen here. For example, 0x8000 * 0x8001 * 4 = 0x100020000 -> Overflow -> 0x20000. The buffer will be overflowed in the following for loop.
POC
This issue was reported to PHP originally. So currently the proof-of-concept file is only available for PHP. But I think it's not hard to write a PoC for libgd.
EXCEPTION LOG
Also, the exception log was generated by PHP.
PATCH
It's very easy to write a patch for this issue. Just call function overflow2 to check if overflow exists or not before calling function gdMalloc.
TIMELINE
2016/09/02 - Report to PHP as BUG 73003
2016/09/06 - Wrote a patch and created a pull request for libgd
2016/09/06 - Wrote a patch and created a pull request for php-src
2016/09/16 - Fixed in PHP via 46df064 and c18263e
2016/09/16 - Fixed in libgd via 40bec0f
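The following C program is an added illustration of the arithmetic in the report above; it is neither libgd's code nor the reporter's proof of concept. With the 0x8000 x 0x8001 dimensions from the report it shows the allocation size wrapping to 0x20000 in 32-bit arithmetic, the number of bytes the per-pixel ARGB copy loop would actually write, and the overflow2-style check that refuses the allocation. mul_overflows_int is a stand-in written here for libgd's overflow2; all function and variable names in the block are assumptions for this example, not identifiers from gd_webp.c.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for libgd's overflow2(): returns nonzero if a * b cannot be
 * represented as an int. Written for this example, not taken from libgd. */
static int mul_overflows_int(int a, int b)
{
    if (a < 0 || b < 0)
        return 1;               /* negative dimensions are never valid here */
    if (a == 0 || b == 0)
        return 0;
    return a > INT_MAX / b;     /* a * b > INT_MAX  <=>  a > INT_MAX / b */
}

/* The unchecked size computation the report describes, done in 32-bit
 * unsigned arithmetic so the wrap-around is well defined and observable:
 * 0x8000 * 0x8001 * 4 = 0x100020000, which wraps to 0x20000. */
static uint32_t wrapped_argb_size(int sx, int sy)
{
    return (uint32_t)sx * (uint32_t)sy * 4u;
}

/* What the pixel-copy loop writes: 4 bytes (ARGB) per pixel, computed
 * without truncation. When this exceeds wrapped_argb_size(), the loop
 * runs past the end of the heap buffer. */
static uint64_t bytes_written_by_loop(int sx, int sy)
{
    return (uint64_t)sx * (uint64_t)sy * 4u;
}

/* Hardened size computation: check each multiplication with the
 * overflow2-style helper before performing it, in the order the
 * allocation multiplies. Returns 0 if the size is not representable. */
static size_t checked_argb_size(int sx, int sy)
{
    if (mul_overflows_int(sx, 4))
        return 0;
    if (mul_overflows_int(sx * 4, sy))
        return 0;
    return (size_t)(sx * 4) * (size_t)sy;
}

/* Allocate the ARGB staging buffer only when the size check passes,
 * mirroring "call overflow2 before gdMalloc". Returns NULL on overflow. */
static uint8_t *allocate_argb(int sx, int sy)
{
    size_t n = checked_argb_size(sx, sy);
    if (n == 0)
        return NULL;
    return (uint8_t *)malloc(n);
}

int main(void)
{
    int sx = 0x8000, sy = 0x8001;   /* dimensions from the report */
    uint8_t *buf;

    printf("wrapped allocation size   : 0x%lx bytes\n",
           (unsigned long)wrapped_argb_size(sx, sy));
    printf("bytes the loop would write: 0x%llx bytes\n",
           (unsigned long long)bytes_written_by_loop(sx, sy));

    buf = allocate_argb(sx, sy);
    printf("checked allocation        : %s\n",
           buf ? "allocated" : "refused (overflow)");
    free(buf);

    printf("640x480 checked size      : %lu bytes\n",
           (unsigned long)checked_argb_size(640, 480));
    return 0;
}
```

The check is split into two steps on purpose: a single test on sx * sy * 4 would itself be computed with the overflow it is meant to detect, so each factor is validated before it is multiplied in, which is the same shape as chaining overflow2 calls in front of gdMalloc.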