Description
I found a double-free vulnerability in libgd that is triggered by calling the gdImagePngPtr function. As the trace below shows, both frees happen inside the library (gdReallocDynamic, called from trimDynamic during gdDPExtractData) before the buffer is ever returned to the caller.
Environment
Ubuntu x64 16.04
libgd 2.2.4 (Latest commit e65415d)
Detail
➜ gcc_asan_build git:(master) ✗ Bin/test_webp_bug_double_free
GD Warning: gd-png error: no colors in palette
=================================================================
==9574==ERROR: AddressSanitizer: attempting **double-free** on 0x61d00001ea80 in thread T0:
#0 0x7f39d2d5e2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x7f39d2a63d19 in gdFree /home/varsleak/github/libgd/src/gdhelpers.c:115
#2 0x7f39d2a37551 in gdReallocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:412
#3 0x7f39d2a37662 in trimDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:427
#4 0x7f39d2a35fca in gdDPExtractData /home/varsleak/github/libgd/src/gd_io_dp.c:127
#5 0x7f39d2a440e1 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:661
#6 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
#7 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x400968 in _start (/home/varsleak/github/libgd/gcc_asan_build/Bin/test_webp_bug_double_free+0x400968)
0x61d00001ea80 is located 0 bytes inside of 2048-byte region [0x61d00001ea80,0x61d00001f280)
freed by thread T0 here:
#0 0x7f39d2d5e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x7f39d2a63cb8 in gdRealloc /home/varsleak/github/libgd/src/gdhelpers.c:81
#2 0x7f39d2a373e8 in gdReallocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:397
#3 0x7f39d2a37662 in trimDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:427
#4 0x7f39d2a35fca in gdDPExtractData /home/varsleak/github/libgd/src/gd_io_dp.c:127
#5 0x7f39d2a440e1 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:661
#6 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
#7 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f39d2d5e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7f39d2a63c93 in gdMalloc /home/varsleak/github/libgd/src/gdhelpers.c:75
#2 0x7f39d2a36e8a in allocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:327
#3 0x7f39d2a366f5 in newDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:230
#4 0x7f39d2a35d74 in gdNewDynamicCtxEx /home/varsleak/github/libgd/src/gd_io_dp.c:91
#5 0x7f39d2a35d2d in gdNewDynamicCtx /home/varsleak/github/libgd/src/gd_io_dp.c:75
#6 0x7f39d2a440a4 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:658
#7 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
#8 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==9574==ABORTING
The C code that reproduces it:
#include "gd.h"
#include "gdtest.h"
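/*
 * Reproducer for the double free reported in gdImagePngPtr().
 *
 * gdImageCreate() returns a palette image in which no colors have been
 * allocated yet; encoding it as PNG emits the "no colors in palette"
 * warning and, in the reported build (libgd 2.2.4, commit e65415d),
 * leads to a double free inside gdDPExtractData() before any pointer
 * is handed back to this function.
 *
 * Returns 0 on success, 1 if the source image could not be created.
 */
int main(void)
{
	int size = 0;

	/* gdImageCreate() returns NULL on allocation failure; bail out
	 * instead of passing a null image into the encoder. */
	gdImagePtr im1 = gdImageCreate(100, 100);
	if (!im1) {
		return 1;
	}

	/* im2 is NULL when encoding fails. gdFree() wraps free() (see the
	 * trace: gdFree -> __interceptor_free), so freeing NULL is a no-op. */
	void *im2 = gdImagePngPtr(im1, &size);
	gdFree(im2);
	gdImageDestroy(im1);
	return 0;
}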