libgd double-free vulnerability #381
Comments
The problem is that gdImagePngPtr() calls gdImagePngCtxEx(), but the latter bails out because there are no colors in the palette. However, gdImagePngCtxEx() doesn't provide a meaningful return value, so gdImagePngPtr() can't check whether the operation succeeded. It seems that we need a fix analogous to commit a49feea. Other image output functions might be affected as well.
To clarify: this is not a security issue, but rather a programmer error, but still it should be fixed.
OK. Thank you very much.
I found the double-free vulnerability again; the file leading to the crash is double-free.txt.
Why did you close this ticket? I assume that was by accident, so I'm re-opening.
Yes, that was an accident.
Analysis
The second argument (int required) of the gdReallocDynamic function is 0.
Step 1: at `if((newPtr = gdRealloc(dp->data, required))) {`, dp->data will be freed and newPtr will be set to NULL because required is 0.
Step 2: `newPtr = gdMalloc(required);` newPtr is set to a new memory space. The funny thing is that newPtr and dp->data are the same address.
Step 3: the memcpy works.
Step 4: `gdFree(dp->data)`; notice that newPtr and dp->data are the same. The first free occurs here.
Step 5: dp->data is returned to the previous function.
The end.
CVE-2017-6362 was assigned.
Is this bug still valid?
@pierrejoye Yes, still valid (I've sent a patch in 41c4ecbc-f5a4-4592-8a74-b4b1155ae2d5@gmx.de). PHP's bundled libgd is affected as well, so we should coordinate the releases. I'm not sure what to do for PHP 5.6. Is there any schedule for 5.6.31?
I did, but this was about a completely unrelated issue. PS:
As the second example (importing a GD image) shows, this is a security issue.
The issue is that `gdImagePngCtxEx` (which is called by `gdImagePngPtr` and the other PNG output functions to do the real work) does not return whether it succeeded or failed, so this is not checked in `gdImagePngPtr` and the function wrongly assumes everything is okay, which is not the case here, because the palette image contains no palette entries. We can't change the signature of `gdImagePngCtxEx` for API compatibility reasons, so we introduce the static helper `_gdImagePngCtxEx`, which returns success or failure, so `gdImagePngPtr` and `gdImagePngPtrEx` can check the return value. We leave it solely to libpng for now to report warnings regarding the failing write. CVE-2017-6362 (cherry picked from commit 2207e3c)
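The step-by-step Analysis comment above and the commit message both reduce to two points: a realloc wrapper that passes a size of 0 through to realloc, and a writer whose failure its caller cannot observe, so the caller hands back a buffer it should have released. The program below is an added example written for this page, not libgd code and not the reporter's test program. `dyn_buf`, `dyn_reserve`, `png_write_ctx` and `image_to_ptr` are hypothetical stand-ins for gdReallocDynamic, gdImagePngCtxEx and gdImagePngPtr, the image is reduced to a colour count, and the "PNG" written is only the 8-byte signature. It shows the shape of the fix: the helper returns a status, the caller checks it, and the buffer is freed exactly once on the failure path.

```c
/* Added example modelling the gdImagePngPtr / gdReallocDynamic bug and its
 * fix. Not libgd code; all names below are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;
    size_t len;     /* bytes used */
    size_t cap;     /* bytes allocated */
} dyn_buf;

typedef struct {
    int colors;     /* palette entries; 0 is the failing case in this issue */
} palette_image;

/* Grow the buffer. The Analysis steps hinge on realloc(p, 0): its result is
 * implementation-defined (glibc frees p and returns NULL), so a wrapper that
 * reads NULL as "allocation failed" and then frees p again double-frees.
 * Rule here: never pass 0 to realloc, and on a NULL result leave the old
 * block, still owned by dp, untouched. */
static int dyn_reserve(dyn_buf *dp, size_t required)
{
    char *np;
    if (required == 0)
        required = 1;            /* avoid implementation-defined realloc(p, 0) */
    if (required <= dp->cap)
        return 1;
    np = realloc(dp->data, required);
    if (np == NULL)
        return 0;                /* dp->data is still valid; caller frees it once */
    dp->data = np;
    dp->cap = required;
    return 1;
}

static void dyn_free(dyn_buf *dp)
{
    free(dp->data);              /* free(NULL) is a no-op */
    dp->data = NULL;
    dp->len = dp->cap = 0;
}

/* Stand-in for gdImagePngCtxEx. The original returns void, so a caller cannot
 * tell that it bailed out on an empty palette; this helper returns 1 on
 * success and 0 on failure, as the cherry-picked fix does with _gdImagePngCtxEx. */
static int png_write_ctx(const palette_image *im, dyn_buf *out)
{
    static const unsigned char header[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    if (im->colors <= 0)
        return 0;                /* "no colors in the palette": write nothing */
    if (!dyn_reserve(out, out->len + sizeof header))
        return 0;
    memcpy(out->data + out->len, header, sizeof header);
    out->len += sizeof header;
    return 1;
}

/* Stand-in for gdImagePngPtr after the fix: check the helper's result, release
 * the buffer on failure and return NULL with *size == 0, instead of assuming
 * the write succeeded and returning whatever the buffer holds. */
static void *image_to_ptr(const palette_image *im, int *size)
{
    dyn_buf out = {NULL, 0, 0};
    void *rv;
    *size = 0;
    if (!png_write_ctx(im, &out)) {
        dyn_free(&out);          /* the single free on the failure path */
        return NULL;
    }
    rv = out.data;               /* ownership moves to the caller */
    *size = (int)out.len;
    return rv;
}

int main(void)
{
    palette_image empty = {0}, ok = {16};
    int size;
    void *p = image_to_ptr(&empty, &size);
    printf("empty palette: ptr=%p size=%d\n", p, size);   /* NULL, 0 */
    p = image_to_ptr(&ok, &size);
    printf("16 colours: size=%d\n", size);                 /* 8 */
    free(p);
    return 0;
}
```

Build with `cc -Wall -fsanitize=address example.c` and run it: the empty-palette call returns NULL with size 0 and ASan reports no double free or leak, which is the property the unfixed gdImagePngPtr lacked. The `required == 0` clamp in `dyn_reserve` is the caveat a reviewer would want stated explicitly, since the double free in this issue starts at exactly that realloc call.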
No. Actually,
Description
I found a libgd double-free vulnerability when calling the gdImagePngPtr function.
Environment
Ubuntu x64 16.04
libgd 2.2.4 (Latest commit e65415d)
Detail
The C code: