
libgd double-free vulnerability #381

Closed
@varsleak

Description

I found a libgd double-free vulnerability when calling the gdImagePngPtr function.

Environment

Ubuntu x64 16.04
libgd 2.2.4 (Latest commit e65415d)

Detail

➜  gcc_asan_build git:(master) ✗ Bin/test_webp_bug_double_free
GD Warning: gd-png error: no colors in palette
=================================================================
==9574==ERROR: AddressSanitizer: attempting **double-free** on 0x61d00001ea80 in thread T0:
    #0 0x7f39d2d5e2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x7f39d2a63d19 in gdFree /home/varsleak/github/libgd/src/gdhelpers.c:115
    #2 0x7f39d2a37551 in gdReallocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:412
    #3 0x7f39d2a37662 in trimDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:427
    #4 0x7f39d2a35fca in gdDPExtractData /home/varsleak/github/libgd/src/gd_io_dp.c:127
    #5 0x7f39d2a440e1 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:661
    #6 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
    #7 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x400968 in _start (/home/varsleak/github/libgd/gcc_asan_build/Bin/test_webp_bug_double_free+0x400968)

0x61d00001ea80 is located 0 bytes inside of 2048-byte region [0x61d00001ea80,0x61d00001f280)
freed by thread T0 here:
    #0 0x7f39d2d5e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x7f39d2a63cb8 in gdRealloc /home/varsleak/github/libgd/src/gdhelpers.c:81
    #2 0x7f39d2a373e8 in gdReallocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:397
    #3 0x7f39d2a37662 in trimDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:427
    #4 0x7f39d2a35fca in gdDPExtractData /home/varsleak/github/libgd/src/gd_io_dp.c:127
    #5 0x7f39d2a440e1 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:661
    #6 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
    #7 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f39d2d5e602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f39d2a63c93 in gdMalloc /home/varsleak/github/libgd/src/gdhelpers.c:75
    #2 0x7f39d2a36e8a in allocDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:327
    #3 0x7f39d2a366f5 in newDynamic /home/varsleak/github/libgd/src/gd_io_dp.c:230
    #4 0x7f39d2a35d74 in gdNewDynamicCtxEx /home/varsleak/github/libgd/src/gd_io_dp.c:91
    #5 0x7f39d2a35d2d in gdNewDynamicCtx /home/varsleak/github/libgd/src/gd_io_dp.c:75
    #6 0x7f39d2a440a4 in gdImagePngPtr /home/varsleak/github/libgd/src/gd_png.c:658
    #7 0x400b06 in main /home/varsleak/github/libgd/tests/webp/bug_double_free.c:19
    #8 0x7f39d262582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==9574==ABORTING

The C code

#include "gd.h"
#include "gdtest.h"


int main() {
    gdImagePtr im1 = 0;
    void * im2 = 0;
    int size = 0;

    /* Palette image with no colors allocated: this is the
       "no colors in palette" condition the PNG encoder warns about. */
    im1 = gdImageCreate(100, 100);

    /* PNG encoding into a memory buffer; ASan reports the double free
       inside this call (gdDPExtractData -> trimDynamic -> gdReallocDynamic). */
    im2 = gdImagePngPtr(im1, &size);

    /* gdImagePngPtr returns NULL on failure; gdFree(NULL) is harmless. */
    gdFree(im2);

    gdImageDestroy(im1);

    return 0;
}
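
The two stacks in the trace show the same block first released by realloc() inside gdReallocDynamic and then passed to gdFree from the fallback path of the same function, after nothing was written to the output buffer. The following is an added illustration of that pattern and is not libgd's code: a hypothetical stand-in buffer (struct dynbuf, shrink_unsafe, shrink_safe and trim_empty_buffer are all assumed names) with the unsafe shrink-to-fit logic beside a hardened one.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libgd's dynamic output buffer (not libgd's code). */
struct dynbuf { unsigned char *data; size_t logical_size; size_t used; };

/* Vulnerable shape (the report's call chain): NULL from realloc() is taken as
 * "old block still valid", so the fallback copies from it and frees it.  On
 * glibc, realloc(p, 0) frees p and returns NULL, so when the encoder wrote
 * nothing (used == 0) the block is freed twice.  Kept for reading only. */
int shrink_unsafe(struct dynbuf *dp, size_t required)
{
    void *np = realloc(dp->data, required);
    if (np) { dp->data = np; dp->logical_size = required; return 1; }
    if (!(np = malloc(required))) return 0;
    memcpy(np, dp->data, dp->used);
    free(dp->data);   /* second free of a block realloc() already released */
    dp->data = np; dp->logical_size = required;
    return 1;
}

/* Hardened shape: never hand realloc() a zero size; on a failed non-zero
 * realloc() the old block is untouched (C guarantees this), so just report it. */
int shrink_safe(struct dynbuf *dp, size_t required)
{
    if (required == 0) {
        free(dp->data); dp->data = NULL; dp->logical_size = 0;
        return 1;
    }
    void *np = realloc(dp->data, required);
    if (!np) return 0;
    dp->data = np; dp->logical_size = required;
    return 1;
}

/* The report's scenario: 2048-byte buffer, nothing written, then shrink-to-fit.
 * Returns 1 when the buffer ends up empty with no dangling pointer. */
int trim_empty_buffer(void)
{
    struct dynbuf dp = { malloc(2048), 2048, 0 };
    if (!dp.data) return 0;
    int clean = shrink_safe(&dp, dp.used) && dp.data == NULL && dp.logical_size == 0;
    free(dp.data);    /* free(NULL) is a no-op */
    return clean;
}

int main(void)
{
    return trim_empty_buffer() ? 0 : 1;   /* exit status 0 means the trim was clean */
}
```

Running the same scenario through shrink_unsafe under AddressSanitizer reproduces the "attempting double-free" report shape shown above.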
