Invalid read when call gdImageTiffPtr (CVE-2017-6363) #383
Comments
please post all code you're using to test things
The other image leads to a heap-buffer-overflow. May be the same mistake. The ASAN crash log:
CVE-2017-6363 was assigned.
The gd image formats allow for a palette of 256 colors, so if the transparent index is out of range, disable it.
The gd image formats allow for a palette of 256 colors, so if the transparent index is out of range, disable it. (cherry picked from commit 0be86e1)
the gd image readers should have clamped the transparent index to a valid range. i imagine you'd get a similar error if you tried to output to other image formats as we don't do bounds checking at output time (as we assume the inputs were correct to begin with). i fixed the issue in the gd/gd2 image readers.
When reading images in GD or GD2 format, we have to ensure that the transparent color is not set, if it would refer to a non-extant palette entry. We back that up with respective regression tests.
In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be "obsolete, and should only be used for development and testing purposes."
it's too late at this point ;). but regardless of our opinion on the formats, if they're available by default (and they have been), it means people using gd to accept arbitrary inputs from people (like php) are affected.
Well, wrt. PHP the CVE is most likely irrelevant. Firstly, PHP does not have TIFF support (and rather likely the CVE is about this), and secondly, neither GIF, GD(2) nor PNG writing would exhibit a direct vulnerability – the GIF writer just writes the byte, the GD(2) writer also does this, while the PNG writer already caters to out-of-bounds values. The TIFF writer, however, would cause an invalid read. The other writers appear to be agnostic to the transparent color. Generally, I agree, though – we can't know what users of libgd are doing.
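The two halves of the discussion above (the reader-side fix in the gd/gd2 loaders, and the writer-side bounds check the TIFF writer lacked) can be illustrated together. The following is an added example, not libgd's own code: `gd_palette_image`, `sanitize_transparent_index`, `writer_transparent_rgb` and `simulate` are hypothetical names modelling the behaviour described in the thread, and the 256-entry palette limit is the one the commit message cites. The reader rejects a transparent index that does not refer to an existing palette entry (disabling transparency rather than storing the value), and the writer refuses to index the palette with anything it has not bounds-checked, so a malformed header can no longer steer a palette read out of range.

```c
/* Added illustration (not libgd code): validating an attacker-controlled
 * transparent index on read, and never trusting it unchecked on write.
 * All identifiers below are hypothetical; only the 256-color palette
 * limit comes from the issue thread. */
#include <stdio.h>
#include <stdint.h>

#define GD_MAX_COLORS 256   /* palette size of the gd/gd2 formats */
#define NO_TRANSPARENT (-1) /* sentinel: no transparent color set */

typedef struct {
    int colors_total;               /* number of valid palette entries */
    uint8_t red[GD_MAX_COLORS];
    uint8_t green[GD_MAX_COLORS];
    uint8_t blue[GD_MAX_COLORS];
    int transparent;                /* palette index or NO_TRANSPARENT */
} gd_palette_image;

/* Reader side. The value comes straight from the file header, so it is
 * under the control of whoever produced the file. Mirrors the fix described
 * in the thread: if the index does not refer to an existing palette entry,
 * disable transparency instead of storing the bogus value.
 * Returns 1 if the index was accepted, 0 if it was rejected. */
int sanitize_transparent_index(gd_palette_image *im, int index_from_file) {
    if (index_from_file < 0 || index_from_file >= im->colors_total ||
        index_from_file >= GD_MAX_COLORS) {
        im->transparent = NO_TRANSPARENT;
        return 0;
    }
    im->transparent = index_from_file;
    return 1;
}

/* Writer side. Defensive lookup that never indexes the palette arrays with an
 * unchecked value; this is the check whose absence turned a bad header into
 * an invalid read in the TIFF writer. Returns 1 and fills rgb when a valid
 * transparent color is set, 0 otherwise. */
int writer_transparent_rgb(const gd_palette_image *im, uint8_t rgb[3]) {
    int t = im->transparent;
    if (t < 0 || t >= im->colors_total || t >= GD_MAX_COLORS) {
        return 0;
    }
    rgb[0] = im->red[t];
    rgb[1] = im->green[t];
    rgb[2] = im->blue[t];
    return 1;
}

/* Run the reader check and then the writer lookup on a constructed image with
 * `colors` palette entries. Returns 2 if the writer used the transparent
 * color, 1 if the reader disabled it, 0 if the writer refused on its own. */
int simulate(int colors, int index_from_file) {
    gd_palette_image im = {0};
    uint8_t rgb[3];
    im.colors_total = colors;
    if (!sanitize_transparent_index(&im, index_from_file)) {
        return 1;
    }
    return writer_transparent_rgb(&im, rgb) ? 2 : 0;
}

int main(void) {
    /* constructed inputs: a 16-entry palette with in-range and out-of-range
     * transparent indices as a malformed header might supply them */
    printf("index 5 of 16   -> %d (2 = used)\n", simulate(16, 5));
    printf("index 300 of 16 -> %d (1 = disabled by reader)\n", simulate(16, 300));
    printf("index -1 of 16  -> %d (1 = disabled by reader)\n", simulate(16, -1));
    printf("index 256 of 256-> %d (1 = disabled by reader)\n", simulate(256, 256));
    return 0;
}
```

Checking against `colors_total` rather than only against 256 follows the commit message's wording ("a non-extant palette entry"): an index of 200 in a 16-color image is just as invalid as 300, even though it would not read past the fixed-size arrays. The writer keeps its own check so that it stays safe for images built by any reader, not just the patched gd/gd2 ones.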
Description
Hi, when I fuzz libgd, an invalid read occurs within the function tiffWriter of gd_tiff.c. It can be triggered by the file gdfile.txt
Valgrind tracker