
Update gdImage*Ptr() functions for possible Double free bugs #492

Closed
y3noor opened this issue Jan 15, 2019 · 9 comments

Comments

@y3noor

y3noor commented Jan 15, 2019

Hi, please commit the patch file.

@vapier
Member

vapier commented Jan 17, 2019

you haven't attached any patches or linked to any bugs/patches/websites. so what are you asking for?

@y3noor
Author

y3noor commented Jan 17, 2019

Hi, the patch file was sent to the mailing list months ago, and I have added it here.

https://0bin.asis.io/paste/+yPxFkcF#GHj3EaZckDwD-+d6k/fr3uwpzGg3yBD1jElc5FJiyXE

@y3noor y3noor closed this as completed Jan 17, 2019
@y3noor y3noor reopened this Jan 17, 2019
@vapier
Member

vapier commented Jan 17, 2019

if you have a patch you want to merge, please send a PR. we don't use random pastebin websites.

@y3noor
Author

y3noor commented Jan 17, 2019

#493

@cmb69 cmb69 closed this as completed in 5537029 Jan 17, 2019
@cmb69
Contributor

cmb69 commented Jan 17, 2019

@vapier We need to release 2.2.6 or 2.3.0 (I believe there are a few more sec fixes pending) – could you do this soon?

php-pulls pushed a commit to php/php-src that referenced this issue Jan 19, 2019:
Even though libgd/libgd#492 is not a relevant bug fix for PHP, since
the binding doesn't use the `gdImage*Ptr()` functions at all, we're
porting the fix to stay in sync here.
@carnil

carnil commented Jan 28, 2019

This issue has been assigned CVE-2019-6978.

@eag1r

eag1r commented Jul 8, 2019

@vapier The test for jpeg_ptr_double_free is not what we expected.
The result is always like this regardless of whether the patch is complete:
eager]# vi jpeg_ptr_double_free.log
GD Warning: gd-jpeg: JPEG library reports unrecoverable error: Empty JPEG image (DNL not supported)
PASS jpeg/jpeg_ptr_double_free (exit status: 0)

@cmb69
Contributor

cmb69 commented Jul 8, 2019

@eag1r, if you can come up with a better test, please provide a PR. Otherwise it seems to me that test is better than nothing, even though it only shows issues when run with valgrind.
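The issue title and the comment above describe the general shape of the bug class (a `*Ptr()`-style function that encodes into an in-memory buffer, hands the bytes back, and releases its context, where an encoder failure leads to the buffer being freed twice) and the fact that the plain test only exposes it under a memory checker. The following is an added, constructed C model of that pattern and is not libgd code: every name in it (`dynbuf`, `encode_into`, `extract`, `ctx_release`, `image_to_ptr_flawed`, `image_to_ptr_fixed`, the `tracked_*` allocator) is invented, and the exact failure mechanism inside libgd is not reconstructed here. The tracked allocator stands in for valgrind: it reports a second free of the same block instead of letting it corrupt the heap, which is why the flawed variant can be run and observed, while the fixed variant shows the defensive rule that only extracts when the encoder succeeded, leaving the context release as the buffer's single owner on failure.

```c
/* Constructed model of a "Ptr"-style encode-to-memory API (not libgd code).
 * All names are invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Tiny allocation tracker, playing the role valgrind plays in the thread ---- */
#define MAX_TRACKED 16
static struct { void *p; int live; } g_blocks[MAX_TRACKED];
static int g_nblocks;
int g_double_frees;                  /* frees of a block that was already freed */

void tracker_reset(void) { g_nblocks = 0; g_double_frees = 0; }

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && g_nblocks < MAX_TRACKED) {
        g_blocks[g_nblocks].p = p;
        g_blocks[g_nblocks].live = 1;
        g_nblocks++;
    }
    return p;
}

/* Search newest-first so a recycled address maps to its most recent allocation. */
void tracked_free(void *p) {
    if (!p) return;
    for (int i = g_nblocks - 1; i >= 0; i--) {
        if (g_blocks[i].p != p) continue;
        if (!g_blocks[i].live) { g_double_frees++; return; }  /* report, do not free again */
        g_blocks[i].live = 0;
        free(p);
        return;
    }
    free(p);                         /* block not tracked (table full) */
}

/* ---- Encode-to-memory context ---- */
typedef struct {
    unsigned char *data;
    size_t len;
    int good;                        /* set only when the encoder completed */
} dynbuf;

/* Encoder stand-in: "encodes" n bytes and, like the JPEG library in the
 * thread, rejects an empty image (n == 0). On failure the buffer stays owned
 * by the context. Returns 0 on success, 1 on failure. */
static int encode_into(dynbuf *b, size_t n) {
    b->good = 0;
    b->len = 0;
    b->data = tracked_malloc(n ? n : 1);
    if (!b->data || n == 0) return 1;
    memset(b->data, 0xAB, n);
    b->len = n;
    b->good = 1;
    return 0;
}

/* Hand the bytes to the caller on success. The failure branch is the
 * constructed defect: it frees the buffer but leaves the pointer in the
 * context, so a later context release frees it a second time. */
static unsigned char *extract(dynbuf *b, size_t *size) {
    if (b->good) {
        unsigned char *d = b->data;
        *size = b->len;
        b->data = NULL;              /* ownership moves to the caller */
        return d;
    }
    tracked_free(b->data);           /* pointer left dangling */
    *size = 0;
    return NULL;
}

static void ctx_release(dynbuf *b) { tracked_free(b->data); b->data = NULL; }

/* Before: ignore the encoder result and always extract, then release. */
unsigned char *image_to_ptr_flawed(size_t n, size_t *size) {
    dynbuf b;
    encode_into(&b, n);              /* return value ignored */
    unsigned char *rv = extract(&b, size);
    ctx_release(&b);                 /* second free on the failure path */
    return rv;
}

/* After: extract only when encoding succeeded; on failure the release below
 * is the single owner of the buffer and frees it exactly once. */
unsigned char *image_to_ptr_fixed(size_t n, size_t *size) {
    dynbuf b;
    unsigned char *rv = NULL;
    *size = 0;
    if (encode_into(&b, n) == 0) rv = extract(&b, size);
    ctx_release(&b);
    return rv;
}

int main(void) {
    size_t sz;
    tracker_reset();
    image_to_ptr_flawed(0, &sz);
    printf("flawed, empty image: double frees reported = %d\n", g_double_frees);
    tracker_reset();
    image_to_ptr_fixed(0, &sz);
    printf("fixed, empty image: double frees reported = %d\n", g_double_frees);
    return 0;
}
```

Without the tracker (or valgrind, as the comment above notes) the flawed variant returns NULL with exit status 0 just like the fixed one, which is exactly why a test that only checks the return value passes on both; the second free is invisible until something instruments the allocator.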

@eag1r

eag1r commented Jul 9, 2019

@cmb69 Thank you for your reply.
I had tried again with the result:
*** Error in `/data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free': double free or corruption (!prev): 0x0000000001b65ee0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81489)[0x7f7f5b424489]
/data/opensource_workspace/eager/libgd-2.2.5/src/.libs/libgd.so.3(+0x22d07)[0x7f7f5c3ecd07]
/data/opensource_workspace/eager/libgd-2.2.5/src/.libs/libgd.so.3(gdDPExtractData+0x7b)[0x7f7f5c3ed10b]
/data/opensource_workspace/eager/libgd-2.2.5/src/.libs/libgd.so.3(gdImageJpegPtr+0x40)[0x7f7f5c3ee4a0]
/data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free[0x400f44]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f7f5b3c53d5]
/data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free[0x400f97]
======= Memory map: ========
00400000-00403000 r-xp 00000000 ca:41 6308811 /data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free
00602000-00603000 r--p 00002000 ca:41 6308811 /data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free
00603000-00604000 rw-p 00003000 ca:41 6308811 /data/opensource_workspace/eager/libgd-2.2.5/tests/jpeg/.libs/lt-jpeg_ptr_double_free
01b64000-01b86000 rw-p 00000000 00:00 0 [heap]
7f7f54000000-7f7f54021000 rw-p 00000000 00:00 0
7f7f54021000-7f7f58000000 ---p 00000000 00:00 0
7f7f5a955000-7f7f5a96a000 r-xp 00000000 ca:01 2068180 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f7f5a96a000-7f7f5ab69000 ---p 00015000 ca:01 2068180 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f7f5ab69000-7f7f5ab6a000 r--p 00014000 ca:01 2068180 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f7f5ab6a000-7f7f5ab6b000 rw-p 00015000 ca:01 2068180 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7f7f5ab6b000-7f7f5ab7a000 r-xp 00000000 ca:01 1442789 /usr/lib64/libbz2.so.1.0.6
7f7f5ab7a000-7f7f5ad79000 ---p 0000f000 ca:01 1442789 /usr/lib64/libbz2.so.1.0.6
7f7f5ad79000-7f7f5ad7a000 r--p 0000e000 ca:01 1442789 /usr/lib64/libbz2.so.1.0.6
7f7f5ad7a000-7f7f5ad7b000 rw-p 0000f000 ca:01 1442789 /usr/lib64/libbz2.so.1.0.6
7f7f5ad7b000-7f7f5ad82000 r-xp 00000000 ca:01 2068396 /usr/lib64/librt-2.17.so
7f7f5ad82000-7f7f5af81000 ---p 00007000 ca:01 2068396 /usr/lib64/librt-2.17.so
7f7f5af81000-7f7f5af82000 r--p 00006000 ca:01 2068396 /usr/lib64/librt-2.17.so
7f7f5af82000-7f7f5af83000 rw-p 00007000 ca:01 2068396 /usr/lib64/librt-2.17.so
7f7f5af83000-7f7f5af9a000 r-xp 00000000 ca:01 1442598 /usr/lib64/libpthread-2.17.so
7f7f5af9a000-7f7f5b199000 ---p 00017000 ca:01 1442598 /usr/lib64/libpthread-2.17.so
7f7f5b199000-7f7f5b19a000 r--p 00016000 ca:01 1442598 /usr/lib64/libpthread-2.17.so
7f7f5b19a000-7f7f5b19b000 rw-p 00017000 ca:01 1442598 /usr/lib64/libpthread-2.17.so
7f7f5b19b000-7f7f5b19f000 rw-p 00000000 00:00 0
7f7f5b19f000-7f7f5b1a1000 r-xp 00000000 ca:01 2068389 /usr/lib64/libdl-2.17.so
7f7f5b1a1000-7f7f5b3a1000 ---p 00002000 ca:01 2068389 /usr/lib64/libdl-2.17.so
7f7f5b3a1000-7f7f5b3a2000 r--p 00002000 ca:01 2068389 /usr/lib64/libdl-2.17.so
7f7f5b3a2000-7f7f5b3a3000 rw-p 00003000 ca:01 2068389 /usr/lib64/libdl-2.17.so
7f7f5b3a3000-7f7f5b565000 r-xp 00000000 ca:01 1442572 /usr/lib64/libc-2.17.so
7f7f5b565000-7f7f5b765000 ---p 001c2000 ca:01 1442572 /usr/lib64/libc-2.17.so
7f7f5b765000-7f7f5b769000 r--p 001c2000 ca:01 1442572 /usr/lib64/libc-2.17.so
7f7f5b769000-7f7f5b76b000 rw-p 001c6000 ca:01 1442572 /usr/lib64/libc-2.17.so
7f7f5b76b000-7f7f5b770000 rw-p 00000000 00:00 0
7f7f5b770000-7f7f5b7b3000 r-xp 00000000 ca:01 1442770 /usr/lib64/libjpeg.so.62.1.0
7f7f5b7b3000-7f7f5b9b3000 ---p 00043000 ca:01 1442770 /usr/lib64/libjpeg.so.62.1.0
7f7f5b9b3000-7f7f5b9b4000 r--p 00043000 ca:01 1442770 /usr/lib64/libjpeg.so.62.1.0
7f7f5b9b4000-7f7f5b9b5000 rw-p 00044000 ca:01 1442770 /usr/lib64/libjpeg.so.62.1.0
7f7f5b9b5000-7f7f5b9c5000 rw-p 00000000 00:00 0
7f7f5b9c5000-7f7f5ba7c000 r-xp 00000000 ca:01 1442759 /usr/lib64/libfreetype.so.6.14.0
7f7f5ba7c000-7f7f5bc7c000 ---p 000b7000 ca:01 1442759 /usr/lib64/libfreetype.so.6.14.0
7f7f5bc7c000-7f7f5bc83000 r--p 000b7000 ca:01 1442759 /usr/lib64/libfreetype.so.6.14.0
7f7f5bc83000-7f7f5bc84000 rw-p 000be000 ca:01 1442759 /usr/lib64/libfreetype.so.6.14.0
7f7f5bc84000-7f7f5bcad000 r-xp 00000000 ca:01 1442777 /usr/lib64/libpng15.so.15.13.0
7f7f5bcad000-7f7f5bead000 ---p 00029000 ca:01 1442777 /usr/lib64/libpng15.so.15.13.0
7f7f5bead000-7f7f5beae000 r--p 00029000 ca:01 1442777 /usr/lib64/libpng15.so.15.13.0
7f7f5beae000-7f7f5beaf000 rw-p 0002a000 ca:01 1442777 /usr/lib64/libpng15.so.15.13.0
7f7f5beaf000-7f7f5bec7000 r-xp 00000000 ca:01 1502103 /usr/local/lib/libz.so.1.2.8
7f7f5bec7000-7f7f5c0c6000 ---p 00018000 ca:01 1502103 /usr/local/lib/libz.so.1.2.8
7f7f5c0c6000-7f7f5c0c7000 r--p 00017000 ca:01 1502103 /usr/local/lib/libz.so.1.2.8
7f7f5c0c7000-7f7f5c0c8000 rw-p 00018000 ca:01 1502103 /usr/local/lib/libz.so.1.2.8
7f7f5c0c8000-7f7f5c1c9000 r-xp 00000000 ca:01 2068390 /usr/lib64/libm-2.17.so
7f7f5c1c9000-7f7f5c3c8000 ---p 00101000 ca:01 2068390 /usr/lib64/libm-2.17.so
7f7f5c3c8000-7f7f5c3c9000 r--p 00100000 ca:01 2068390 /usr/lib64/libm-2.17.so
7f7f5c3c9000-7f7f5c3ca000 rw-p 00101000 ca:01 2068390 /usr/lib64/libm-2.17.so
7f7f5c3ca000-7f7f5c404000 r-xp 00000000 ca:41 6292213 /data/opensource_workspace/eager/libgd-2.2.5/src/.libs/libgd.so.3.0.5
7f7f5c404000-7f7f5c603000 ---p 0003a000 ca:41 6292213 /data/opensource_workspace/eager/libgd-2.2.5/src/.libs/libgd.so.3.0.5
../config/test-driver: line 107: 72065 Aborted (core dumped) "$@" > $log_file 2>&1
FAIL: jpeg/jpeg_ptr_double_free

It should have been my failure to restore the patch before.
Now the issue reappears.
Thank you very much.
