
Uninitialized read in gdImageCreateFromXbm (CVE-2019-11038) #501

Closed
carnil opened this issue May 31, 2019 · 3 comments

Comments

@carnil

carnil commented May 31, 2019

There is a GD related issue fixed in PHP (7.1.30, 7.2.19 and 7.3.6) which was assigned CVE-2019-11038 and is in the PHP bug https://bugs.php.net/bug.php?id=77973 .

Filing the issue for the correlated issue in the libgd library itself.

mejo- added a commit to mejo-/libgd that referenced this issue Jun 11, 2019
…1038)

Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
Bug-Debian: https://bugs.debian.org/929821
Bug: libgd#501

We have to ensure that `sscanf()` does indeed read a hex value here,
and bail out otherwise.

Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
@mejo-
Contributor

mejo- commented Jun 11, 2019

While working on a security update of libgd for Debian, I prepared a patch to fix this CVE based on the PHP gd patch. You can find it in PR #503.

Here's a simple reproducer:

  1. Create an xbm file that triggers the bug:

    printf "23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a" | xxd -r -p - github_bug_501.xbm
  2. A simple C reproducer:

    #include "gd.h"
    #include <stdio.h>

    int main(void) {
        gdImagePtr im;
        FILE *xbm_in;

        /* the crafted file produced in step 1 */
        xbm_in = fopen("github_bug_501.xbm", "rb");
        if (xbm_in == NULL) {
            perror("fopen");
            return 1;
        }
        im = gdImageCreateFromXbm(xbm_in);
        fclose(xbm_in);

        gdImageDestroy(im);
        return 0;
    }

Unfortunately I failed to create a test for this bug (under tests/xbm). If I understand it correctly, we only could test for the error message after gdImageCreateFromXbm, but I don't know how to do that. At least, gdTest doesn't provide functions for that. A simple im == NULL assertion won't help as that would be true both with and without this fix.
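To make the defect and the fix concrete, here is an added example that is not libgd's code and not part of this thread: a simplified stand-in for the part of an XBM reader that pulls the two characters after each `x` and converts them with `sscanf("%x")`. The function names (`parse_xbm_bytes`, `parse_xbm_file`, `xbm_byte_count`) and the constant `REPRODUCER_XBM` (the decoded text of the crafted file from step 1) are constructed for this example. The point is the check on the return value of `sscanf()`: without it, a non-hex token such as `zz` leaves `b` uninitialized and the caller consumes whatever was on the stack; with it, the reader bails out and the caller gets an error it can assert on.

```c
/* Added example, not libgd's code: a minimal XBM bits[] reader that shows
 * the sscanf() return-value check behind the CVE-2019-11038 fix. */
#include <stdio.h>
#include <string.h>

/* Constructed input: the decoded bytes of the thread's github_bug_501.xbm.
 * After the '{' the reader expects "0x.." byte literals but finds "zzxzz". */
static const char REPRODUCER_XBM[] =
    "#define width 2\n#define height 2\nstatic char bits[] ={\nzzxzz";

/* Number of bytes an XBM image of the given size carries (rows are padded to 8 bits). */
size_t xbm_byte_count(int width, int height)
{
    return (size_t)((width + 7) / 8) * (size_t)height;
}

/* Parse up to `max` byte values from the body of the bits[] array, taking the
 * two characters after each 'x' as a hex byte. Returns the number of bytes
 * parsed, or -1 on malformed or truncated input. */
int parse_xbm_bytes(const char *body, unsigned char *out, size_t max)
{
    size_t n = 0;
    const char *p = body;

    while (n < max) {
        /* find the next 'x' that introduces a "0x.." literal */
        while (*p != '\0' && *p != 'x')
            p++;
        if (*p == '\0')
            return -1;                       /* ran out of data before `max` bytes */
        p++;

        char h[3] = { p[0], p[0] ? p[1] : '\0', '\0' };
        unsigned int b;                      /* left uninitialized on purpose: this is the variable at issue */

        /* This is the check the fix adds: without it, a token like "zz" fails to
         * match and `b` is used uninitialized. With it, we bail out instead. */
        if (sscanf(h, "%x", &b) != 1)
            return -1;

        out[n++] = (unsigned char)b;
        if (h[0]) p++;
        if (h[1]) p++;
    }
    return (int)n;
}

/* Locate the '{' that opens the bits[] array and parse `max` bytes after it. */
int parse_xbm_file(const char *text, unsigned char *out, size_t max)
{
    const char *open = strchr(text, '{');
    if (open == NULL)
        return -1;
    return parse_xbm_bytes(open + 1, out, max);
}

int main(void)
{
    unsigned char buf[8];
    int rc = parse_xbm_file(REPRODUCER_XBM, buf, xbm_byte_count(2, 2));
    printf("crafted file: %s\n", rc < 0 ? "rejected (invalid hex token)" : "accepted");

    const char *good = "#define width 2\n#define height 2\nstatic char bits[] = {\n0x01, 0x80 };";
    rc = parse_xbm_file(good, buf, xbm_byte_count(2, 2));
    printf("well-formed file: %d bytes, first 0x%02x\n", rc, buf[0]);
    return 0;
}
```

Because the hardened reader returns an error code rather than silently consuming garbage, a regression test can assert on the return value for the crafted input instead of relying on the error message, which is the gap described in the comment above.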

@pgajdos

pgajdos commented Jul 16, 2019

Note that the test case will segfault in gdImageDestroy() even AFTER, as gdImageCreateFromXbm() returns 0 in case of failure.

wang0z pushed a commit to wang0z/libgd that referenced this issue Aug 15, 2019
@wang0z
Contributor

wang0z commented Aug 15, 2019

PR #506 is the test case for the CVE. The CI shows it failed because master has not merged the fix. The case itself is no problem.

wang0z pushed a commit to wang0z/libgd that referenced this issue Aug 23, 2019
When using gdImageCreateFromXbm() it is possible to supply data that
will cause the function to use the value of uninitialized variable.
wang0z pushed a commit to wang0z/libgd that referenced this issue Aug 26, 2019
@vapier vapier closed this as completed in e13a342 Sep 2, 2019
vapier pushed a commit that referenced this issue Sep 2, 2019