List: oss-security
Subject: [oss-security] CVE Request: Buffer overflow in global memory affecting optipng 0.7.5
From: Gustavo Grieco <gustavo.grieco () gmail ! com>
Date: 2015-09-23 12:05:09
Message-ID: CACn5sdQ+sMDwN2CwzSzAXnjFvHjHOx1aAbfADeJTgrxt0W-1BQ () mail ! gmail ! com
Hi,
We found a buffer overflow in global memory affecting optipng 0.7.5 using a
gif file. Upstream was notified. Find attached the test case in case
someone wants to provide some feedback. ASAN report is here:
$ ./optipng g.gif.-1694659802519428239
** Processing: g.gif.-1694659802519428239
Warning: Bogus data in GIF
=================================================================
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
#0 0x46d24a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
#1 0x46d724
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
#2 0x46cfe8
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
#3 0x46cbde
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cbde)
#4 0x46c35b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46c35b)
#5 0x41c013
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x41c013)
#6 0x418878
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x418878)
#7 0x408c9a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x408c9a)
#8 0x40c309
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40c309)
#9 0x40e7c5
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40e7c5)
#10 0x404f3b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x404f3b)
#11 0x40503d
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40503d)
#12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#13 0x401848
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x401848)
0x00000069541e is located 58 bytes to the right of global variable
'last_byte (gifread.c)' (0x6953e0) of size 4
'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer
(gifread.c)' (0x695420) of size 280
'buffer (gifread.c)' is ascii string ''
Shadow bytes around the buggy address:
0x0000800caa30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000800caa40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000800caa50: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000800caa60: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000800caa70: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000800caa80: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
0x0000800caa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800caaa0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000800caab0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000800caac0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000800caad0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==11221== ABORTING
Regards,
Gustavo.
["g.gif.-1694659802519428239" (application/octet-stream)]
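As an added illustration that is not optipng's code, the following constructed C model reproduces the shape of the report: a 280-byte global 'buffer' and a global 'last_byte' in a GIF LZW sub-block reader, where a size-1 read at buffer[-2] appears once a bogus block leaves last_byte at 0, next to a refill that checks the counter first. The carry-over of the previous block's last two bytes and all function names are assumptions about the reader's structure, not taken from the page.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not optipng's gifread.c): the two globals ASan names,
 * a 280-byte code buffer and a last_byte counter, plus the classic LZW
 * reader step that carries the previous block's last two bytes forward. */
static unsigned char buffer[280];
static int last_byte;           /* zero-initialised: nothing loaded yet */

/* Copy one GIF data sub-block (at most 255 bytes) into buffer[2..]. */
void load_block(const unsigned char *blk, size_t len)
{
    if (len > 255)
        len = 255;
    memcpy(buffer + 2, blk, len);
    last_byte = 2 + (int)len;
}

/* Unchecked refill.  If a bogus or empty block left last_byte at 0,
 * buffer[last_byte - 2] reads 2 bytes before the array: a 1-byte READ in
 * the global redzone left of 'buffer', the shape of the report above. */
int refill_unchecked(const unsigned char *blk, size_t len)
{
    buffer[0] = buffer[last_byte - 2];
    buffer[1] = buffer[last_byte - 1];
    load_block(blk, len);
    return last_byte;
}

/* Hardened refill: only carry bytes over when two are really there. */
int refill_checked(const unsigned char *blk, size_t len)
{
    if (last_byte < 2 || last_byte > (int)sizeof buffer)
        return -1;              /* bogus state: caller should stop decoding */
    return refill_unchecked(blk, len);
}

int main(void)
{
    static const unsigned char blk[3] = { 0x41, 0x42, 0x43 }; /* constructed */
    int first = refill_checked(blk, 3);   /* -1: last_byte is still 0 */
    load_block(blk, 3);
    int second = refill_checked(blk, 3);  /* 5: buffer[0..1] now 0x42 0x43 */
    return (first == -1 && second == 5) ? 0 : 1;
}
```

Built with -fsanitize=address, calling refill_unchecked with last_byte == 0 produces the same global-buffer-overflow READ of size 1 two bytes left of 'buffer' that the report shows.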