
List:       oss-security
Subject:    [oss-security] CVE Request: Buffer overflow in global memory affecting optipng 0.7.5
From:       Gustavo Grieco <gustavo.grieco () gmail ! com>
Date:       2015-09-23 12:05:09
Message-ID: CACn5sdQ+sMDwN2CwzSzAXnjFvHjHOx1aAbfADeJTgrxt0W-1BQ () mail ! gmail ! com



Hi,

We found a buffer overflow in global memory affecting optipng 0.7.5 using a
gif file. Upstream was notified. Find attached the test case in case
someone wants to provide some feedback. ASAN report is here:

$ ./optipng g.gif.-1694659802519428239

** Processing: g.gif.-1694659802519428239
Warning: Bogus data in GIF
=================================================================
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #2 0x46cfe8
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
    #3 0x46cbde
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cbde)
    #4 0x46c35b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46c35b)
    #5 0x41c013
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x41c013)
    #6 0x418878
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x418878)
    #7 0x408c9a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x408c9a)
    #8 0x40c309
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40c309)
    #9 0x40e7c5
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40e7c5)
    #10 0x404f3b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x404f3b)
    #11 0x40503d
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40503d)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x401848
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x401848)
0x00000069541e is located 58 bytes to the right of global variable
'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer
(gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
Shadow bytes around the buggy address:
  0x0000800caa30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa50: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa60: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa70: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000800caa80: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caaa0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caab0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caac0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caad0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11221== ABORTING

Regards,
Gustavo.
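Added worked example (not part of Gustavo's report or of the optipng project): the trace above is unsymbolized, and ASan prints only module-relative offsets, so the first triage step is mapping those offsets back to gifread.c. The helpers below take frame lines in the format of the report (embedded here as a constructed sample, with the archive's line-wrapping undone), print one addr2line invocation per module, and reproduce ASan's own arithmetic: the x86_64 shadow address, (addr >> 3) + 0x7fff8000, which lands exactly on the [f9] byte in the dump, and the distances to the two neighbouring globals. The optipng path, offsets and addresses are taken from the report; addr2line needs the same unstripped ASan build, ideally compiled with -g.

```shell
#!/bin/sh
# Added example: helpers for triaging an unsymbolized ASan report.
# Not code from the report or from optipng.

# Constructed sample: four frame lines and the "located" line copied from
# the report above, with the archive's line wrapping undone.
ASAN_SAMPLE=$(cat <<'EOF'
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #2 0x46cfe8 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x00000069541e is located 2 bytes to the left of global variable 'buffer (gifread.c)' (0x695420) of size 280
EOF
)

# asan_frames: read a report on stdin, print "module offset" for each
# stack frame. ASan's "(module+0xoff)" offset is relative to the module's
# load base, which is exactly what addr2line -e wants.
asan_frames() {
  awk 'match($0, /#[0-9]+ 0x[0-9a-f]+ \(.*\+0x[0-9a-f]+\)/) {
    s = substr($0, RSTART, RLENGTH)
    sub(/^#[0-9]+ 0x[0-9a-f]+ \(/, "", s); sub(/\)$/, "", s)
    i = match(s, /\+0x[0-9a-f]+$/)
    print substr(s, 1, i - 1), substr(s, i + 1)
  }'
}

# asan_addr2line_cmds: group frame offsets by module (first-seen order)
# and print one addr2line command per module. -f prints the function,
# -p pretty-prints "func at file:line", -C demangles.
asan_addr2line_cmds() {
  asan_frames | awk '{
    if (!($1 in offs)) order[++n] = $1
    offs[$1] = offs[$1] " " $2
  } END {
    for (i = 1; i <= n; i++)
      print "addr2line -f -p -C -e " order[i] offs[order[i]]
  }'
}

# asan_shadow_addr ADDR: shadow byte address for an application address
# on x86_64 Linux (one shadow byte per 8 application bytes, offset
# 0x7fff8000). Lets you check which byte in the shadow dump is bracketed.
asan_shadow_addr() {
  printf '0x%x\n' $(( ($1 >> 3) + 0x7fff8000 ))
}

# asan_gap ADDR START SIZE: where ADDR lies relative to a variable that
# starts at START and is SIZE bytes long. Reproduces the "located N bytes
# to the left/right of" lines so the report's arithmetic can be checked.
asan_gap() {
  a=$(( $1 )); s=$(( $2 )); e=$(( $2 + $3 ))
  if [ "$a" -ge "$e" ]; then
    echo "$(( a - e )) bytes to the right"
  elif [ "$a" -lt "$s" ]; then
    echo "$(( s - a )) bytes to the left"
  else
    echo "inside the variable"
  fi
}

# Demo on the constructed sample and the addresses from the report.
printf '%s\n' "$ASAN_SAMPLE" | asan_addr2line_cmds
asan_shadow_addr 0x69541e             # 0x800caa83: the [f9] byte in the dump
asan_gap 0x69541e 0x6953e0 4          # last_byte: 58 bytes to the right
asan_gap 0x69541e 0x695420 280        # buffer:    2 bytes to the left
```

Running the same build with ASAN_OPTIONS=symbolize=1 and llvm-symbolizer on PATH (or ASAN_SYMBOLIZER_PATH pointing at it) gives the symbolized trace directly and skips the addr2line step. Reading the shadow dump the same way: f9 at the faulting address is a global redzone, the 04 bytes around it are 4-byte globals such as last_byte that fill only half of an 8-byte shadow granule, and the run of 00 that starts one byte later is the 280-byte buffer. So the 1-byte read 2 bytes before buffer hit the padding between two globals rather than another object, which is why it is a read of uninitialised redzone under ASan and a silent read of a neighbouring global in a normal build.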



["g.gif.-1694659802519428239" (application/octet-stream)]
