oss-sec mailing list archives
Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 5 Oct 2015 08:14:31 -0300
> Could you please share your fuzzed sample?
Sure! Please find attached the compressed test case as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the last version of Evolution will also produce a crash.

A detailed backtrace of the heap overflow is here:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:332
332	pixops.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:332
#1  _pixops_scale_real (interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST, scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2207
#2  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=6, dest_height=dest_height@entry=65532, dest_rowstride=24, dest_channels=4, dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "", src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=6, dest_region_height=dest_region_height@entry=4096, offset_x=offset_x@entry=-32768, offset_y=<optimized out>, scale_x=scale_x@entry=1, scale_y=scale_y@entry=1, interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST) at pixops.c:2285
#3  0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850, dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768, offset_y=<optimized out>, scale_x=1, scale_y=1, interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4  0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5  gif_main_loop (context=context@entry=0x6160e0) at io-gif.c:1424
#6  0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment (data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized out>) at io-gif.c:1610
#7  0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f2a0, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8  0x00007ffff7bc62b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f2a0, error=error@entry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9  0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>:	mov    (%r9),%r15d
(gdb) info registers
rax            0x7ffff7e4c010	140737352351760
rbx            0x80068000	2147909632
rcx            0x0	0
rdx            0x80008000	2147516416
rsi            0x7fffb599b010	140736240136208
rdi            0x7ffff7e4c010	140737352351760
rbp            0x80068000	0x80068000
rsp            0x7ffffffee130	0x7ffffffee130
r8             0x1000	4096
r9             0x7fffb597b028	140736240005160
r10            0x10000	65536
r11            0x80068000	2147909632
r12            0x4	4
r13            0x8000	32768
r14            0x80008000	2147516416
r15            0x7ffff7e4c010	140737352351760
rip            0x7ffff7bced38	0x7ffff7bced38 <_pixops_scale+1048>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

and the valgrind report:

==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040, 0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162==    at 0x4E4CD38: _pixops_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in /home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of /usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162==    at 0x4E4CD48: _pixops_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in /home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of /usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028, 0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)
> Thanks,
> Andreas
> --
> Andreas Stieger <astieger () suse com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Attachment: pixbuf_vuln_poc.c
Attachment: overflow.gif.gz
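The geometry that reaches gdk_pixbuf_scale in the backtrace above (offset_x=-32768, dest_height=65532, src_width=65519 with src_rowstride=262076, i.e. 65519 * 4) is frame geometry taken from the file, and the nearest-neighbour scaler then reads outside the source buffer. The following is an added example, not code from the original post, from the attached pixbuf_vuln_poc.c, or from gdk-pixbuf itself: a small stand-alone parser that walks a GIF up to its first image descriptor and refuses a frame whose rectangle does not fit inside the logical screen before any pixel buffer is allocated or scaled. The byte arrays are constructed for this example (they are not overflow.gif); the bad sample only borrows the magnitudes seen in the backtrace. Rejecting such a frame outright is a deliberately conservative policy chosen here; whether 2.32.1 fixes the bug this way is not stated in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Geometry recovered from the logical screen descriptor and the first image descriptor. */
typedef struct {
    uint16_t screen_w, screen_h;          /* logical screen size */
    uint16_t left, top, width, height;    /* first frame rectangle */
} gif_frame_t;

enum {
    GIF_OK            =  0,
    GIF_ERR_TRUNCATED = -1,   /* ran off the end of the buffer */
    GIF_ERR_MAGIC     = -2,   /* not GIF87a / GIF89a */
    GIF_ERR_BADBLOCK  = -3,   /* unknown block introducer */
    GIF_ERR_NO_IMAGE  = -4,   /* trailer seen before any image descriptor */
    GIF_ERR_BOUNDS    = -5    /* frame rectangle not inside the logical screen */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Reject empty frames and frames that do not fit the logical screen.
 * Sums are done in uint32_t, so two uint16_t values cannot wrap. */
int gif_frame_in_bounds(const gif_frame_t *f)
{
    if (f->width == 0 || f->height == 0) return 0;
    if ((uint32_t)f->left + f->width  > f->screen_w) return 0;
    if ((uint32_t)f->top  + f->height > f->screen_h) return 0;
    return 1;
}

/* Skip a chain of data sub-blocks: <len><len bytes> ... terminated by a 0 length byte. */
static int skip_subblocks(const uint8_t *buf, size_t len, size_t *pos)
{
    for (;;) {
        if (*pos >= len) return GIF_ERR_TRUNCATED;
        uint8_t n = buf[(*pos)++];
        if (n == 0) return GIF_OK;
        if (len - *pos < n) return GIF_ERR_TRUNCATED;
        *pos += n;
    }
}

/* Parse up to the first image descriptor and validate its geometry. */
int gif_first_frame(const uint8_t *buf, size_t len, gif_frame_t *out)
{
    size_t pos = 13;                      /* 6-byte signature + 7-byte logical screen descriptor */
    if (len < pos) return GIF_ERR_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return GIF_ERR_MAGIC;
    memset(out, 0, sizeof *out);
    out->screen_w = rd16le(buf + 6);
    out->screen_h = rd16le(buf + 8);
    uint8_t packed = buf[10];
    if (packed & 0x80) {                  /* global colour table: 3 * 2^(n+1) bytes */
        size_t gct = 3u * (1u << ((packed & 7) + 1));
        if (len - pos < gct) return GIF_ERR_TRUNCATED;
        pos += gct;
    }
    while (pos < len) {
        uint8_t intro = buf[pos++];
        switch (intro) {
        case 0x21: {                      /* extension: label byte + data sub-blocks */
            if (pos >= len) return GIF_ERR_TRUNCATED;
            pos++;
            int r = skip_subblocks(buf, len, &pos);
            if (r != GIF_OK) return r;
            break;
        }
        case 0x2C:                        /* image descriptor: left, top, width, height, packed */
            if (len - pos < 9) return GIF_ERR_TRUNCATED;
            out->left   = rd16le(buf + pos);
            out->top    = rd16le(buf + pos + 2);
            out->width  = rd16le(buf + pos + 4);
            out->height = rd16le(buf + pos + 6);
            return gif_frame_in_bounds(out) ? GIF_OK : GIF_ERR_BOUNDS;
        case 0x3B:                        /* trailer */
            return GIF_ERR_NO_IMAGE;
        default:
            return GIF_ERR_BADBLOCK;
        }
    }
    return GIF_ERR_TRUNCATED;
}

/* Status-only wrapper. */
int gif_check(const uint8_t *buf, size_t len)
{
    gif_frame_t f;
    return gif_first_frame(buf, len, &f);
}

/* Constructed inputs for this example (not the attached overflow.gif). */
/* 2x2 screen, 2-entry global colour table, graphic control extension, 2x2 frame at (0,0). */
const uint8_t sample_ok[] = {
    'G','I','F','8','9','a',  0x02,0x00, 0x02,0x00, 0x80, 0x00, 0x00,
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,
    0x21,0xF9, 0x04, 0x00,0x00,0x00,0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x02,0x00, 0x02,0x00, 0x00
    /* LZW image data would follow; the parser stops at the descriptor */
};
/* 16x16 screen but frame left=0x8000, width=65519, height=65532: magnitudes from the backtrace. */
const uint8_t sample_bad[] = {
    'G','I','F','8','9','a',  0x10,0x00, 0x10,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x00,0x80, 0x00,0x00, 0xEF,0xFF, 0xFC,0xFF, 0x00
};
/* Cut off inside the logical screen descriptor. */
const uint8_t sample_short[] = { 'G','I','F','8','9','a', 0x10,0x00, 0x10 };

int main(void)
{
    printf("sample_ok    -> %d\n", gif_check(sample_ok,    sizeof sample_ok));
    printf("sample_bad   -> %d\n", gif_check(sample_bad,   sizeof sample_bad));
    printf("sample_short -> %d\n", gif_check(sample_short, sizeof sample_short));
    return 0;
}
```

The point of doing the check on the raw descriptor values is that it happens before width * channels is turned into a rowstride and before any destination buffer is sized from it; a loader that prefers to clip oversized frames instead of rejecting them still needs the same comparison, done in a wider type, before it hands offsets and sizes to a scaler.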
Current thread:
- CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)
- Re: Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Yann Droneaud (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 cve-assign (Oct 02)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Andreas Stieger (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)