oss-sec mailing list archives
CVE Request: Buffer overflow in global memory affecting optipng 0.7.5
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Wed, 23 Sep 2015 09:05:09 -0300
Hi,

We found a buffer overflow in global memory affecting optipng 0.7.5 using a gif file. Upstream was notified. Find attached the test case in case someone wants to provide some feedback.

ASAN report is here:

$ ./optipng g.gif.-1694659802519428239
** Processing: g.gif.-1694659802519428239
Warning: Bogus data in GIF
=================================================================
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #2 0x46cfe8 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
    #3 0x46cbde (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cbde)
    #4 0x46c35b (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46c35b)
    #5 0x41c013 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x41c013)
    #6 0x418878 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x418878)
    #7 0x408c9a (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x408c9a)
    #8 0x40c309 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40c309)
    #9 0x40e7c5 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40e7c5)
    #10 0x404f3b (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x404f3b)
    #11 0x40503d (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40503d)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x401848 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x401848)
0x00000069541e is located 58 bytes to the right of global variable 'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer (gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
Shadow bytes around the buggy address:
  0x0000800caa30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa50: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa60: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa70: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000800caa80: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caaa0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caab0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caac0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caad0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11221== ABORTING

Regards,
Gustavo.
Attachment:
g.gif.-1694659802519428239
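An added triage helper, not part of Gustavo's post or of the optipng project: it parses the ASan report quoted above into structured fields, cross-checks the "N bytes to the left/right of global variable" text against the raw addresses, and names the global the faulting address is closest to. For the report above that is 'buffer (gifread.c)' at offset -2, i.e. a one-byte read two bytes before the start of the 280-byte global, which is what a maintainer would want to know before opening gifread.c. The sample input is a trimmed copy of the report (stack frames truncated) embedded for offline use; the regexes match the classic ASan output format shown in the post and are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan report quoted in the post, with the stack
# frames truncated to two so the block stays short.
SAMPLE_REPORT = """\
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724 (/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
0x00000069541e is located 58 bytes to the right of global variable 'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer (gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
==11221== ABORTING
"""

@dataclass
class GlobalRef:
    name: str          # variable name, e.g. "buffer"
    source_file: str   # defining file ASan printed in parentheses, e.g. "gifread.c"
    address: int       # start address of the global
    size: int          # size in bytes
    distance: int      # bytes between the faulting address and this global, as reported
    side: str          # the fault is to the "left" or "right" of the global

@dataclass
class AsanReport:
    pid: int
    error_kind: str    # e.g. "global-buffer-overflow"
    address: int       # faulting address
    access: str        # "READ" or "WRITE"
    access_size: int
    frames: List[str] = field(default_factory=list)
    globals_nearby: List[GlobalRef] = field(default_factory=list)

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)== ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) \((?P<loc>[^)]+)\)")
GLOBAL_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of global variable '(?P<name>[^ ']+) \((?P<file>[^)]+)\)' \((?P<gaddr>0x[0-9a-f]+)\) of size (?P<size>\d+)")

def parse_asan_report(text: str) -> AsanReport:
    """Extract the triage-relevant fields; program output before the ERROR header is ignored."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m["pid"]), error_kind=m["kind"],
                                address=int(m["addr"], 16), access="", access_size=0)
            continue
        if report is None:
            continue
        if (m := ACCESS_RE.match(line)):
            report.access, report.access_size = m["access"], int(m["size"])
        elif (m := FRAME_RE.match(line)):
            report.frames.append(m["loc"])
        elif (m := GLOBAL_RE.match(line)):
            report.globals_nearby.append(GlobalRef(
                name=m["name"], source_file=m["file"], address=int(m["gaddr"], 16),
                size=int(m["size"]), distance=int(m["dist"]), side=m["side"]))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report

def distances_consistent(report: AsanReport) -> bool:
    """Recompute each 'N bytes to the left/right' claim from the addresses and compare."""
    for g in report.globals_nearby:
        if g.side == "right":
            expected = report.address - (g.address + g.size)   # past the end of the global
        else:
            expected = g.address - report.address              # before the start of the global
        if expected != g.distance:
            return False
    return True

def nearest_global(report: AsanReport) -> GlobalRef:
    """The global the faulting address is closest to is the likeliest mis-indexed object."""
    return min(report.globals_nearby, key=lambda g: g.distance)

def offset_into(g: GlobalRef, address: int) -> int:
    """Byte offset of an address relative to the start of a global (negative = before it)."""
    return address - g.address

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    victim = nearest_global(r)
    print(f"pid {r.pid}: {r.error_kind}, {r.access} of {r.access_size} byte(s) at {r.address:#x}")
    print(f"distances consistent with addresses: {distances_consistent(r)}")
    print(f"closest global: {victim.name} ({victim.source_file}), offset {offset_into(victim, r.address)}")
```

Feeding the full report to `parse_asan_report` gives the same result with all 14 frames kept; the frame locations are unsymbolized module+offset strings, so resolving them to gifread.c lines still needs the binary with debug info.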