oss-sec mailing list archives
Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 5 Oct 2015 08:14:31 -0300
Could you please share you fuzzed sample?
Sure!, please find attached the compressed test case as well as a minimal
example of a vulnerable program: it is just a call to
gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the
last version of Evolution will also produce a crash.
A detailed backtrace of the heap overflow is here:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>,
src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
332 pixops.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized
out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24,
render_y1=<optimized out>,
render_x1=6, render_y0=<optimized out>, render_x0=0,
dest_buf=<optimized out>) at pixops.c:332
#1 _pixops_scale_real (interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST,
scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4,
src_rowstride=262076, src_height=4096, src_width=65519,
src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4,
dest_rowstride=24, render_y1=<optimized out>, render_x1=6,
render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at
pixops.c:2207
#2 _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=6,
dest_height=dest_height@entry=65532, dest_rowstride=24, dest_channels=4,
dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "",
src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4,
src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0,
dest_region_width=dest_region_width@entry=6,
dest_region_height=dest_region_height@entry=4096,
offset_x=offset_x@entry=-32768, offset_y=<optimized out>,
scale_x=scale_x@entry=1,
scale_y=scale_y@entry=1,
interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST)
at pixops.c:2285
#3 0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850,
dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768,
offset_y=<optimized out>, scale_x=1, scale_y=1,
interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4 0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5 gif_main_loop (context=context@entry=0x6160e0) at io-gif.c:1424
#6 0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment
(data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized
out>)
at io-gif.c:1610
#7 0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module
(loader=loader@entry=0x60f2a0,
image_type=image_type@entry=0x0,
error=error@entry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8 0x00007ffff7bc62b8 in gdk_pixbuf_loader_close
(loader=loader@entry=0x60f2a0,
error=error@entry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9 0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>,
height=<optimized out>,
preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at
gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>: mov (%r9),%r15d
(gdb) info registers
rax 0x7ffff7e4c010 140737352351760
rbx 0x80068000 2147909632 <callto:2147909632>
rcx 0x0 0
rdx 0x80008000 2147516416 <callto:2147516416>
rsi 0x7fffb599b010 140736240136208
rdi 0x7ffff7e4c010 140737352351760
rbp 0x80068000 0x80068000
rsp 0x7ffffffee130 0x7ffffffee130
r8 0x1000 4096
r9 0x7fffb597b028 140736240005160
r10 0x10000 65536
r11 0x80068000 2147909632 <callto:2147909632>
r12 0x4 4
r13 0x8000 32768
r14 0x80008000 2147516416 <callto:2147516416>
r15 0x7ffff7e4c010 140737352351760
rip 0x7ffff7bced38 0x7ffff7bced38 <_pixops_scale+1048>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
and the valgrind report:
==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040,
0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162== at 0x4E4CD38: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162== Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162== at 0x4E4CD48: _pixops_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E44A2C: gdk_pixbuf_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x74B540A: gif_main_loop (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162== by 0x4E43A44: gdk_pixbuf_loader_load_module (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E442B7: gdk_pixbuf_loader_close (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in
/usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162== by 0x400837: main (in
/home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162== Address 0x39fee058 is in the BSS segment of
/usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028,
0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)
Thanks, Andreas -- Andreas Stieger <astieger () suse com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
21284 (AG Nürnberg)
Attachment:
pixbuf_vuln_poc.c
Description:
Attachment:
overflow.gif.gz
Description:
Current thread:
- CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)
- Re: Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Yann Droneaud (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 cve-assign (Oct 02)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Andreas Stieger (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 05)
- Re: CVE request: Heap overflow with a gif file in gdk-pixbuf < 2.32.1 Gustavo Grieco (Oct 01)