Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 23 Sep 2015 09:05:09 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Buffer overflow in global memory affecting optipng 0.7.5

Hi,

We found a buffer overflow in global memory affecting optipng 0.7.5 using a
gif file. Upstream was notified. Find attached the test case in case
someone wants to provide some feedback. ASAN report is here:
$ ./optipng g.gif.-1694659802519428239

** Processing: g.gif.-1694659802519428239
Warning: Bogus data in GIF
=================================================================
==11221== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000069541e at pc 0x46d24b bp 0x7fffffffaee0 sp 0x7fffffffaed8
READ of size 1 at 0x00000069541e thread T0
    #0 0x46d24a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d24a)
    #1 0x46d724
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46d724)
    #2 0x46cfe8
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cfe8)
    #3 0x46cbde
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46cbde)
    #4 0x46c35b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x46c35b)
    #5 0x41c013
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x41c013)
    #6 0x418878
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x418878)
    #7 0x408c9a
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x408c9a)
    #8 0x40c309
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40c309)
    #9 0x40e7c5
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40e7c5)
    #10 0x404f3b
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x404f3b)
    #11 0x40503d
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x40503d)
    #12 0x7ffff4aa7ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #13 0x401848
(/home/vagrant/repos/optipng-0.7.5/src/optipng/optipng+0x401848)
0x00000069541e is located 58 bytes to the right of global variable
'last_byte (gifread.c)' (0x6953e0) of size 4
  'last_byte (gifread.c)' is ascii string ''
0x00000069541e is located 2 bytes to the left of global variable 'buffer
(gifread.c)' (0x695420) of size 280
  'buffer (gifread.c)' is ascii string ''
Shadow bytes around the buggy address:
  0x0000800caa30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800caa50: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa60: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caa70: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000800caa80: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800caaa0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caab0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caac0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800caad0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11221== ABORTING

Regards,
Gustavo.

Content of type "text/html" skipped

Download attachment "g.gif.-1694659802519428239" of type "application/octet-stream" (1133 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.