oss-sec mailing list archives
Re: CVE request: Heap overflow and DoS with a tga file in gdk-pixbuf < 2.32.1
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 5 Oct 2015 08:10:39 -0300
2015-10-05 7:18 GMT-03:00 Andreas Stieger <astieger () suse com>:
> Hello,
>
> On 10/01/2015 04:56 PM, Gustavo Grieco wrote:
>> Do you also need a crasher and a stack trace?
>
> Could you make them available please?
Sure! Please find attached the two test cases as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size. Also, a detailed backtrace of the heap overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974
(gdb) bt
#0  scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1  0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>, render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>, render_y1=<optimized out>, dest_rowstride=<optimized out>, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0, check_size=0, color1=0, color2=0, filter=0x7ffffffedc90, line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0 <scale_pixel>) at pixops.c:1366
#2  0x00002aaaaace5f09 in _pixops_scale_real (interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry=PIXOPS_INTERP_NEAREST, scale_y=0,0068091545299791946, scale_x=0,0068060281964025283, src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435, src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1, dest_channels=4, dest_rowstride=616, render_y1=<optimized out>, render_x1=154, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2230
#3  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154, dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=154, dest_region_height=dest_region_height@entry=180, offset_x=offset_x@entry=0, offset_y=<optimized out>, scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry=0,0068091545299791946, interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4  0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050, dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0, offset_y=<optimized out>, scale_x=0,0068060281964025283, scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:147
#5  0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@entry=0x618000, dest_width=154, dest_height=dest_height@entry=180, interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:321
#6  0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440, pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7  0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe36b "overflow.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at gdk-pixbuf-io.c:1377
#8  0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>:  movzbl 0x3(%rcx),%edx
(gdb) info registers
rax     0x0              0
rbx     0x94             148
rcx     0x2aaa2d6d51c4   46910394945988
rdx     0x0              0
rsi     0x4              4
rdi     0x2aab3c468c10   46914939030544
rbp     0x2aab3c468e60   0x2aab3c468e60
rsp     0x7ffffffeda18   0x7ffffffeda18
r8      0x0              0
r9      0x0              0
r10     0x0              0
r11     0x0              0
r12     0x0              0
r13     0x63ce60         6540896
r14     0x2aab3c468c10   46914939030544
r15     0x94             148
rip     0x2aaaaace3dd0   0x2aaaaace3dd0 <scale_line+448>
eflags  0x10202          [ IF RF ]
cs      0x33             51
ss      0x2b             43
ds      0x0              0
es      0x0              0
fs      0x0              0
gs      0x0              0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
367
(gdb) bt
#0  0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
#1  parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2  gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>, size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3  0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f200, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4  0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f200, error=error@entry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5  0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe370 "DoS.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at gdk-pixbuf-io.c:1372
#6  0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>:  mov 0x8(%rdx),%rdx
(gdb) info registers
rax     0x6163e0         6382560
rbx     0x614ca0         6376608
rcx     0x7              7
rdx     0x0              0
rsi     0x611b02         6363906
rdi     0x618000         6389760
rbp     0x7ffffffede28   0x7ffffffede28
rsp     0x7ffffffedd80   0x7ffffffedd80
r8      0x616200         6382080
r9      0x6163e7         6382567
r10     0x8              8
r11     0x2aaaaaf05c10   46912500685840
r12     0x0              0
r13     0x0              0
r14     0x15             21
r15     0xb              11
rip     0x2aaaacf4c384   0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>
eflags  0x10202          [ IF RF ]
cs      0x33             51
ss      0x2b             43
ds      0x0              0
es      0x0              0
fs      0x0              0
gs      0x0              0
> Thanks,
> Andreas
>
> --
> Andreas Stieger <astieger () suse com>
> Project Manager Security
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Attachments:
- overflow.tga.gz
- DoS.tga.gz
- pixbuf_vuln_poc.c
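Added example, not the pixbuf_vuln_poc.c attached to the mail and not gdk-pixbuf code: both crashes above are reached from a single gdk_pixbuf_new_from_file_at_size call, one in the pseudocolor row parser of the TGA loader and one in the scaler working on a 22627 x 26435 source. A caller that accepts untrusted TGA files can at least parse the 18-byte TGA header itself and refuse inconsistent or oversized images before the library ever sees them. The three sample headers are constructed; the 22627 x 26435 dimensions are the src_width/src_height from the overflow backtrace, the pixel budget is an assumed local policy, and nothing here claims to be the root cause of either bug.

```c
/* Added example (not the mail's PoC, not gdk-pixbuf code): parse the 18-byte
 * TGA header and reject files a caller should not hand to an image library.
 * Sample headers below are constructed; the pixel budget is an assumed policy. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TGA_HEADER_LEN 18

enum tga_verdict {
    TGA_OK            =  0,
    TGA_ERR_SHORT     = -1,  /* fewer than 18 bytes available */
    TGA_ERR_ZERO_DIM  = -2,  /* width or height is 0 */
    TGA_ERR_TOO_BIG   = -3,  /* width * height exceeds the caller's budget */
    TGA_ERR_NO_CMAP   = -4,  /* pseudocolor image without a usable color map */
    TGA_ERR_CMAP_BITS = -5,  /* color map entry size not 15/16/24/32 */
    TGA_ERR_DEPTH     = -6   /* pixel depth not 8/16/24/32, or wrong for the type */
};

typedef struct {
    uint8_t  id_len, cmap_type, image_type;
    uint16_t cmap_first, cmap_len;
    uint8_t  cmap_entry_bits;
    uint16_t x_origin, y_origin, width, height;
    uint8_t  bpp, descriptor;
} tga_header;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Fill *h from the first 18 bytes of buf; multi-byte fields are little-endian. */
int tga_parse_header(const uint8_t *buf, size_t len, tga_header *h)
{
    if (len < TGA_HEADER_LEN) return TGA_ERR_SHORT;
    h->id_len          = buf[0];
    h->cmap_type       = buf[1];
    h->image_type      = buf[2];
    h->cmap_first      = le16(buf + 3);
    h->cmap_len        = le16(buf + 5);
    h->cmap_entry_bits = buf[7];
    h->x_origin        = le16(buf + 8);
    h->y_origin        = le16(buf + 10);
    h->width           = le16(buf + 12);
    h->height          = le16(buf + 14);
    h->bpp             = buf[16];
    h->descriptor      = buf[17];
    return TGA_OK;
}

/* Consistency checks on a parsed header; max_pixels is the caller's budget. */
int tga_check_header(const tga_header *h, size_t max_pixels)
{
    /* image types 1 (uncompressed) and 9 (RLE) are color-mapped */
    int pseudocolor = (h->image_type == 1 || h->image_type == 9);

    if (h->width == 0 || h->height == 0) return TGA_ERR_ZERO_DIM;
    /* uint16 * uint16 always fits in size_t, so this product cannot wrap */
    if ((size_t)h->width * (size_t)h->height > max_pixels) return TGA_ERR_TOO_BIG;

    if (pseudocolor) {
        /* every pixel is an index into the color map, so the map must exist */
        if (h->cmap_type != 1 || h->cmap_len == 0) return TGA_ERR_NO_CMAP;
        if (h->cmap_entry_bits != 15 && h->cmap_entry_bits != 16 &&
            h->cmap_entry_bits != 24 && h->cmap_entry_bits != 32)
            return TGA_ERR_CMAP_BITS;
        if (h->bpp != 8) return TGA_ERR_DEPTH;
    } else if (h->bpp != 8 && h->bpp != 16 && h->bpp != 24 && h->bpp != 32) {
        return TGA_ERR_DEPTH;
    }
    return TGA_OK;
}

/* One-call front end: parse, then check. */
int tga_prevalidate(const uint8_t *buf, size_t len, size_t max_pixels)
{
    tga_header h;
    int rc = tga_parse_header(buf, len, &h);
    return rc != TGA_OK ? rc : tga_check_header(&h, max_pixels);
}

/* Constructed sample headers, field order: id_len, cmap_type, image_type,
 * cmap_first[2], cmap_len[2], cmap_entry_bits, x_origin[2], y_origin[2],
 * width[2], height[2], bpp, descriptor. */
const uint8_t TGA_SAMPLE_OK[TGA_HEADER_LEN] =       /* 4x4 pseudocolor, 2-entry 24-bit map */
    { 0, 1, 1, 0,0, 2,0, 24, 0,0, 0,0, 4,0, 4,0, 8, 0 };
const uint8_t TGA_SAMPLE_NO_CMAP[TGA_HEADER_LEN] =  /* pseudocolor, but no color map declared */
    { 0, 0, 1, 0,0, 0,0, 0, 0,0, 0,0, 4,0, 4,0, 8, 0 };
const uint8_t TGA_SAMPLE_HUGE[TGA_HEADER_LEN] =     /* 22627x26435 truecolor, 32 bpp */
    { 0, 0, 2, 0,0, 0,0, 0, 0,0, 0,0, 0x63,0x58, 0x43,0x67, 32, 8 };

#define PIXEL_BUDGET ((size_t)1 << 26)  /* assumed policy: 64 Mpixel per image */

int main(void)
{
    printf("sane header:  %d\n", tga_prevalidate(TGA_SAMPLE_OK, TGA_HEADER_LEN, PIXEL_BUDGET));
    printf("no color map: %d\n", tga_prevalidate(TGA_SAMPLE_NO_CMAP, TGA_HEADER_LEN, PIXEL_BUDGET));
    printf("oversized:    %d\n", tga_prevalidate(TGA_SAMPLE_HUGE, TGA_HEADER_LEN, PIXEL_BUDGET));
    return 0;
}
```

The check runs on the first 18 bytes only, so it can sit in front of any loader without reading the whole file; a rejected header means the file never reaches gdk_pixbuf_new_from_file_at_size at all. It is a filter, not a fix: a header that passes can still carry malformed pixel or color-map data, so updating to gdk-pixbuf 2.32.1 remains the actual mitigation.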