| From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001 |
| From: "Christoph M. Becker" <cmbecker69@gmx.de> |
| Date: Tue, 16 Aug 2016 16:26:19 +0200 |
| Subject: [PATCH] Fix OOB reads of the TGA decompression buffer |
| |
| It is possible to craft TGA files which will overflow the decompression |
| buffer, but not the image's bitmap. Therefore we also have to check for |
| potential decompression buffer overflows. |
| |
| This issue had been reported by Ibrahim El-Sayed to security@libgd.org; |
| a modified case exposing an off-by-one error of the first patch had been |
| provided by Konrad Beckmann. |
| |
| This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906 |
| as well. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-6906 |
| |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| src/gd_tga.c | 8 +++++++- |
| tests/tga/Makemodule.am | 3 ++- |
| tests/tga/heap_overflow.c | 16 ++++++++++++---- |
| tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes |
| tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes |
| 5 files changed, 21 insertions(+), 6 deletions(-) |
| create mode 100644 tests/tga/heap_overflow_1.tga |
| create mode 100644 tests/tga/heap_overflow_2.tga |
| |
| diff --git a/src/gd_tga.c b/src/gd_tga.c |
| index 68e4b17..f80f0b1 100644 |
| --- a/src/gd_tga.c |
| +++ b/src/gd_tga.c |
| @@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) |
| buffer_caret = 0; |
| |
| while( bitmap_caret < image_block_size ) { |
| - |
| + |
| + if (buffer_caret + pixel_block_size > rle_size) { |
| + gdFree( decompression_buffer ); |
| + gdFree( conversion_buffer ); |
| + return -1; |
| + } |
| + |
| if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { |
| encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); |
| buffer_caret++; |
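Review bot: The new guard counts pixel_block_size bytes starting at the packet header byte, but an RLE packet occupies the header plus one whole pixel block, so once `buffer_caret++` on the last hunk line has consumed the header, a copy of pixel_block_size bytes from the new caret can touch index rle_size, one past the bytes actually read into decompression_buffer, whenever rle_size equals image_block_size. Assuming the RLE branch continues with a memcpy of pixel_block_size bytes from decompression_buffer + buffer_caret (that code is below the hunk), the check should be `if (buffer_caret + 1 + pixel_block_size > rle_size) {`. The raw-packet else branch, also outside the hunk, consumes 1 + encoded_pixels * pixel_block_size bytes for up to 128 pixels, which this single per-packet guard cannot bound; unless such a test already exists there it needs `if (buffer_caret + encoded_pixels * pixel_block_size > rle_size)` after encoded_pixels is known. A one-line comment such as `/* the whole packet must lie within the rle_size bytes actually read, not merely within the allocation */` would make the intent of the guard clear. read_image_tga starts and ends outside the hunk.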
| diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am |
| index 916d707..ab08dbf 100644 |
| --- a/tests/tga/Makemodule.am |
| +++ b/tests/tga/Makemodule.am |
| @@ -15,7 +15,8 @@ EXTRA_DIST += \ |
| tga/bug00247a.tga \ |
| tga/bug00248.tga \ |
| tga/bug00248a.tga \ |
| - tga/heap_overflow.tga \ |
| + tga/heap_overflow_1.tga \ |
| + tga/heap_overflow_2.tga \ |
| tga/tga_read_rgb.png \ |
| tga/tga_read_rgb.tga \ |
| tga/tga_read_rgb_rle.tga |
| diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c |
| index 0e9a2d0..ddd4b63 100644 |
| --- a/tests/tga/heap_overflow.c |
| +++ b/tests/tga/heap_overflow.c |
| @@ -1,5 +1,5 @@ |
| /** |
| - * Test that the crafted TGA file doesn't trigger OOB reads. |
| + * Test that crafted TGA files don't trigger OOB reads. |
| */ |
| |
| |
| @@ -7,21 +7,29 @@ |
| #include "gdtest.h" |
| |
| |
| +static void check_file(char *basename); |
| static size_t read_test_file(char **buffer, char *basename); |
| |
| |
| int main() |
| { |
| + check_file("heap_overflow_1.tga"); |
| + check_file("heap_overflow_2.tga"); |
| + |
| + return gdNumFailures(); |
| +} |
| + |
| + |
| +static void check_file(char *basename) |
| +{ |
| gdImagePtr im; |
| char *buffer; |
| size_t size; |
| |
| - size = read_test_file(&buffer, "heap_overflow.tga"); |
| + size = read_test_file(&buffer, basename); |
| im = gdImageCreateFromTgaPtr(size, (void *) buffer); |
| gdTestAssert(im == NULL); |
| free(buffer); |
| - |
| - return gdNumFailures(); |
| } |
| |
| |
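Review bot: check_file hands the result of read_test_file straight to gdImageCreateFromTgaPtr without checking it, so a missing or unreadable fixture (size 0, buffer presumably NULL) makes `gdTestAssert(im == NULL)` pass vacuously and the regression test silently stops exercising the decoder. Add `gdTestAssert(size > 0);` before the gdImageCreateFromTgaPtr call so a broken fixture name or install path fails loudly; read_test_file's body is below the hunk, so its failure convention is inferred rather than seen. When the assertion does fail the non-NULL image is leaked, which `if (im != NULL) gdImageDestroy(im);` after the assertion avoids and keeps ASan runs of the test clean.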
| diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd |
| GIT binary patch |
| literal 605 |
| zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS |
| zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv> |
| Cavop+ |
| |
| literal 0 |
| HcmV?d00001 |
| |
| diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf |
| GIT binary patch |
| literal 8746 |
| zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h |
| zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71 |
| zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC |
| D4PYIN |
| |
| literal 0 |
| HcmV?d00001 |
| |
| -- |
| 2.10.2 |
| |