[Bug 238735] New: gd: off-by-one bug
https://bugzilla.novell.com/show_bug.cgi?id=238735

Summary: gd: off-by-one bug
Product: openSUSE 10.3
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: thomas@novell.com
QAContact: qa@suse.de

Hello Vladimir. This is a post from vendor-sec.

From: Kees Cook <kees@ubuntu.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] minor libgd2 issue
Errors-To: vendor-sec-admin@lst.de
Date: Wed, 24 Jan 2007 16:06:50 -0800

[-- PGP Ausgabe folgt (aktuelle Zeit: Do 25 Jan 2007 14:50:59 CET) --]
gpg: Signature made Do 25 Jan 2007 01:06:50 CET using DSA key ID 17063E6D
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]

[-- Die folgenden Daten sind signiert --]
[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: quoted-printable, Größe: 3,3K --]

Hi,

While digging through libgd code for other things, I found a possible off-the-end-of-string increment in very hard to reach code. Analysis showed that adjacent memory was nearly always also NULL, so the overstep really doesn't do much harm.

To even hit the problem, you need a JIS-encoded font (which I couldn't find any of online and had to manufacture), a crafted string (starts with "unconvertable" JIS characters and ends with a partial JIS character), and control of a tool that uses libgd that lets you specify encoding types (in my case, I was studying a path through graphviz).

Anyway, just a heads-up in case anyone sees other results. Ubuntu is not interested in an embargo. I've asked the libgd maintainer to hold off on patch publication until Friday in case anyone wants an embargo.

Attached is patch, a modified font, and "proof of concept" code which isn't much of a PoC. :)

--- Original email ---

Hi Pierre,

Sorry I didn't send this along until, I got distracted by Linux.conf.au.

With a JIS-encoded font (which, I might add, I had to build myself because I could locate NONE online), it is possible to walk off the end of a string-to-be-printed if it ends with 0xA1 (but contains 0x1B,'K' elsewhere to fool the JIS encoding detector). This may lead to a crash, or possibly the rendering to the image of heap memory. In practice, I don't think this is possible due to adjacent memory almost always having NULLs anyway[1].

Pretty weak, but I thought I'd send it along anyway. Attached is the patch and a .c program and a font to test against. I didn't ever get it to crash. :)

Please treat the Proof-of-Concept code (and font) as private. I want to bring it up on vendor-sec just in case, so can you hold off making the patch public until Friday unless someone sees something I didn't and wants an embargo?

Thanks again!

[1] gdb dump with debug symbols:

    Hardware watchpoint 10: *next

    Old value = -95 'ï¿œ'
    New value = 0 '\0'
    gdImageStringFTEx (im=0x0, brect=0x7fff7599b040, fg=0, fontlist=0x7fff7599bac8 "./ComicSansMS-Mori2.ttf", ptsize=40, angle=0, x=0, y=0, string=0x656010 "\033K", 'A' <repeats 198 times>..., strex=0x7fff7599b010) at gdft.c:1149
    1149 ...
    (gdb) step
    1150 jiscode = 0x100 * (c & 0x7F) + ((*next) & 0x7F);
    (gdb)
    1152 ch = (jiscode >> 8) & 0xFF;
    (gdb)
    1153 jiscode &= 0xFF;
    (gdb)
    1155 if (ch & 1)
    (gdb)
    1156 jiscode += 0x40 - 0x21;
    (gdb)
    1160 if (jiscode >= 0x7F)
    (gdb)
    1162 ch = (ch - 0x21) / 2 + 0x81;
    (gdb)
    1163 if (ch >= 0xA0)
    (gdb)
    1166 ch = (ch << 8) + jiscode;
    (gdb)
    1146 if (0xA1 <= c && c <= 0xFE)
    (gdb)

    Breakpoint 11, gdImageStringFTEx (im=0x0, brect=0x7fff7599b040, fg=0, fontlist=0x7fff7599bac8 "./ComicSansMS-Mori2.ttf", ptsize=40, angle=0, x=0, y=0, string=0x656010 "\033K", 'A' <repeats 198 times>..., strex=0x7fff7599b010) at gdft.c:1172
    1172 next++;
    (gdb) print *next
    $11 = 0 '\0'
    (gdb) step
    1173 ....
    (gdb) print *next
    $12 = 0 '\0'

--- eom ---

--
Kees Cook

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
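The gdb trace above shows the shape of the defect: when the last byte of the string is a JIS lead byte (0xA1..0xFE), the conversion reads `*next` (the NUL terminator) as the trail byte and then does `next++`, leaving the cursor one byte past the terminator. The following C program is an added illustration, not libgd's code and not Kees Cook's attached test program; it models that loop in a buggy and a checked form over constructed, zero-padded sample strings. The lead/trail arithmetic follows the lines visible in the trace, and the two branches the trace skipped (`jiscode++` and `ch += 0x40`) are assumed from the standard JIS X 0208 to Shift_JIS conversion.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking a NUL-terminated JIS byte string. */
struct jis_scan {
    size_t consumed;   /* offset of the cursor when the loop stopped */
    size_t chars;      /* characters decoded (single or double byte) */
    int    truncated;  /* 1 if the string ended right after a lead byte */
};

/* Lead-byte range used by the trace (gdft.c:1146). */
static int is_jis_lead(unsigned char c) { return c >= 0xA1 && c <= 0xFE; }

/* JIS X 0208 -> Shift_JIS, following the arithmetic in the gdb trace.
   The `else` branch, `jiscode++` and `ch += 0x40` are assumptions taken
   from the standard conversion, not from libgd. */
unsigned int jis_pair_to_sjis(unsigned char c, unsigned char trail)
{
    unsigned int jiscode = 0x100 * (c & 0x7F) + (trail & 0x7F);
    unsigned int ch = (jiscode >> 8) & 0xFF;
    jiscode &= 0xFF;
    if (ch & 1)
        jiscode += 0x40 - 0x21;
    else
        jiscode += 0x9E - 0x21;   /* assumed */
    if (jiscode >= 0x7F)
        jiscode++;                /* assumed */
    ch = (ch - 0x21) / 2 + 0x81;
    if (ch >= 0xA0)
        ch += 0x40;               /* assumed */
    return (ch << 8) + jiscode;
}

/* Buggy pattern: a lead byte always consumes the byte after it, even when
   that byte is the terminator, so the cursor steps past the end of the
   string. The sample buffers below are zero-padded so this stays inside
   the array and can be observed rather than crashing. */
struct jis_scan scan_jis_unchecked(const unsigned char *s)
{
    const unsigned char *next = s;
    struct jis_scan r = {0, 0, 0};
    while (*next != '\0') {
        unsigned char c = *next++;
        if (is_jis_lead(c)) {
            (void)jis_pair_to_sjis(c, *next); /* may read the NUL as a trail byte */
            next++;                           /* and then step over it */
        }
        r.chars++;
    }
    r.consumed = (size_t)(next - s);
    return r;
}

/* Checked pattern: look at the trail byte before consuming it and report a
   dangling lead byte instead of walking past the terminator. */
struct jis_scan scan_jis_checked(const unsigned char *s)
{
    const unsigned char *next = s;
    struct jis_scan r = {0, 0, 0};
    while (*next != '\0') {
        unsigned char c = *next++;
        if (is_jis_lead(c)) {
            if (*next == '\0') {   /* string ends inside a two-byte character */
                r.truncated = 1;
                break;
            }
            (void)jis_pair_to_sjis(c, *next);
            next++;
        }
        r.chars++;
    }
    r.consumed = (size_t)(next - s);
    return r;
}

/* Constructed samples (not from the report): a string ending in a lone
   lead byte, and a complete two-byte character. Zero padding keeps the
   buggy scan's over-read inside the array. */
static const unsigned char SAMPLE_TRUNCATED[8] = "A\xA1";
static const unsigned char SAMPLE_PAIR[8]      = "\xA1\xA1";

int main(void)
{
    struct jis_scan u = scan_jis_unchecked(SAMPLE_TRUNCATED);
    struct jis_scan h = scan_jis_checked(SAMPLE_TRUNCATED);
    printf("unchecked: stopped at offset %zu, strlen is %zu\n",
           u.consumed, strlen((const char *)SAMPLE_TRUNCATED));
    printf("checked:   stopped at offset %zu, truncated=%d\n",
           h.consumed, h.truncated);
    return 0;
}
```

The unchecked scan stops at offset 3 on a 2-byte string, which is the one-past-the-terminator position the watchpoint in the trace caught; the checked scan stops at the terminator and flags the incomplete character so the caller can reject or pad the input.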
------- Comment #1 from thomas@novell.com 2007-01-25 07:12 MST -------
Created an attachment (id=115054) --> (https://bugzilla.novell.com/attachment.cgi?id=115054&action=view)
libgd-jis.patch

------- Comment #2 from thomas@novell.com 2007-01-25 07:12 MST -------
Created an attachment (id=115055) --> (https://bugzilla.novell.com/attachment.cgi?id=115055&action=view)
libgd-overstep.c

------- Comment #3 from thomas@novell.com 2007-01-25 07:13 MST -------
Created an attachment (id=115057) --> (https://bugzilla.novell.com/attachment.cgi?id=115057&action=view)
libgd-ComicSansMS-Mori2.ttf
jpr@novell.com changed:

           What    |Removed                               |Added
----------------------------------------------------------------------------
                 CC|                                      |security-team@suse.de
         AssignedTo|bnc-team-gnome@forge.provo.novell.com |nadvornik@novell.com
          Component|GNOME                                 |Basesystem

------- Comment #4 from jpr@novell.com 2007-01-25 11:33 MST -------
Re-assigning to GD maintainer.