137246 – CAN-2004-0990 integer overflow in PNG handling.

Bug 137246 - CAN-2004-0990 integer overflow in PNG handling.

Summary: CAN-2004-0990 integer overflow in PNG handling.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	gd
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Phil Knirsch
QA Contact:
Docs Contact:
URL:
Whiteboard:	public=20041026,impact=moderate
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-26 22:27 UTC by Josh Bressers
Modified:	2015-03-05 01:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-12-17 09:54:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2004:638	0	high	SHIPPED_LIVE	Important: gd security update	2004-12-16 05:00:00 UTC

Description Josh Bressers 2004-10-26 22:27:04 UTC

This was reported to bugtraq.

Summary:

There is an integer overflow when allocating memory in the routine
that handles
loading PNG image files.  This later leads to heap data structures being
overwritten.  If an attacker tricked a user into loading a malicious
PNG image,
they could leverage this into executing arbitrary code in the context
of the
user opening image.  Many programs use GD, such as ImageMagick, and more
importantly it is also the image library used for PHP, and there is a Perl
module as well.  One possibile target would be PHP driven photo
websites that
let users upload images.  Some of them will resize/compress the image
when the
user uploads them.  If this is done using GD, this could be used to
execute code
on the server.  There is a mitigating factor, in order to reach the
vulnerable
code, a large amount of memory needs to be allocated.  My 128MB p2
crapped out
one allocation before it reached the overflow.  However, I think on a
newer box
with lots of memory and swap space, that won't be a problem.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

The vulnerable code occurs in the file gd_png.c, in the function
gdImageCreateFromPngCtx(), which is called by gdImageCreateFromPng().  The
function is used to load an image file into GD data structures.  The
problem
occurs when allocating memory for the image rows, line 314 or so ( I
added some
comments so line number might be off).  Two user supplied values are
multiplied
together (rowbytes * height), and used to allocate memory for an array of
pointers.  This pointer array is then passed to the png_read_image()
function,
which belongs to the libPNG library.  In that function, the pointers
are passed
to the png_read_row() function.  The data for the rows is decompressed
using
zLib function inflate(), and then passed to the png_combine_row()
function,
where the deflated data is memcpy()'d into the heap buffer. 
Exploitation would
require using zLib functions to compress the payload.  Successful
exploitation
would lead to executing arbitrary code.


This issue should also affect RHEL2.1

Comment 1 Josh Bressers 2004-10-26 22:28:21 UTC

No news on an upstream patch for this issue.

Comment 2 Mark J. Cox 2004-10-27 08:21:46 UTC

Proof of concept exploit:
http://www.k-otik.com/exploits/20041026.libgd.c.php

Comment 9 Mark J. Cox 2004-12-17 09:54:59 UTC

An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-638.html

Note You need to log in before you can comment on or make changes to this bug.