Red Hat Bugzilla – Bug 276751
CVE-2007-3472 libgd Integer overflow in TrueColor code
Last modified: 2016-03-04 07:01:33 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3472 to the following vulnerability:
Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers has unspecified attack vectors and impact.
This just leads to unsuccessful attempt to allocate huge amount of memory and a
NULL dereference in turn. Just a crash.
(In reply to comment #1)
> This just leads to unsuccessful attempt to allocate huge amount of memory
> and a NULL dereference in turn. Just a crash.
What you refer to here is more likely:
Return values of various *alloc functions were not properly checked. In the
case described in gd bug 89 -- im->tpixels[i] -- possibly being NULL, it depends
on specific use. If attacker may control index used as second array index, he
may possibly read / modify arbitrary memory address. Looking into gd_png and
gd_jpeg (just a few places where gdImageCreateTrueColor is used), it seems that
im->tpixels[i] is traversed from lower indexes, so likely leading to SEGV soon.
Upstream CVS commit for gd bug 89:
Additionally, this seems to be same as CVE-2007-3996, part (b) reported for
php-gd, described in:
(Text does not seem to be correct in claim that gdImageCreate if affected by
overflow too, as char items are allocated.)
SecWeb advisory equivalent for gd:
SecWeb advisory is somewhat misleading, as it describes integer overflow in
gdImageCreateTrueColor, but in example PoC uses gdImageCreateFromXbm, which does
not use gdImageCreateTrueColor, but gdImageCreate. Crash caused by that PoC
seems to be what is known as CVE-2007-3473 (see bug bug #276791).
This issue does not affect versions of gd as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not provide affected gdImageCreateTrueColor() function.
This issue was addressed in:
Red Hat Enterprise Linux:
Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.