[cups.bugs] [MOD] STR #2790: Integer overflows in PNG image loading code
Thomas Pollet
thomas.pollet at gmail.com
Wed Apr 9 02:12:05 PDT 2008
Hi,
you should check the return value of malloc as well: due to the way png_read_row
works, it may be possible to write to some lower address in memory if NULL
is passed as the row argument.
Below is a gdb trace to clarify this.
As you can see, data is not written until row=0x2f928. This can be
manipulated to write to some interesting lower place in memory (like the
.got section).
(gdb) break png_read_row
Breakpoint 1 at 0xb7c5fee2: file pngread.c, line 580.
(gdb) c
Continuing.
[Switching to Thread -1212070224 (LWP 27030)]
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x0, dsp_row=0x0) at pngread.c:580
580 pngread.c: No such file or directory.
in pngread.c
(gdb) c
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x5f25 <Address 0x5f25 out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0xbe4a <Address 0xbe4a out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x11d6f <Address 0x11d6f out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x17c94 <Address 0x17c94 out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x1dbb9 <Address 0x1dbb9 out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x23ade <Address 0x23ade out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x29a03 <Address 0x29a03 out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb)
Continuing.
Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x2f928 <Address 0x2f928 out of bounds>, dsp_row=0x0) at pngread.c:580
580 in pngread.c
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xb7c57b33 in png_combine_row (png_ptr=0x80528d8, row=0x2f928 <Address 0x2f928 out of bounds>, mask=128) at pngrutil.c:2483
2483 pngrutil.c: No such file or directory.
in pngrutil.c
(gdb)
Regards,
Thomas Pollet
On 09/04/2008, Michael Sweet <msweet at apple.com> wrote:
>
> [STR Closed w/Resolution]
>
> Fixed in Subversion repository.
>
> Link: http://www.cups.org/str.php?L2790
> Version: 1.3-current
> Fix Version: 1.4-current
>
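The mechanism the trace above shows is arithmetic, not libpng magic: the row argument advances by a constant 0x5f25 on every call, and 8 * 0x5f25 = 0x2f928, the value in the faulting png_combine_row frame. A loader that computes row pointers as base + y * rowbytes from an unchecked malloc result therefore hands png_read_row a small, image-controlled address once malloc returns NULL. The following is an added example, not CUPS or libpng code, and it does not link against libpng: it reproduces that pointer progression from the trace's numbers, shows the 32-bit size wrap the STR title refers to, and gives a hardened allocation routine that checks both multiplications and the malloc result. The dimensions 8119 px wide, RGB (3 bytes per pixel) are a constructed pair that yields a 0x5f25-byte row; nothing on the page says what the reporter's image looked like. The allocator hook and the null_alloc helper are hypothetical, introduced only so a failing malloc can be exercised deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes returned by the hardened allocator below. */
enum img_status { IMG_OK = 0, IMG_ERR_BADDIM = 1, IMG_ERR_OVERFLOW = 2, IMG_ERR_NOMEM = 3 };

/* Allocator hook (hypothetical, for this example only) so that a malloc
   failure can be simulated without actually exhausting memory. */
typedef void *(*img_alloc_fn)(size_t);

static void *null_alloc(size_t n) { (void)n; return NULL; }

/* The address a loader passes to png_read_row for row y when it builds
   row pointers as base + y * rowbytes.  Done on integers, not pointers,
   so evaluating it with base == NULL is well defined.  With base NULL
   (an unchecked malloc failure) the result is y * rowbytes: the
   0x0, 0x5f25, 0xbe4a, ... progression in the gdb trace. */
static uintptr_t row_address(const unsigned char *base, size_t rowbytes, size_t y)
{
    return (uintptr_t)base + rowbytes * y;
}

/* The classic integer-overflow variant: a buffer size computed in 32 bits
   wraps, and a tiny buffer is allocated for a huge image. */
static uint32_t naive_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* unsigned wrap, e.g. 65536*65536*4 == 0 */
}

/* Hardened allocation: sane dimensions, overflow-checked multiplications,
   and no row pointer is ever derived from a NULL buffer. */
static int safe_image_alloc(uint32_t width, uint32_t height, uint32_t bpp,
                            img_alloc_fn alloc, size_t *rowbytes_out,
                            unsigned char **buf_out)
{
    *buf_out = NULL;
    *rowbytes_out = 0;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return IMG_ERR_BADDIM;
    if ((size_t)width > SIZE_MAX / bpp)
        return IMG_ERR_OVERFLOW;
    size_t rowbytes = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / rowbytes)
        return IMG_ERR_OVERFLOW;
    size_t total = rowbytes * height;
    unsigned char *buf = alloc(total);
    if (buf == NULL)
        return IMG_ERR_NOMEM;       /* stop here; never compute base + y*rowbytes */
    *rowbytes_out = rowbytes;
    *buf_out = buf;
    return IMG_OK;
}

int main(void)
{
    /* Constructed dimensions giving the 0x5f25-byte stride seen in the trace. */
    const uint32_t width = 8119, height = 8, bpp = 3;

    printf("row addresses with base == NULL (unchecked malloc):\n");
    for (size_t y = 0; y <= 8; y++)
        printf("  row %zu -> 0x%lx\n", y, (unsigned long)row_address(NULL, width * bpp, y));

    printf("naive 32-bit size for 65536x65536x4: %u\n", naive_size32(65536, 65536, 4));

    size_t rowbytes;
    unsigned char *buf;
    printf("safe_image_alloc with failing malloc: status %d\n",
           safe_image_alloc(width, height, bpp, null_alloc, &rowbytes, &buf));
    printf("safe_image_alloc 0xffffffff x 0xffffffff x 16: status %d\n",
           safe_image_alloc(0xffffffffu, 0xffffffffu, 16, malloc, &rowbytes, &buf));
    int st = safe_image_alloc(width, height, bpp, malloc, &rowbytes, &buf);
    printf("safe_image_alloc %ux%ux%u: status %d, rowbytes 0x%zx\n",
           width, height, bpp, st, rowbytes);
    free(buf);
    return 0;
}
```

The hardened routine fails closed on three distinct conditions, and a caller that treats any non-zero status as "abort the decode" is protected against both the wrapped-size allocation and the NULL-base write the trace demonstrates; the overflow check fires on 32-bit builds at the first multiplication and on 64-bit builds at the second, so it does not depend on the platform's size_t width.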