[cups.bugs] [MOD] STR #2790: Integer overflows in PNG image loading code

Thomas Pollet thomas.pollet at gmail.com
Wed Apr 9 02:12:05 PDT 2008


Hi,

You should also check the return value of malloc: due to the way png_read_row
works it may be possible to write to some lower address in memory if a NULL
is passed as the row argument.
Below is a gdb trace to clarify this.

As you can see, data is not written until row=0x2f928. This can be
manipulated to write to some interesting lower place in memory (like the
.got section).

(gdb) break png_read_row
Breakpoint 1 at 0xb7c5fee2: file pngread.c, line 580.
(gdb) c
Continuing.
[Switching to Thread -1212070224 (LWP 27030)]

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x0, dsp_row=0x0) at
pngread.c:580
580     pngread.c: No such file or directory.
        in pngread.c
(gdb) c
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x5f25 <Address 0x5f25
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0xbe4a <Address 0xbe4a
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x11d6f <Address 0x11d6f
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x17c94 <Address 0x17c94
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x1dbb9 <Address 0x1dbb9
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x23ade <Address 0x23ade
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x29a03 <Address 0x29a03
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb)
Continuing.

Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x2f928 <Address 0x2f928
out of bounds>, dsp_row=0x0) at pngread.c:580
580     in pngread.c
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7c57b33 in png_combine_row (png_ptr=0x80528d8, row=0x2f928 <Address
0x2f928 out of bounds>, mask=128) at pngrutil.c:2483
2483    pngrutil.c: No such file or directory.
        in pngrutil.c
(gdb)

Regards,
Thomas Pollet

On 09/04/2008, Michael Sweet <msweet at apple.com> wrote:
>
> [STR Closed w/Resolution]
>
> Fixed in Subversion repository.
>
> Link: http://www.cups.org/str.php?L2790
> Version: 1.3-current
> Fix Version: 1.4-current
>
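The defensive pattern described in the report, as an added example that is not CUPS or libpng code: compute the image buffer size with overflow checks, reject a NULL allocation, and only then derive per-row pointers from the base. `safe_image_bytes`, `alloc_image` and `load_rows` are hypothetical names, and `fill_row` stands in for png_read_row.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: bytes needed for width x height pixels of `depth`
 * bytes each. Returns 0 if any argument is 0 or the product would wrap. */
size_t safe_image_bytes(size_t width, size_t height, size_t depth)
{
    size_t rowbytes;
    if (width == 0 || height == 0 || depth == 0) return 0;
    if (width > SIZE_MAX / depth) return 0;      /* width * depth wraps */
    rowbytes = width * depth;
    if (rowbytes > SIZE_MAX / height) return 0;  /* rowbytes * height wraps */
    return rowbytes * height;
}

/* Hypothetical allocator: checks the size computation AND the malloc result,
 * so a NULL base is never used to compute row addresses. */
unsigned char *alloc_image(size_t width, size_t height, size_t depth,
                           size_t *rowbytes_out)
{
    unsigned char *buf;
    size_t total = safe_image_bytes(width, height, depth);
    if (total == 0) return NULL;
    buf = malloc(total);
    if (buf == NULL) return NULL;                /* the missing check */
    *rowbytes_out = width * depth;
    return buf;
}

/* Stand-in for png_read_row: writes one row starting at `row`. */
static void fill_row(unsigned char *row, size_t rowbytes, unsigned char v)
{
    memset(row, v, rowbytes);
}

/* Hypothetical loader loop. Returns 0 and sets *out on success, -1 and
 * *out = NULL if the allocation was refused; rows are only derived from a
 * valid base, so in + y * rowbytes can never start at address 0. */
int load_rows(size_t width, size_t height, size_t depth, unsigned char **out)
{
    size_t rowbytes, y;
    unsigned char *in = alloc_image(width, height, depth, &rowbytes);
    *out = NULL;
    if (in == NULL) return -1;
    for (y = 0; y < height; y++)
        fill_row(in + y * rowbytes, rowbytes, (unsigned char)y);
    *out = in;
    return 0;
}
```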