[cups.bugs] [MOD] STR #2790: Integer overflows in PNG image loading code

Thomas Pollet thomas.pollet at gmail.com
Wed Apr 9 02:14:03 PDT 2008


Hi,

Nevermind my previous mail, I missed the

if (!in || !out)


Regards,
Thomas Pollet

On 09/04/2008, Thomas Pollet <thomas.pollet at gmail.com> wrote:
>
> Hi,
>
> you should check for the return of malloc also: due to the way
> png_read_row works it may be possible to write to some lower address in
> memory if a NULL is passed as the row argument.
> Below is a gdb trace to clarify this.
>
> As you can see, data is not written until row=0x2f928. This can be
> manipulated to write to some interesting lower place in memory (like the
> .got section).
>
> (gdb) break png_read_row
> Breakpoint 1 at 0xb7c5fee2: file pngread.c, line 580.
> (gdb) c
> Continuing.
> [Switching to Thread -1212070224 (LWP 27030)]
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x0, dsp_row=0x0) at
> pngread.c:580
> 580     pngread.c: No such file or directory.
>         in pngread.c
> (gdb) c
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x5f25 <Address 0x5f25
> out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0xbe4a <Address 0xbe4a
> out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x11d6f <Address
> 0x11d6f out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x17c94 <Address
> 0x17c94 out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x1dbb9 <Address
> 0x1dbb9 out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x23ade <Address
> 0x23ade out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x29a03 <Address
> 0x29a03 out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb)
> Continuing.
>
> Breakpoint 1, png_read_row (png_ptr=0x80528d8, row=0x2f928 <Address
> 0x2f928 out of bounds>, dsp_row=0x0) at pngread.c:580
> 580     in pngread.c
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xb7c57b33 in png_combine_row (png_ptr=0x80528d8, row=0x2f928 <Address
> 0x2f928 out of bounds>, mask=128) at pngrutil.c:2483
> 2483    pngrutil.c: No such file or directory.
>         in pngrutil.c
> (gdb)
>
> Regards,
> Thomas Pollet
>
> On 09/04/2008, Michael Sweet <msweet at apple.com> wrote:
> >
> > [STR Closed w/Resolution]
> >
> > Fixed in Subversion repository.
> >
> > Link: http://www.cups.org/str.php?L2790
> > Version: 1.3-current
> > Fix Version: 1.4-current
> >
>
>
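The two defects discussed in this thread, an overflowing width * height * depth size computation and an unchecked malloc result handed to libpng, come down to the same check before any row is decoded. The following is an added illustration, not CUPS's image loader or libpng code; image_alloc, load_buffers and try_load are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked allocation of a width * height * bytes_per_pixel buffer.
   Returns NULL when the product would wrap size_t or when malloc fails, so
   the caller can never pass a too-small or NULL row buffer to png_read_row. */
void *image_alloc(size_t width, size_t height, size_t bpp)
{
    size_t rowbytes, total;

    if (width == 0 || height == 0 || bpp == 0)
        return NULL;
    if (width > SIZE_MAX / bpp)          /* width * bpp would wrap */
        return NULL;
    rowbytes = width * bpp;
    if (rowbytes > SIZE_MAX / height)    /* rowbytes * height would wrap */
        return NULL;
    total = rowbytes * height;
    return malloc(total);
}

/* The "if (!in || !out)" pattern from the thread: both buffers are validated
   before decoding starts. Returns 0 on success, -1 when either allocation
   failed; on failure nothing is leaked and both pointers are left NULL. */
int load_buffers(size_t width, size_t height, size_t in_bpp, size_t out_bpp,
                 unsigned char **in, unsigned char **out)
{
    *in  = image_alloc(width, height, in_bpp);
    *out = image_alloc(width, height, out_bpp);
    if (!*in || !*out) {
        free(*in);
        free(*out);
        *in = *out = NULL;
        return -1;
    }
    return 0;
}

/* Convenience wrapper: allocate, report the result code, release. */
int try_load(size_t width, size_t height)
{
    unsigned char *in, *out;
    int rc = load_buffers(width, height, 3, 4, &in, &out);
    free(in);
    free(out);
    return rc;
}
```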