{"id":945,"date":"2016-11-22T18:39:48","date_gmt":"2016-11-22T16:39:48","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=945"},"modified":"2016-11-22T18:48:27","modified_gmt":"2016-11-22T16:48:27","slug":"metapixel-heap-based-buffer-overflow-in-open_gif_file-rwgif-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/22\/metapixel-heap-based-buffer-overflow-in-open_gif_file-rwgif-c\/","title":{"rendered":"metapixel: heap-based buffer overflow in open_gif_file (rwgif.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.complang.tuwien.ac.at\/schani\/metapixel\/\">metapixel<\/a> is a program for generating photomosaics.<\/p>\n<p>A fuzzing on metapixel-imagesize revealed an overflow. The latest upstream release was about ten years ago, so I didn&#8217;t made any report. The bug does not resides in any shared object which aren&#8217;t provided by the package. If you have a web application which relies on the metapixel-imagesize binary, then you are affected. Since the &#8220;READ of size 1&#8221; it may don&#8217;t warrant a CVE at all, but some distros and packagers would have the bug fixed in their repository, so I&#8217;m sharing it.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># metapixel-imagesize $FILE\r\n==24883==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff9 at pc 0x00000050edcf bp 0x7ffce3891f90 sp 0x7ffce3891f88\r\nREAD of size 1 at 0x60200000eff9 thread T0\r\n    #0 0x50edce in open_gif_file \/tmp\/portage\/media-gfx\/metapixel-1.0.2-r1\/work\/metapixel-1.0.2\/rwimg\/rwgif.c:132:60\r\n    #1 0x50a4cd in open_image_reading \/tmp\/portage\/media-gfx\/metapixel-1.0.2-r1\/work\/metapixel-1.0.2\/rwimg\/readimage.c:88:9\r\n    #2 0x50a18b in main \/tmp\/portage\/media-gfx\/metapixel-1.0.2-r1\/work\/metapixel-1.0.2\/imagesize.c:37:14\r\n    #3 0x7fcc5c3a861f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #4 0x41a1d8 in _init (\/usr\/bin\/metapixel-imagesize+0x41a1d8)\r\n\r\n0x60200000eff9 is located 3 bytes to the right of 6-byte region [0x60200000eff0,0x60200000eff6)\r\nallocated by thread T0 here:\r\n    #0 0x4d3195 in calloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:72\r\n    #1 0x7fcc5d267392 in GifMakeMapObject \/tmp\/portage\/media-libs\/giflib-5.1.4\/work\/giflib-5.1.4\/lib\/gifalloc.c:55\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/media-gfx\/metapixel-1.0.2-r1\/work\/metapixel-1.0.2\/rwimg\/rwgif.c:132:60 in open_gif_file\r\nShadow bytes around the buggy address:\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa 06[fa]\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==24883==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.0.2<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00058-metapipxel-heapoverflow-open_gif_file\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00058-metapipxel-heapoverflow-open_gif_file<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-11-22: bug discovered<br \/>\n2016-11-22: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"w94V0Pq8jM\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/11\/22\/metapixel-heap-based-buffer-overflow-in-open_gif_file-rwgif-c\/\">metapixel: heap-based buffer overflow in open_gif_file (rwgif.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/11\/22\/metapixel-heap-based-buffer-overflow-in-open_gif_file-rwgif-c\/embed\/#?secret=w94V0Pq8jM\" data-secret=\"w94V0Pq8jM\" width=\"600\" height=\"338\" title=\"&#8220;metapixel: heap-based buffer overflow in open_gif_file (rwgif.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: metapixel is a program for generating photomosaics. A fuzzing on metapixel-imagesize revealed an overflow. The latest upstream release was about ten years ago, so I didn&#8217;t made any report. The bug does not resides in any shared object which &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/11\/22\/metapixel-heap-based-buffer-overflow-in-open_gif_file-rwgif-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-ff","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/945"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=945"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/945\/revisions"}],"predecessor-version":[{"id":956,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/945\/revisions\/956"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}