diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-08-16 16:26:19 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-12-13 15:51:51 +0100 |
commit | 58b6dde319c301b0eae27d12e2a659e067d80558 (patch) | |
tree | 74cdf3396c9f1d3cd9aac81f940138f3b5c8bd0f /tests/tga | |
parent | fe9ed49dafa993e3af96b6a5a589efeea9bfb36f (diff) | |
download | libgd-58b6dde319c301b0eae27d12e2a659e067d80558.tar.gz |
Fix OOB reads of the TGA decompression buffer
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.
This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.
This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
as well.
Diffstat (limited to 'tests/tga')
-rw-r--r-- | tests/tga/Makemodule.am | 3 | ||||
-rw-r--r-- | tests/tga/heap_overflow.c | 16 | ||||
-rw-r--r-- | tests/tga/heap_overflow_1.tga | bin | 0 -> 605 bytes | |||
-rw-r--r-- | tests/tga/heap_overflow_2.tga | bin | 0 -> 8746 bytes |
4 files changed, 14 insertions, 5 deletions
diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am index 916d707..ab08dbf 100644 --- a/tests/tga/Makemodule.am +++ b/tests/tga/Makemodule.am @@ -15,7 +15,8 @@ EXTRA_DIST += \ tga/bug00247a.tga \ tga/bug00248.tga \ tga/bug00248a.tga \ - tga/heap_overflow.tga \ + tga/heap_overflow_1.tga \ + tga/heap_overflow_2.tga \ tga/tga_read_rgb.png \ tga/tga_read_rgb.tga \ tga/tga_read_rgb_rle.tga diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c index 0e9a2d0..ddd4b63 100644 --- a/tests/tga/heap_overflow.c +++ b/tests/tga/heap_overflow.c @@ -1,5 +1,5 @@ /** - * Test that the crafted TGA file doesn't trigger OOB reads. + * Test that crafted TGA files don't trigger OOB reads. */ @@ -7,21 +7,29 @@ #include "gdtest.h" +static void check_file(char *basename); static size_t read_test_file(char **buffer, char *basename); int main() { + check_file("heap_overflow_1.tga"); + check_file("heap_overflow_2.tga"); + + return gdNumFailures(); +} + + +static void check_file(char *basename) +{ gdImagePtr im; char *buffer; size_t size; - size = read_test_file(&buffer, "heap_overflow.tga"); + size = read_test_file(&buffer, basename); im = gdImageCreateFromTgaPtr(size, (void *) buffer); gdTestAssert(im == NULL); free(buffer); - - return gdNumFailures(); } diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga Binary files differnew file mode 100644 index 0000000..e9bc0ec --- /dev/null +++ b/tests/tga/heap_overflow_1.tga diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga Binary files differnew file mode 100644 index 0000000..2b681f2 --- /dev/null +++ b/tests/tga/heap_overflow_2.tga |