Closed
Hi,
An out-of-bounds read was found in the parsing of TGA files using the latest revision of libgd (a6a0e7f). Find attached a small sample (it is a TGA, not really a txt) to reproduce it. The ASAN report is here:
==25148==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e91c at pc 0x7ffff6c8b446 bp 0x7fffffffdf40 sp 0x7fffffffdf38
READ of size 4 at 0x62500000e91c thread T0
#0 0x7ffff6c8b445 in gdImageCreateFromTgaCtx /tmp/libgd/src/gd_tga.c:103
#1 0x7ffff6c8ad26 in gdImageCreateFromTga /tmp/libgd/src/gd_tga.c:25
#2 0x401581 in main tga/bug00084.c:10
#3 0x7ffff686aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x401458 (/tmp/libgd/tests/tga/.libs/lt-bug00084+0x401458)
0x62500000e91c is located 0 bytes to the right of 8220-byte region [0x62500000c900,0x62500000e91c)
allocated by thread T0 here:
#0 0x7ffff6f567df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x7ffff6ca49e1 in gdMalloc /tmp/libgd/src/gdhelpers.c:75
#2 0x7ffff6c8c254 in read_image_tga /tmp/libgd/src/gd_tga.c:226
#3 0x7ffff6c8af91 in gdImageCreateFromTgaCtx /tmp/libgd/src/gd_tga.c:74
#4 0x7ffff6c8ad26 in gdImageCreateFromTga /tmp/libgd/src/gd_tga.c:25
#5 0x401581 in main tga/bug00084.c:10
#6 0x7ffff686aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/libgd/src/gd_tga.c:103 gdImageCreateFromTgaCtx
(It is not related to bug 00084; I just re-used the test case to read an arbitrary TGA file.)
This issue was found using QuickFuzz.
Regards,
Gustavo.
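The report above shows a 4-byte read landing exactly 0 bytes past an 8220-byte heap region that `read_image_tga` allocated for the pixel data, i.e. the decoder consumed one more pixel than the buffer holds. The following is an added illustration of the defensive pattern that prevents this class of bug, written for this page; it is not libgd's code and not the fix that was applied to `gd_tga.c`. The header struct, the function names and the 1 x 2055 x 32 bpp sample (chosen only because 2055 * 4 = 8220 matches the region size in the trace) are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal TGA-like header (hypothetical, not libgd's struct). */
typedef struct {
    uint16_t width;
    uint16_t height;
    uint8_t  bits_per_pixel;   /* accepted: 8 (gray), 24 (BGR), 32 (BGRA) */
} tga_hdr_t;

/* Compute the pixel-buffer size from the header with overflow checks.
   Returns 1 and stores the size in *out, or 0 if the header is unusable. */
static int tga_bitmap_size(const tga_hdr_t *h, size_t *out)
{
    size_t bpp;
    if (h->bits_per_pixel != 8 && h->bits_per_pixel != 24 && h->bits_per_pixel != 32)
        return 0;
    if (h->width == 0 || h->height == 0)
        return 0;
    bpp = h->bits_per_pixel / 8;
    /* width and height are at most 65535, but check the product generically
       so the function stays correct if the field widths ever grow. */
    if ((size_t)h->width > SIZE_MAX / h->height)
        return 0;
    if ((size_t)h->width * h->height > SIZE_MAX / bpp)
        return 0;
    *out = (size_t)h->width * h->height * bpp;
    return 1;
}

/* Expand raw bitmap bytes into 32-bit ARGB pixels. The read loop is bounded by
   the real length of the bitmap that was read from the file, not by what the
   header claims; a truncated file is rejected instead of being read past.
   Returns the number of pixels written, or -1 on any mismatch. */
static long tga_expand(const tga_hdr_t *h, const uint8_t *bitmap, size_t bitmap_len,
                       uint32_t *out, size_t out_pixels)
{
    size_t need, bpp, npix, i;
    if (!tga_bitmap_size(h, &need))
        return -1;
    if (bitmap_len < need)            /* the check that prevents the OOB read */
        return -1;
    bpp  = h->bits_per_pixel / 8;
    npix = (size_t)h->width * h->height;
    if (out_pixels < npix)            /* and the one that prevents an OOB write */
        return -1;
    for (i = 0; i < npix; i++) {
        const uint8_t *p = bitmap + i * bpp;   /* p[0..bpp-1] is inside the buffer */
        uint32_t b = p[0];
        uint32_t g = (bpp >= 3) ? p[1] : p[0];
        uint32_t r = (bpp >= 3) ? p[2] : p[0];
        uint32_t a = (bpp == 4) ? p[3] : 0xffu;
        out[i] = (a << 24) | (r << 16) | (g << 8) | b;
    }
    return (long)npix;
}

/* Helper: size the header would require, or 0 if the header is rejected. */
static size_t demo_size(uint16_t w, uint16_t hgt, uint8_t bpp)
{
    tga_hdr_t h = { w, hgt, bpp };
    size_t n;
    return tga_bitmap_size(&h, &n) ? n : 0;
}

/* Constructed sample: 1 x 2055 pixels at 32 bpp needs exactly 8220 bytes, the
   region size in the ASAN report. Decoding succeeds only when the bitmap that
   was actually read is at least that long. */
static long demo_decode(size_t bitmap_len)
{
    tga_hdr_t h = { 1, 2055, 32 };
    uint8_t  *bitmap = calloc(bitmap_len ? bitmap_len : 1, 1);
    uint32_t *out    = calloc(2055, sizeof *out);
    long n = -1;
    if (bitmap && out)
        n = tga_expand(&h, bitmap, bitmap_len, out, 2055);
    free(bitmap);
    free(out);
    return n;
}

/* Constructed 1 x 1 24 bpp pixel stored as B=0x01, G=0x02, R=0x03. */
static uint32_t demo_pixel(void)
{
    tga_hdr_t h = { 1, 1, 24 };
    uint8_t bitmap[3] = { 0x01, 0x02, 0x03 };
    uint32_t px = 0;
    if (tga_expand(&h, bitmap, sizeof bitmap, &px, 1) != 1)
        return 0;
    return px;                        /* 0xff030201: opaque, R=03 G=02 B=01 */
}
```

The point of the example is the ordering: the size the header implies is computed with overflow checks, then compared against the number of bytes that were really read before any pixel is touched. A decoder that sizes its loop from the header alone, or that counts one pixel too many, produces exactly the "0 bytes to the right of the region" read that the sanitizer reported.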