|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2014-12-13 07:54 UTC] remi@php.net
-Assigned To:
+Assigned To: remi
[2014-12-13 07:54 UTC] remi@php.net
[2014-12-13 08:07 UTC] remi@php.net
-Status: Assigned
+Status: Closed
[2014-12-13 08:07 UTC] remi@php.net
[2014-12-17 10:02 UTC] remi@php.net
[2015-03-24 09:31 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2014-9709
[2015-03-24 09:31 UTC] kaplan@php.net
[2015-03-28 11:30 UTC] ghedo at debian dot org
[2015-04-06 00:38 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Description: ------------ An ASAN'ified call looks like this: ./giftogd2 asan_stack-oob_53533d_34_adaf0da1764aafb7039440dbe098569b.gif /tmp/null 1 1 ================================================================= ==23529==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7ca923b8 at pc 0x53533d bp 0x7fff7ca80750 sp 0x7fff7ca80748 READ of size 1 at 0x7fff7ca923b8 thread T0 #0 0x53533c in GetCode_ /libgd-2.1.0_master/master/src/gd_gif_in.c:471 #1 0x5332d1 in GetCode /libgd-2.1.0_master/master/src/gd_gif_in.c:484 #2 0x53044e in LWZReadByte_ /libgd-2.1.0_master/master/src/gd_gif_in.c:538 #3 0x52e7b5 in LWZReadByte /libgd-2.1.0_master/master/src/gd_gif_in.c:627 #4 0x52d5cf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:677 #5 0x52a760 in gdImageCreateFromGifCtx /libgd-2.1.0_master/master/src/gd_gif_in.c:311 #6 0x52822e in gdImageCreateFromGif /libgd-2.1.0_master/master/src/gd_gif_in.c:154 #7 0x47d204 in main /libgd-2.1.0_master/master/src/giftogd2.c:32 #8 0x7f5e313afec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #9 0x47cbcc in _start (/libgd-2.1.0_master/master/f_app_src/giftogd2+0x47cbcc) Address 0x7fff7ca923b8 is located in stack of thread T0 at offset 66744 in frame #0 0x52c6bf in ReadImage /libgd-2.1.0_master/master/src/gd_gif_in.c:638 This frame has 14 object(s): [32, 40) '' [96, 104) '' [160, 164) '' [224, 228) '' [288, 296) '' [352, 356) '' [416, 424) '' [480, 481) 'c' [544, 548) 'xpos' [608, 612) 'ypos' [672, 676) 'pass' [736, 740) 'v' [800, 804) 'i' [864, 66744) 'sd' <== Memory access at offset 66744 overflows this variable SUMMARY: AddressSanitizer: stack-buffer-overflow /libgd-2.1.0_master/master/src/gd_gif_in.c:471 GetCode_ Shadow bytes around the buggy address: 0x10006f94a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10006f94a470: 00 00 00 00 00 00 00[f4]f3 f3 f3 f3 00 00 00 00 0x10006f94a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10006f94a4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==23529==ABORTING