Control: retitle -1 imlib2: CVE-2016-3994: GIF loader: out-of-bounds read

Hi,

On Fri, May 15, 2015 at 01:23:05PM +0200, Jakub Wilk wrote:
> Package: libimlib2
> Version: 1.4.7-1
> Usertags: afl
> 
> Loading the attached image causes out-of-bounds reads:
> 
> $ valgrind ./debian/tmp/usr/bin/imlib2_conv oob.gif oob.ppm
> ==8382== Memcheck, a memory error detector
> ==8382== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==8382== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
> ==8382== Command: ./debian/tmp/usr/bin/imlib2_conv oob.gif oob.ppm
> ==8382==
> ==8382== Invalid read of size 1
> ==8382==    at 0x495CABE: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)
> ==8382==  Address 0x456cc66 is 2 bytes after a block of size 12 alloc'd
> ==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)
> ==8382==
> ==8382== Invalid read of size 1
> ==8382==    at 0x495CAC2: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)
> ==8382==  Address 0x456cc64 is 0 bytes after a block of size 12 alloc'd
> ==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)
> ==8382==
> ==8382== Invalid read of size 1
> ==8382==    at 0x495CAD0: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)
> ==8382==  Address 0x456cc65 is 1 bytes after a block of size 12 alloc'd
> ==8382==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==8382==    by 0x4AB329E: MakeMapObject (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFE2A: DGifGetScreenDesc (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x4AAFFF6: DGifOpenFileHandle (in /usr/lib/i386-linux-gnu/libgif.so.4.1.6)
> ==8382==    by 0x495C93A: load (in /usr/lib/i386-linux-gnu/imlib2/loaders/gif.so)
> ==8382==    by 0x405DB36: imlib_save_image (in /usr/lib/i386-linux-gnu/libImlib2.so.1.4.7)
> ==8382==    by 0x8048893: main (imlib2_conv.c:76)

CVE-2016-3994 has been assigned for this issue.

Regards,
Salvatore
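Added example, not imlib2's or giflib's code: the three one-byte reads in the quoted trace land 0, 1 and 2 bytes past a 12-byte block that MakeMapObject calloc'd, which is consistent with a 4-entry GIF colour map of 3-byte RGB triples being indexed with pixel value 4. The structs below are an assumed minimal mirror of giflib's colour-map layout, and the lookup shows the bounds check a loader needs before it indexes that map with file-controlled pixel values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed minimal mirror of giflib's colour map: ColorCount RGB triples,
 * 3 bytes each, so a 4-entry map occupies 12 bytes (the block size in the
 * Valgrind report). */
typedef struct { uint8_t Red, Green, Blue; } GifColor;
typedef struct { int ColorCount; GifColor *Colors; } GifColorMap;

/* Convert one pixel index into 0xAARRGGBB.  Returns 0 and writes *out on
 * success.  Returns -1 without reading past Colors[ColorCount-1] when the
 * index is outside the map: an unchecked lookup of index 4 on a 4-entry map
 * would read bytes 12..14, i.e. 0, 1 and 2 bytes past the 12-byte block,
 * exactly the three addresses Valgrind flagged. */
int gif_lookup_colour(const GifColorMap *map, unsigned idx, uint32_t *out)
{
    if (map == NULL || map->Colors == NULL || out == NULL ||
        map->ColorCount <= 0 || idx >= (unsigned)map->ColorCount)
        return -1;
    const GifColor *c = &map->Colors[idx];
    *out = 0xFF000000u | ((uint32_t)c->Red << 16) |
           ((uint32_t)c->Green << 8) | (uint32_t)c->Blue;
    return 0;
}

/* Translate a whole index buffer.  Out-of-range indices become transparent
 * black and are counted, so a hostile file cannot steer reads outside the
 * map while the caller can still choose to reject the image.  Returns the
 * number of bad indices, or -1 on a bad argument. */
long gif_indices_to_argb(const GifColorMap *map, const uint8_t *indices,
                         size_t n, uint32_t *argb)
{
    if (map == NULL || indices == NULL || argb == NULL)
        return -1;
    long bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (gif_lookup_colour(map, indices[i], &argb[i]) != 0) {
            argb[i] = 0;
            bad++;
        }
    }
    return bad;
}
```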