Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow

Release Date:
April 19th, 2006

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.6 and prior

Overview:
A heap overflow vulnerability exists when processing .gif files which causes the application to crash, and or may allow for an attacker to execute arbitrary code on the targted host.

Technical Details:
When decompressing a specially crafted .gif file, the CFAllocatorAllocate () function incorrectly parses the malformed data and causes the application to segmentation fault.

Below the crash is triggered on OS X (PPC) 10.4.6 using Safari within gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x19191921
[Switching to process 529 thread 0x6a8f]
0x90004688 in szone_malloc ()
(gdb) bt
#0 0x90004688 in szone_malloc ()
#1 0x0180016c in ?? ()
#2 0x907c2aa8 in CFAllocatorAllocate ()
#3 0x907c289c in _CFRuntimeCreateInstance ()
#4 0x903c4288 in createCache ()
#5 0x903c2e90 in initialize ()
#6 0x903c2b80 in create ()
#7 0x9043f120 in CGColorTransformCreateMutable ()
#8 0x9043f0b0 in CGBitmapColorTransformCreate ()
#9 0x9043efc0 in createBitmapContext ()
#10 0x9043e99c in CGBitmapContextCreateWithDictionary ()
#11 0x91a03540 in CGImageCreateCopyWithParameters ()
#12 0x919fffd0 in CGImageSourceCreateThumbnailAtIndex ()
#13 0x0000aac4 in ?? ()
#14 0x0000a858 in ?? ()
#15 0x000037d0 in ?? ()
#16 0x92977194 in forkThreadForFunction ()
#17 0x9002ba68 in _pthread_body ()
(gdb)

Vendor Status:
Apple was notified.

Solution:
This issue has been fixed in Security Update 2006-003

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x28.html
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008