Bug 151034 - buffer overflow in bmp handling
Status: RESOLVED WONTFIX
Product: imlib1
Classification: Deprecated
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: Mark Crichton
Mark Crichton
gnome[unmaintained]
Depends on:
Blocks:
 
 
Reported: 2004-08-25 15:34 UTC by Marcus Meissner
Modified: 2012-02-24 15:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crash.bmp (3.05 KB, image/bmp), 2004-08-25 15:35 UTC, Marcus Meissner
imlib-1.9.14-fix.patch (906 bytes, patch), 2004-08-25 15:35 UTC, Marcus Meissner
imlib-1.9.14-suse-alt-bound.patch (5.46 KB, patch), 2004-08-31 11:59 UTC, Dmitry V. Levin
imlib strace output (3.16 KB, text/plain), 2004-09-06 17:18 UTC, Sune Kloppenborg Jeppesen
imlib-1.9.14-suse-alt-bound.patch (11.49 KB, patch), 2004-09-06 17:26 UTC, Dmitry V. Levin

Description Marcus Meissner 2004-08-25 15:34:34 UTC
View the attached BMP in an imlib 1 based viewer. See it crash.
Comment 1 Marcus Meissner 2004-08-25 15:35:14 UTC
Created attachment 30933
crash.bmp
Comment 2 Marcus Meissner 2004-08-25 15:35:40 UTC
Created attachment 30934
imlib-1.9.14-fix.patch

patch that fixes the problem.
Comment 3 Mark Crichton 2004-08-27 15:34:04 UTC
Not a security issue.  WONTFIX.  Please use something written in this century.
Comment 4 Mark Crichton 2004-08-27 15:43:47 UTC
Ok, actually, it could be bad.
Comment 5 Dmitry V. Levin 2004-08-31 11:59:02 UTC
Created attachment 31137
imlib-1.9.14-suse-alt-bound.patch

Here is a patch I'm going to use for updates.
While I'm not sure that the resulting image will be correct, this patch addresses all
potential heap corruption problems found in loader_bmp() so far, and allows loading
as much bmp data as possible.
Comment 6 Sune Kloppenborg Jeppesen 2004-09-06 17:16:50 UTC
Downstream we tried the patch from comment #2 without luck.

Pasting comment:

Chris White 2004-09-06 09:47 PST -------
Something seems wrong here.

I tried with xzgv (which depends on imlib) and tried the exploit, which gave
the correct effect (xzgv took the big one). However, after applying the
patch, re-emerging imlib, and even re-emerging xzgv, it still bites the big
one while loading the exploit file.

I did an strace to make sure, and sure enough it bites the big one shortly
after accessing imlib. I think we should probably upstream this, and I'll
attach the relevant strace output for upstream to look at.
Comment 7 Sune Kloppenborg Jeppesen 2004-09-06 17:18:32 UTC
Created attachment 31333
imlib strace output
Comment 8 Dmitry V. Levin 2004-09-06 17:26:44 UTC
Created attachment 31335
imlib-1.9.14-suse-alt-bound.patch

Proposed patch, take 2.
Patching gdk_imlib/io-bmp.c is not sufficient; Imlib/load.c also requires the same
fix.
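The fix described in comments 5 and 8 amounts to bounding every read of BMP data by what was actually loaded rather than by what the header claims. The following C code is an added illustration of that kind of check and is not imlib's loader or any of the attached patches; the function names, error codes and the 16384-pixel dimension cap are assumptions of this example. It validates the BMP file and info headers against the real byte count before any allocation or copy, rejecting a file whose claimed pixel array does not fit in the bytes held, and it ignores the header's own file-size field because that field is attacker-controlled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not imlib code: validate BMP headers against the number of
 * bytes actually held, so a header claiming more pixel data than exists is
 * rejected instead of driving a read past the end of the heap buffer. */

#define BMP_FILE_HDR 14      /* "BM", file size, reserved, pixel-array offset */
#define BMP_INFO_HDR 40      /* BITMAPINFOHEADER */
#define BMP_MAX_DIM  16384   /* assumed sanity cap; keeps stride * height far from overflow */

enum bmp_err {
    BMP_OK            =  0,
    BMP_E_SHORT       = -1,  /* fewer bytes than the two headers */
    BMP_E_MAGIC       = -2,
    BMP_E_HDRSIZE     = -3,
    BMP_E_PLANES      = -4,
    BMP_E_COMPRESSION = -5,  /* this example handles uncompressed (BI_RGB) only */
    BMP_E_BPP         = -6,
    BMP_E_DIMENSION   = -7,
    BMP_E_OFFSET      = -8,  /* pixel array would start inside the headers or past the end */
    BMP_E_TRUNCATED   = -9   /* claimed pixel array larger than the data we hold */
};

struct bmp_info {
    int32_t  width, height;  /* negative height means top-down row order */
    uint16_t bpp;
    uint32_t data_offset;
    size_t   row_bytes;      /* stride, padded to a multiple of 4 */
    size_t   pixel_bytes;    /* stride * |height| */
};

/* Little-endian field accessors; plain shifts on unsigned char would promote to int. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Check the headers in buf against len, the byte count really in memory.
 * The file-size field inside the header is attacker-controlled and ignored. */
int bmp_validate(const unsigned char *buf, size_t len, struct bmp_info *out)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_E_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_E_MAGIC;
    uint32_t data_offset = rd32(buf + 10);
    uint32_t hdr_size    = rd32(buf + 14);
    if (hdr_size < BMP_INFO_HDR) return BMP_E_HDRSIZE;
    int32_t  width  = (int32_t)rd32(buf + 18);
    int32_t  height = (int32_t)rd32(buf + 22);
    if (rd16(buf + 26) != 1) return BMP_E_PLANES;
    uint16_t bpp = rd16(buf + 28);
    if (rd32(buf + 30) != 0) return BMP_E_COMPRESSION;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_E_BPP;
    int64_t abs_h = height < 0 ? -(int64_t)height : height;
    if (width <= 0 || width > BMP_MAX_DIM || abs_h <= 0 || abs_h > BMP_MAX_DIM) return BMP_E_DIMENSION;
    /* 64-bit arithmetic plus the dimension cap: the size computation cannot wrap. */
    uint64_t row_bytes   = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = row_bytes * (uint64_t)abs_h;
    if ((uint64_t)data_offset < (uint64_t)BMP_FILE_HDR + hdr_size || data_offset > len) return BMP_E_OFFSET;
    if (pixel_bytes > (uint64_t)(len - data_offset)) return BMP_E_TRUNCATED;  /* the check that matters */
    if (out) {
        out->width = width; out->height = height; out->bpp = bpp; out->data_offset = data_offset;
        out->row_bytes = (size_t)row_bytes; out->pixel_bytes = (size_t)pixel_bytes;
    }
    return BMP_OK;
}

/* Constructed test data: write a 54-byte uncompressed header claiming width x height at bpp. */
void bmp_build_header(unsigned char *buf, int32_t width, int32_t height, uint16_t bpp, uint32_t claimed_size)
{
    memset(buf, 0, BMP_FILE_HDR + BMP_INFO_HDR);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, claimed_size);                  /* untrusted; the validator never relies on it */
    wr32(buf + 10, BMP_FILE_HDR + BMP_INFO_HDR);  /* pixel array follows the headers directly */
    wr32(buf + 14, BMP_INFO_HDR);
    wr32(buf + 18, (uint32_t)width);
    wr32(buf + 22, (uint32_t)height);
    wr16(buf + 26, 1);
    wr16(buf + 28, bpp);
}

/* Scenario 1: 4x4 at 24 bpp, all 48 pixel bytes present (12-byte padded rows). Expect BMP_OK. */
int example_well_formed(void)
{
    unsigned char img[54 + 48] = {0};
    struct bmp_info info;
    bmp_build_header(img, 4, 4, 24, (uint32_t)sizeof img);
    int rc = bmp_validate(img, sizeof img, &info);
    if (rc == BMP_OK && (info.row_bytes != 12 || info.pixel_bytes != 48)) return -100;
    return rc;
}

/* Scenario 2: same header, but the file ends after 20 pixel bytes. Expect BMP_E_TRUNCATED. */
int example_truncated(void)
{
    unsigned char img[54 + 48] = {0};
    bmp_build_header(img, 4, 4, 24, (uint32_t)sizeof img);
    return bmp_validate(img, 54 + 20, NULL);
}

/* Scenario 3: header claims 16000x16000 at 32 bpp (about 1 GiB) with 48 bytes behind it. Expect BMP_E_TRUNCATED. */
int example_oversized_claim(void)
{
    unsigned char img[54 + 48] = {0};
    bmp_build_header(img, 16000, 16000, 32, 0xFFFFFFFFu);
    return bmp_validate(img, sizeof img, NULL);
}
```

The point of the design is that every later loop bound (row stride, row count, data offset) is derived from values that have already been checked against `len`, so a decoder built on top of `bmp_validate` never has to trust a header field on its own. Comment 8's observation that both gdk_imlib/io-bmp.c and Imlib/load.c needed the change is the practical corollary: a check like this has to sit in front of every code path that parses the format, not just the one that was first reported.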
Comment 9 Sune Kloppenborg Jeppesen 2004-09-06 18:58:07 UTC
The patch from #8 works fine.
Comment 10 André Klapper 2012-02-24 15:30:18 UTC
According to http://ftp.gnome.org/pub/GNOME/sources/imlib/ the last tarball release was on 24-Sep-2004.
Same for the last code commit: http://git.gnome.org/browse/archive/imlib/log/

Hence this application has been unmaintained for quite a while and its maintainer will not work on it soon. Please feel free to reopen this bug report
in the future if anyone takes the responsibility for active development.