GNOME Bugzilla – Bug 451379
Multiple integer overflow vulnerabilities in load plug-ins
Last modified: 2008-01-15 13:28:24 UTC
It has been brought to my attention that Sean Larsson of iDefense Labs has identified a number of integer overflow vulnerabilities in our load plug-ins. We need to close these holes in both branches and make a GIMP 2.2 release available with the fixed plug-ins as soon as possible.

Remote exploitation of multiple integer overflow vulnerabilities in several of the image loader plugins included with distributions of 'The GIMP' allows attackers to crash GIMP or potentially execute arbitrary code with the privileges of the user.

The following lines show the location of some vulnerabilities within the following file formats:

* DICOM
* PNM
* PSD
* PSP
* Sun RAS
* XBM
* XWD

The following code shows the lines which cause the vulnerabilities. Each of these files is in plug-ins/common/:

dicom.c:391: value = g_new0 (guint8, element_length + 4); /* HOLE */
pnm.c:566: data = g_new (guchar, gimp_tile_height () * info->xres * np); /* HOLE */
pnm.c:628: data = g_new (guchar, gimp_tile_height () * info->xres * info->np); /* HOLE */
pnm.c:681: data = g_new (guchar, gimp_tile_height () * info->xres); /* HOLE */
psd.c:2969: PSDheader.rowlength = g_malloc (PSDheader.rows * /* HOLE */
psp.c:1225: pixel = g_malloc0 (height * width * bytespp); /* HOLE */
sunras.c:955: data = g_malloc (tile_height * width); /* HOLE */
sunras.c:1076: data = g_malloc (tile_height * width); /* HOLE */
sunras.c:1146: data = g_malloc (tile_height * width * 3); /* HOLE */
sunras.c:1231: data = g_malloc (tile_height * width * 3); /* HOLE */
xbm.c:879: data = (guchar *) g_malloc (width * tileheight); /* HOLE */
xwd.c:1193: data = g_malloc (tile_height * width); /* HOLE */
xwd.c:1195: scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8); /* HOLE */
xwd.c:1352: data = g_malloc (tile_height * width); /* HOLE */
xwd.c:1441: data = g_malloc (tile_height * width * 3); /* HOLE */
xwd.c:1601: data = g_malloc (tile_height * width * 3); /* HOLE */
xwd.c:1812: data = g_malloc (tile_height * width * bytes_per_pixel); /* HOLE */

In each of these cases an integer value from an untrusted input source has arithmetic operations performed upon it to calculate the length to allocate. As there is no checking of the result for integer overflows, an overflow which may be exploitable on some platforms can be triggered.
Temporarily setting this bug to "GNOME Hackers" only until the code is fixed.
This bug should now be fixed by the recent commits from Mukund and myself. If nobody complains about these patches, I will backport my changes to the 2.2 branch tomorrow and un-hide this bug soon afterwards.

2007-07-05 Raphaël Quinet <raphael@gimp.org>

* plug-ins/common/pnm.c (load_image)
* plug-ins/common/psp.c (read_layer_block)
* plug-ins/common/sunras.c (load_image)
* plug-ins/common/xbm.c (load_image)
* plug-ins/common/xwd.c (load_image): validate size values read from files before using them to allocate memory (bug #451379).

2007-07-04 Mukund Sivaraman <muks@mukund.org>

* plug-ins/common/psd-load.c: validate size values read from files before using them to allocate memory.

2007-07-04 Mukund Sivaraman <muks@mukund.org>

* plug-ins/common/dicom.c: validate size values read from files before using them to allocate memory.
Backported to the 2.2 branch, closing this bug:

2007-07-05 Raphaël Quinet <raphael@gimp.org>

Merged several patches from trunk (written by Mukund Sivaraman and myself):

* plug-ins/common/dicom.c
* plug-ins/common/pnm.c
* plug-ins/common/psd.c
* plug-ins/common/psp.c
* plug-ins/common/sunras.c
* plug-ins/common/xbm.c
* plug-ins/common/xwd.c: validate size values read from files before using them to allocate memory. Fixes bug #451379, brought to our attention by Sean Larsson of iDefense Labs.
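The pattern these ChangeLog entries describe, validating size values read from a file before multiplying them into an allocation length, shown as an added example that is not GIMP's own code: plain C standing in for the glib allocators, with a constructed dimension bound (MAX_IMAGE_DIM) and the unchecked 32-bit arithmetic of the reported lines placed beside a checked version that covers both the multiplicative (tile_height * width * bpp) and the additive (bytes_per_line + 8) cases.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed bound for this example; real loaders pick a limit that
 * suits their format.  Rejecting absurd header values up front is the
 * first half of "validate size values read from files". */
#define MAX_IMAGE_DIM 65536u

/* Unchecked computation of the kind flagged in the report: the product is
 * formed in 32-bit unsigned arithmetic and silently wraps, so a large width
 * read from the file yields a small buffer that is later written past its end. */
uint32_t naive_buffer_size (uint32_t tile_height, uint32_t width, uint32_t bpp)
{
  return tile_height * width * bpp;
}

/* Checked version.  Returns the byte count, or 0 when the header values
 * are rejected (0 is never a valid size here because zero dimensions are
 * refused).  Each multiplication is tested against SIZE_MAX before it is
 * performed, so the result cannot wrap on any platform word size. */
size_t checked_buffer_size (uint32_t tile_height, uint32_t width, uint32_t bpp)
{
  size_t rowbytes;
  if (tile_height == 0 || width == 0 || width > MAX_IMAGE_DIM || bpp == 0 || bpp > 4)
    return 0;
  if ((size_t) width > SIZE_MAX / bpp)
    return 0;
  rowbytes = (size_t) width * bpp;
  if (rowbytes > SIZE_MAX / tile_height)
    return 0;
  return rowbytes * tile_height;
}

/* The xwd-style "bytes_per_line + 8" case: an additive overflow.  Bounding
 * the input first and doing the sum in size_t removes the wrap. */
size_t checked_scanline_size (uint32_t bytes_per_line)
{
  if (bytes_per_line == 0 || bytes_per_line > (size_t) MAX_IMAGE_DIM * 4)
    return 0;
  return (size_t) bytes_per_line + 8;
}

/* Allocation wrapper in the shape of the fixed plug-ins: validate first,
 * allocate second, and fail the load instead of allocating a wrapped size. */
unsigned char *alloc_tile_buffer (uint32_t tile_height, uint32_t width, uint32_t bpp)
{
  size_t n = checked_buffer_size (tile_height, width, bpp);
  return n ? malloc (n) : NULL;
}
```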
Just for the sake of cross-references: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=551 Unfortunately, the disclosure timeline on that page shows that two previous attempts at notifying us about these problems never reached us because they were sent by e-mail instead of bugzilla. I have now updated http://www.gimp.org/bugs/ to give some recommendations.