Bug 451379 - Multiple integer overflow vulnerabilities in load plug-ins
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.2.x
Hardware: Other
OS: All
Priority: Normal
Severity: major
Target Milestone: 2.2
Assigned To: GIMP Bugs
Depends on:
Blocks:
Reported: 2007-06-26 20:23 UTC by Sven Neumann
Modified: 2008-01-15 13:28 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Sven Neumann 2007-06-26 20:23:40 UTC
It has been brought to my attention that Sean Larsson of iDefense Labs has identified a number of integer overflow vulnerabilities in our load plug-ins. We need to close these holes in both branches and make a GIMP 2.2 release available with the fixed plug-ins as soon as possible.

Remote exploitation of multiple integer overflow vulnerabilities in several of the image loader plugins included with distributions of 'The GIMP' allow attackers to crash GIMP or potentially execute arbitrary code with the privileges of the user.

The following lines show the location of some vulnerabilities within the following file formats:

    * DICOM
    * PNM 
    * PSD
    * PSP
    * Sun RAS
    * XBM
    * XWD

The following code shows the lines which cause the vulnerabilities. Each of these files is in plug-ins/common/

dicom.c:391:      value = g_new0 (guint8, element_length + 4);  /* HOLE */
pnm.c:566:  data = g_new (guchar, gimp_tile_height () * info->xres * np); /* HOLE */
pnm.c:628:  data = g_new (guchar, gimp_tile_height () * info->xres * info->np);   /* HOLE */
pnm.c:681:  data = g_new (guchar, gimp_tile_height () * info->xres);  /* HOLE */
psd.c:2969:     PSDheader.rowlength = g_malloc (PSDheader.rows *    /* HOLE */
psp.c:1225:      pixel = g_malloc0 (height * width * bytespp); /* HOLE */
sunras.c:955:  data = g_malloc (tile_height * width);    /* HOLE */
sunras.c:1076:  data = g_malloc (tile_height * width);    /* HOLE */
sunras.c:1146:  data = g_malloc (tile_height * width * 3);    /* HOLE */
sunras.c:1231:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xbm.c:879:  data = (guchar *) g_malloc (width * tileheight);    /* HOLE */
xwd.c:1193:  data = g_malloc (tile_height * width);    /* HOLE */
xwd.c:1195:  scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8);  /* HOLE */
xwd.c:1352:  data = g_malloc (tile_height * width);    /* HOLE */
xwd.c:1441:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xwd.c:1601:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xwd.c:1812:  data = g_malloc (tile_height * width * bytes_per_pixel);  /* HOLE */

In each of these cases an integer value from an untrusted input source has arithmetic operations performed upon it to calculate the length to allocate. As there is no checking of the result for integer overflows, an overflow which may be exploitable on some platforms can be triggered.
Comment 1 Raphaël Quinet 2007-07-04 08:59:49 UTC
Temporarily setting this bug to "GNOME Hackers" only until the code is fixed.
Comment 2 Raphaël Quinet 2007-07-04 23:35:14 UTC
This bug should now be fixed by the recent commits from Mukund and myself.  If nobody complains about these patches, I will backport my changes to the 2.2 branch tomorrow and un-hide this bug soon afterwards.

2007-07-05  Raphaël Quinet  <raphael@gimp.org>

	* plug-ins/common/pnm.c (load_image)
	* plug-ins/common/psp.c (read_layer_block)
	* plug-ins/common/sunras.c (load_image)
	* plug-ins/common/xbm.c (load_image)
	* plug-ins/common/xwd.c (load_image): validate size values read
	from files before using them to allocate memory (bug #451379).

2007-07-04  Mukund Sivaraman  <muks@mukund.org>

	* plug-ins/common/psd-load.c: validate size values read from files
	before using them to allocate memory.

2007-07-04  Mukund Sivaraman  <muks@mukund.org>

	* plug-ins/common/dicom.c: validate size values read from files
	before using them to allocate memory.
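The allocation pattern flagged in the description and the validation described in the ChangeLog entries above, as an added C example (not GIMP's code): the unchecked size computation beside a range-checked, overflow-checked version. Names follow the report (tile_height, width, bytes_per_pixel); the dimension and bytes-per-pixel limits and the exact checks are assumptions, since the ChangeLog says only that size values are validated before allocation.

```c
/* Added example, not GIMP code: the unchecked tile-buffer size from the
 * advisory next to a validated version.  Names follow the report
 * (tile_height, width, bytes_per_pixel); MAX_DIMENSION and MAX_BPP are
 * assumed limits, not values taken from GIMP. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIMENSION 65535u   /* assumed sane upper bound for width */
#define MAX_BPP       4u       /* assumed upper bound for bytes_per_pixel */

/* Multiply two sizes, reporting overflow instead of wrapping around.
 * Returns 1 and stores a*b in *out on success, 0 if a*b does not fit. */
static int size_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* The HOLE pattern: width and bytes_per_pixel come from the file header
 * and the product is formed in 32-bit arithmetic with no check, so a
 * large header value wraps to a small number and the buffer ends up too
 * short for the rows later written into it. */
static uint32_t unchecked_size(uint32_t tile_height, uint32_t width,
                               uint32_t bytes_per_pixel)
{
    return tile_height * width * bytes_per_pixel;   /* HOLE: may wrap */
}

/* Validated version: range-check each header value first, then use
 * checked multiplication.  Returns the byte count, or 0 to reject. */
static size_t checked_size(uint32_t tile_height, uint32_t width,
                           uint32_t bytes_per_pixel)
{
    size_t n;
    if (width == 0 || width > MAX_DIMENSION)
        return 0;
    if (bytes_per_pixel == 0 || bytes_per_pixel > MAX_BPP)
        return 0;
    if (!size_mul(tile_height, width, &n) || !size_mul(n, bytes_per_pixel, &n))
        return 0;
    return n;
}

int main(void)
{
    /* Constructed header values: 64 * 0x01000000 * 4 == 2^32 wraps to 0. */
    printf("unchecked: %" PRIu32 " bytes\n", unchecked_size(64, 0x01000000u, 4));
    printf("checked:   %zu bytes (0 = rejected)\n", checked_size(64, 0x01000000u, 4));
    return 0;
}
```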

Comment 3 Raphaël Quinet 2007-07-05 13:21:31 UTC
Backported to the 2.2 branch, closing this bug:

2007-07-05  Raphaël Quinet  <raphael@gimp.org>

	Merged several patches from trunk (written by Mukund Sivaraman and
	myself):
	
	* plug-ins/common/dicom.c
	* plug-ins/common/pnm.c
	* plug-ins/common/psd.c
	* plug-ins/common/psp.c
	* plug-ins/common/sunras.c
	* plug-ins/common/xbm.c
	* plug-ins/common/xwd.c: validate size values read from files
	before using them to allocate memory.  Fixes bug #451379, brought
	to our attention by Sean Larsson of iDefense Labs.
Comment 4 Raphaël Quinet 2007-07-10 11:55:04 UTC
Just for the sake of cross-references:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=551
Unfortunately, the disclosure timeline on that page shows that two previous attempts at notifying us about these problems never reached us because they were sent by e-mail instead of bugzilla.  I have now updated http://www.gimp.org/bugs/ to give some recommendations.