After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 451379 - Multiple integer overflow vulnerabilities in load plug-ins
Multiple integer overflow vulnerabilities in load plug-ins
Product: GIMP
Classification: Other
Component: Plugins
Other All
: Normal major
: 2.2
Assigned To: GIMP Bugs
Depends on:
Reported: 2007-06-26 20:23 UTC by Sven Neumann
Modified: 2008-01-15 13:28 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Sven Neumann 2007-06-26 20:23:40 UTC
It has been brought to my attention that Sean Larsson of iDefense Labs has identified a number of integer overflow vulnerabilities in our load plug-ins. We need to close these holes in both branches and make a GIMP 2.2 release available with the fixed plug-ins as soon as possible.

Remote exploitation of multiple integer overflow vulnerabilities in 
several of the image loader plugins included with distributions of 'The 
GIMP' allow attackers to crash GIMP or potentially execute arbitrary 
code with the privileges of the user.

The following lines show the location of some vulnerabilties within 
the following file formats: 

    * DICOM
    * PNM 
    * PSD
    * PSP
    * Sun RAS
    * XBM
    * XWD

The follow code shows the lines which cause the vulnerabilities. Each of 
these files are in from plug-ins/common/

dicom.c:391:      value = g_new0 (guint8, element_length + 4);  /* HOLE */
pnm.c:566:  data = g_new (guchar, gimp_tile_height () * info->xres * np); /* HOLE */
pnm.c:628:  data = g_new (guchar, gimp_tile_height () * info->xres * info->np);   /* HOLE */
pnm.c:681:  data = g_new (guchar, gimp_tile_height () * info->xres);  /* HOLE */
psd.c:2969:     PSDheader.rowlength = g_malloc (PSDheader.rows *    /* HOLE */
psp.c:1225:      pixel = g_malloc0 (height * width * bytespp); /* HOLE */
sunras.c:955:  data = g_malloc (tile_height * width);    /* HOLE */
sunras.c:1076:  data = g_malloc (tile_height * width);    /* HOLE */
sunras.c:1146:  data = g_malloc (tile_height * width * 3);    /* HOLE */
sunras.c:1231:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xbm.c:879:  data = (guchar *) g_malloc (width * tileheight);    /* HOLE */
xwd.c:1193:  data = g_malloc (tile_height * width);    /* HOLE */
xwd.c:1195:  scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8);  /* HOLE */
xwd.c:1352:  data = g_malloc (tile_height * width);    /* HOLE */
xwd.c:1441:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xwd.c:1601:  data = g_malloc (tile_height * width * 3);    /* HOLE */
xwd.c:1812:  data = g_malloc (tile_height * width * bytes_per_pixel);  /* HOLE */

In each of these cases a integer value from a untrused input source has 
arithmetic operations performed upon it to calculate the length to 
allocate. As there is not checking of the result for integer overflows, 
an overflow which may be exploitable on some platforms can be triggered.
Comment 1 Raphaël Quinet 2007-07-04 08:59:49 UTC
Temporarily setting this bug to "GNOME Hackers" only until the code is fixed.
Comment 2 Raphaël Quinet 2007-07-04 23:35:14 UTC
This bug should now be fixed by the recent commits from Mukund and myself.  If nobody complains about these patches, I will backport my changes to the 2.2 branch tomorrow and un-hide this bug soon afterwards.

2007-07-05  Raphaël Quinet  <>

	* plug-ins/common/pnm.c (load_image)
	* plug-ins/common/psp.c (read_layer_block)
	* plug-ins/common/sunras.c (load_image)
	* plug-ins/common/xbm.c (load_image)
	* plug-ins/common/xwd.c (load_image): validate size values read
	from files before using them to allocate memory (bug #451379).

2007-07-04  Mukund Sivaraman  <>

	* plug-ins/common/psd-load.c: validate size values read from files
	before using them to allocate memory.

2007-07-04  Mukund Sivaraman  <>

	* plug-ins/common/dicom.c: validate size values read from files
	before using them to allocate memory.

Comment 3 Raphaël Quinet 2007-07-05 13:21:31 UTC
Backported to the 2.2 branch, closing this bug:

2007-07-05  Raphaël Quinet  <>

	Merged several patches from trunk (written by Mukund Sivaraman and
	* plug-ins/common/dicom.c
	* plug-ins/common/pnm.c
	* plug-ins/common/psd.c
	* plug-ins/common/psp.c
	* plug-ins/common/sunras.c
	* plug-ins/common/xbm.c
	* plug-ins/common/xwd.c: validate size values read from files
	before using them to allocate memory.  Fixes bug #451379, brought
	to our attention by Sean Larsson of iDefense Labs.
Comment 4 Raphaël Quinet 2007-07-10 11:55:04 UTC
Just for the sake of cross-references:
Unfortunately, the disclosure timeline on that page shows that two previous attempts at notifying us about these problems never reached us because they were sent by e-mail instead of bugzilla.  I have now updated to give some recommendations.