GNOME Bugzilla – Bug 453973
missing input validation in several file plug-ins
Last modified: 2007-09-17 15:40:11 UTC
Victor Stinner has discovered several flaws in file plug-ins using his fuzzyfier tool "fusil" (http://fusil.hachoir.org/). Several modified image files cause the plug-ins to crash or consume excessive amounts of memory due to insufficient input validation. Affected plug-ins: bmp, pcx, psd, psp (*.tub).
Created attachment 91243 [details] test image for the BMP plug-in (gimp-mem.bmp)
Created attachment 91244 [details] another test image for the BMP plug-in (gimp-mem2.bmp)
Created attachment 91245 [details] test image for the PSP plug-in (gimp-doublefree.tub)
Created attachment 91246 [details] test image for the PCX plug-in (gimp-mem.pcx)
Created attachment 91247 [details] another test image for the PCX plug-in (gimp-segfault.pcx)
Created attachment 91248 [details] yet another test image for the PCX plug-in (gimp-segfault2.pcx)
Created attachment 91250 [details] test image for the PSD plug-in (gimp-mem.psd)
Created attachment 91251 [details] test image for the winicon plug-in (gimp-segfault.ico)
Created attachment 91252 [details] another test image for the winicon plug-in (gimp-segfault2.ico)
Fixed in SVN trunk and in the 2.2 branch. All these files are now causing the expected errors to be reported by the corresponding plug-ins, and there are no crashes anymore.

2007-07-05  Raphaël Quinet  <raphael@gimp.org>

	Merged several patches from trunk (written by Sven and myself):

	* plug-ins/common/psp.c: error handling cleanup.
	* plug-ins/common/psd.c (do_layer_record): check for invalid number
	of channels in a layer.
	* plug-ins/common/pcx.c (load_image): check for invalid image width
	or height.
	* plug-ins/bmp/bmpread.c: check for invalid image width or height,
	return if the image could not be read instead of trying to set the
	resolution or to flip a non-existing image.

	Fixes bug #453973.
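The checks named in the ChangeLog above (reject invalid width/height, reject an invalid channel or depth count, and return early instead of post-processing an image that was never loaded) are the generic defence against this class of fuzzer finding. The following is an added example written for this page, not GIMP's own bmpread.c or pcx.c: it validates the dimension fields of a Windows BITMAPINFOHEADER (biSize, biWidth, biHeight, biPlanes, biBitCount) with overflow-safe arithmetic before allocating, and the caller bails out on NULL rather than flipping rows or setting the resolution of a non-existent buffer. The caps MAX_DIM and MAX_IMAGE_BYTES, the function names, and the three sample headers are assumptions constructed for illustration; they are not the bug's attachments.

```c
/* Added example, not GIMP code: defensive header validation of the kind the
 * fix above describes. Field offsets follow the Windows BITMAPINFOHEADER;
 * MAX_DIM and MAX_IMAGE_BYTES are assumed limits chosen for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_DIM         32768u                 /* assumed per-dimension cap   */
#define MAX_IMAGE_BYTES ((uint64_t)256 << 20)  /* assumed 256 MiB buffer cap  */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Check width/height/bpp and compute the padded pixel-buffer size.
 * Returns 0 and sets *out_bytes, or -1 if the values are unusable. */
int validate_dims(int32_t width, int32_t height, uint16_t bpp, uint64_t *out_bytes)
{
    uint64_t abs_h, row_bytes, total;

    if (width <= 0 || height == 0 || height == INT32_MIN)
        return -1;                      /* zero or nonsensical dimensions */
    /* BMP encodes a top-down image as a negative height; use the magnitude. */
    abs_h = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    if ((uint64_t)width > MAX_DIM || abs_h > MAX_DIM)
        return -1;                      /* absurd sizes would exhaust memory */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;                      /* invalid depth, like a bad channel count */

    /* 64-bit arithmetic so width * bpp cannot wrap; BMP rows pad to 4 bytes. */
    row_bytes = (((uint64_t)width * bpp + 31) / 32) * 4;
    total = row_bytes * abs_h;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out_bytes = total;
    return 0;
}

/* Parse the first 16 bytes of a BITMAPINFOHEADER and allocate the pixel
 * buffer. Returns NULL on any failure so the caller stops before doing
 * per-image work on a buffer that does not exist. */
uint8_t *load_pixels(const uint8_t *hdr, size_t hdr_len, uint64_t *out_bytes)
{
    int32_t width, height;
    uint16_t planes, bpp;

    if (hdr_len < 16)
        return NULL;                    /* truncated header */
    width  = (int32_t)rd_le32(hdr + 4);
    height = (int32_t)rd_le32(hdr + 8);
    planes = rd_le16(hdr + 12);
    bpp    = rd_le16(hdr + 14);
    if (planes != 1)
        return NULL;
    if (validate_dims(width, height, bpp, out_bytes) != 0)
        return NULL;
    return calloc((size_t)*out_bytes, 1);
}

/* Caller pattern from the fix: return on failure instead of flipping or
 * setting the resolution of an image that was never read. 1 = loaded. */
int load_and_flip(const uint8_t *hdr, size_t hdr_len)
{
    uint64_t bytes = 0;
    uint8_t *pixels = load_pixels(hdr, hdr_len, &bytes);
    if (pixels == NULL)
        return 0;                       /* report the error and stop here */
    /* ... flip rows in place, set resolution, hand pixels to the caller ... */
    free(pixels);
    return 1;
}

/* Constructed sample headers (biSize=40, width, height, planes, bpp). */
static const uint8_t HDR_OK[16]   = {40,0,0,0, 4,0,0,0, 3,0,0,0, 1,0, 24,0};
static const uint8_t HDR_HUGE[16] = {40,0,0,0, 0xff,0xff,0xff,0x7f,
                                     0xff,0xff,0xff,0x7f, 1,0, 24,0};
static const uint8_t HDR_ZERO[16] = {40,0,0,0, 0,0,0,0, 3,0,0,0, 1,0, 24,0};

int main(void)
{
    printf("4x3x24:        loaded=%d\n", load_and_flip(HDR_OK, sizeof HDR_OK));
    printf("INT32_MAX^2:   loaded=%d\n", load_and_flip(HDR_HUGE, sizeof HDR_HUGE));
    printf("width 0:       loaded=%d\n", load_and_flip(HDR_ZERO, sizeof HDR_ZERO));
    printf("8-byte header: loaded=%d\n", load_and_flip(HDR_OK, 8));
    return 0;
}
```

The two points worth carrying into any loader: do the size arithmetic in a type wider than the fields (or check for overflow explicitly) before the allocation, and make every failure path return to the caller before any code that assumes the image exists.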
This is with current SVN (r23572):

nils@wombat:~/test/gimp> ~/gimp-trunk/bin/gimp gimp-segfault.pcx
/home/nils/gimp-trunk/lib/gimp/2.0/plug-ins/pcx: fatal error: Segmentation fault
nils@wombat:~/test/gimp> ~/gimp-trunk/bin/gimp gimp-segfault2.pcx
/home/nils/gimp-trunk/lib/gimp/2.0/plug-ins/pcx: fatal error: Segmentation fault

I would reopen it, but it seems that I can't do that.
Closing again. New info belongs to separate bug report.
FYI, the new bug is bug #477802.