Bug 453973 - missing input validation in several file plug-ins
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: git master
Hardware: Other
OS: All
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: GIMP Bugs
Depends on:
Blocks:
Reported: 2007-07-05 15:08 UTC by Raphaël Quinet
Modified: 2007-09-17 15:40 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
test image for the BMP plug-in (gimp-mem.bmp), 8.38 KB, application/octet-stream, 2007-07-05 15:10 UTC, Raphaël Quinet
another test image for the BMP plug-in (gimp-mem2.bmp), 8.42 KB, application/octet-stream, 2007-07-05 15:10 UTC, Raphaël Quinet
test image for the PSP plug-in (gimp-doublefree.tub), 503.06 KB, application/octet-stream, 2007-07-05 15:11 UTC, Raphaël Quinet
test image for the PCX plug-in (gimp-mem.pcx), 40.10 KB, application/octet-stream, 2007-07-05 15:12 UTC, Raphaël Quinet
another test image for the PCX plug-in (gimp-segfault.pcx), 40.17 KB, application/octet-stream, 2007-07-05 15:13 UTC, Raphaël Quinet
yet another test image for the PCX plug-in (gimp-segfault2.pcx), 40.14 KB, application/octet-stream, 2007-07-05 15:13 UTC, Raphaël Quinet
test image for the PSD plug-in (gimp-mem.psd), 875.85 KB, application/octet-stream, 2007-07-05 15:15 UTC, Raphaël Quinet
test image for the winicon plug-in (gimp-segfault.ico), 1.12 KB, application/octet-stream, 2007-07-05 15:19 UTC, Raphaël Quinet
another test image for the winicon plug-in (gimp-segfault2.ico), 1.12 KB, application/octet-stream, 2007-07-05 15:19 UTC, Raphaël Quinet

Description Raphaël Quinet 2007-07-05 15:08:55 UTC
Victor Stinner has discovered several flaws in file plug-ins using his fuzzyfier tool "fusil" (http://fusil.hachoir.org/).  Several modified image files cause the plug-ins to crash or consume excessive amounts of memory due to insufficient input validation.

Affected plug-ins: bmp, pcx, psd, psp (*.tub).
Comment 1 Raphaël Quinet 2007-07-05 15:10:17 UTC
Created attachment 91243 [details]
test image for the BMP plug-in (gimp-mem.bmp)
Comment 2 Raphaël Quinet 2007-07-05 15:10:49 UTC
Created attachment 91244 [details]
another test image for the BMP plug-in (gimp-mem2.bmp)
Comment 3 Raphaël Quinet 2007-07-05 15:11:48 UTC
Created attachment 91245 [details]
test image for the PSP plug-in (gimp-doublefree.tub)
Comment 4 Raphaël Quinet 2007-07-05 15:12:42 UTC
Created attachment 91246 [details]
test image for the PCX plug-in (gimp-mem.pcx)
Comment 5 Raphaël Quinet 2007-07-05 15:13:26 UTC
Created attachment 91247 [details]
another test image for the PCX plug-in (gimp-segfault.pcx)
Comment 6 Raphaël Quinet 2007-07-05 15:13:55 UTC
Created attachment 91248 [details]
yet another test image for the PCX plug-in (gimp-segfault2.pcx)
Comment 7 Raphaël Quinet 2007-07-05 15:15:16 UTC
Created attachment 91250 [details]
test image for the PSD plug-in (gimp-mem.psd)
Comment 8 Raphaël Quinet 2007-07-05 15:19:14 UTC
Created attachment 91251 [details]
test image for the winicon plug-in (gimp-segfault.ico)
Comment 9 Raphaël Quinet 2007-07-05 15:19:40 UTC
Created attachment 91252 [details]
another test image for the winicon plug-in (gimp-segfault2.ico)
Comment 10 Raphaël Quinet 2007-07-05 18:00:07 UTC
Fixed in SVN trunk and in the 2.2 branch.  All these files are now causing the expected errors to be reported by the corresponding plug-ins, and there are no crashes anymore.

2007-07-05  Raphaël Quinet  <raphael@gimp.org>

	Merged several patches from trunk (written by Sven and myself):

	* plug-ins/common/psp.c: error handling cleanup.

	* plug-ins/common/psd.c (do_layer_record): check for invalid
	number of channels in a layer.

	* plug-ins/common/pcx.c (load_image): check for invalid image
	width or height.

	* plug-ins/bmp/bmpread.c: check for invalid image width or height,
	return if the image could not be read instead of trying to set the
	resolution or to flip a non-existing image.  Fixes bug #453973.
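An added example, not GIMP's code and not the patches the ChangeLog above refers to: the kind of header validation the bmpread.c and pcx.c entries describe ("check for invalid image width or height"), generalized to also check the pixel depth and the derived buffer size, since a width and height that each look plausible can still multiply into a size that wraps 32-bit arithmetic. The 12-byte header layout, the struct, the limits and the function names are assumptions for illustration, not any real file format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical subset of a bitmap-style header after it has been read. */
typedef struct {
    int32_t  width;          /* a fuzzed file may make this negative or huge */
    int32_t  height;
    uint16_t bits_per_pixel;
    uint16_t planes;
} image_header_t;

/* Assumed sanity limits for this example; a real loader picks its own. */
#define MAX_IMAGE_DIM   65536u
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)   /* 256 MiB */

/* Accept the header only if every derived size is safe to allocate.
 * On success *out_bytes receives the size of the unpacked pixel buffer. */
bool validate_image_header(const image_header_t *h, size_t *out_bytes)
{
    /* 1. Dimensions: reject non-positive or absurd values before any
     *    arithmetic is done with them. */
    if (h->width <= 0 || h->height <= 0)
        return false;
    if ((uint32_t)h->width > MAX_IMAGE_DIM || (uint32_t)h->height > MAX_IMAGE_DIM)
        return false;

    /* 2. Pixel format: only depths the decoder actually implements. */
    switch (h->bits_per_pixel) {
    case 1: case 4: case 8: case 24: case 32:
        break;
    default:
        return false;
    }
    if (h->planes != 1)
        return false;

    /* 3. Derived sizes in 64-bit arithmetic: 65536 * 65536 wraps a 32-bit
     *    product to zero, which is how a "valid-looking" header turns into
     *    an undersized buffer. */
    uint64_t row_bytes = ((uint64_t)h->width * h->bits_per_pixel + 7) / 8;
    uint64_t total     = row_bytes * (uint64_t)h->height;
    if (total > MAX_IMAGE_BYTES)
        return false;

    *out_bytes = (size_t)total;
    return true;
}

/* Read a constructed 12-byte little-endian header (not a real format):
 * width:i32  height:i32  bpp:u16  planes:u16.  Fails on short input. */
bool parse_header(const uint8_t *buf, size_t len, image_header_t *h)
{
    if (len < 12)
        return false;                      /* truncated file */
    uint32_t w  = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                  (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    uint32_t ht = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                  (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    h->width          = (int32_t)w;
    h->height         = (int32_t)ht;
    h->bits_per_pixel = (uint16_t)(buf[8]  | buf[9]  << 8);
    h->planes         = (uint16_t)(buf[10] | buf[11] << 8);
    return true;
}

/* Allocate the pixel buffer only after the header passed validation.
 * Returns NULL (and sets *out_len = 0) for anything rejected, so the
 * caller reports an error instead of going on to use a missing image. */
uint8_t *load_pixels(const uint8_t *file, size_t len, size_t *out_len)
{
    image_header_t h;
    size_t n;

    *out_len = 0;
    if (!parse_header(file, len, &h) || !validate_image_header(&h, &n))
        return NULL;
    uint8_t *pixels = calloc(n, 1);
    if (pixels)
        *out_len = n;
    return pixels;
}
```

The order matters: parse, validate every field and every quantity derived from it, and only then allocate. Returning NULL on rejection mirrors the bmpread.c entry's point that a loader must stop when the image could not be read rather than carry on to set a resolution or flip a buffer that was never created. The dimension check alone is not the whole story: each later read of pixel data still has to be bounded by the real file length, because a header can describe more data than the file contains.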
Comment 11 Nils Philippsen 2007-09-17 15:18:46 UTC
This is with current SVN (r23572):

nils@wombat:~/test/gimp> ~/gimp-trunk/bin/gimp gimp-segfault.pcx 
/home/nils/gimp-trunk/lib/gimp/2.0/plug-ins/pcx: fatal error: Segmentation fault
nils@wombat:~/test/gimp> ~/gimp-trunk/bin/gimp gimp-segfault2.pcx 
/home/nils/gimp-trunk/lib/gimp/2.0/plug-ins/pcx: fatal error: Segmentation fault

I would reopen it, but it seems that I can't do that.
Comment 12 Raphaël Quinet 2007-09-17 15:27:30 UTC
Closing again.  New info belongs to separate bug report.
Comment 13 Raphaël Quinet 2007-09-17 15:40:11 UTC
FYI, the new bug is bug #477802.