Bug 687392 - Memory corruption vulnerability when reading XWD files
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.8.2
Hardware / OS: Other / All
Priority / Severity: Normal / critical
Target Milestone: 2.8
Assigned To: GIMP Bugs
QA Contact: GIMP Bugs
Depends on:
Blocks:
Reported: 2012-11-02 02:08 UTC by andres
Modified: 2012-11-07 23:23 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
test file (593.07 KB, image/x-xwindowdump) - 2012-11-02 02:23 UTC, andres
patch for gimp 2.8.2 (799 bytes, patch) - 2012-11-03 20:28 UTC, andres

Description andres 2012-11-02 02:08:12 UTC
GIMP 2.8.2 is vulnerable to memory corruption when reading XWD files, which could even lead to arbitrary code execution.

In file-xwd.c user controlled values:

 L_CARD32 l_red_mask;       /* Red mask */
 L_CARD32 l_green_mask;     /* Green mask */
 L_CARD32 l_blue_mask;      /* Blue mask */ 

determine the number of iterations on:

/* Set map-arrays for red, green, blue */
  for (red = 0; red <= maxred; red++)
    redmap[red] = (red * 255) / maxred;
  for (green = 0; green <= maxgreen; green++)
    greenmap[green] = (green * 255) / maxgreen;
  for (blue = 0; blue <= maxblue; blue++)
    bluemap[blue] = (blue * 255) / maxblue;

Because there is no limit check, these operations can write beyond the buffer size, overwriting the return address and the SEH handler on Windows.

I attached a test file; the corresponding output from the cdb debugger is:

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE

Exception Faulting Address: 0x1d1d1d1d
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

eax=00000000 ebx=00000000 ecx=1d1d1d1d edx=7c9132bc esi=00000000 edi=00000000
eip=1d1d1d1d esp=0022dd30 ebp=0022dd50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
1d1d1d1d ??              ???

Andres Gomez
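The pattern the report describes, as an added example that is neither GIMP's file-xwd.c nor the reporter's patch: the three masks are pulled out of a raw XWD header, each is reduced to the largest channel value it can encode (mask shifted down to bit 0, the quantity the plugin's loop runs up to), and the map is only filled in once that maximum has been checked against the fixed 256-entry array. Assumptions not taken from the page: the mask offsets (56, 60, 64 in a 100-byte version-7 header) follow the X11 XWDFile.h field order, the masks are read big-endian the way file-xwd.c's read_card32 reads them, the map arrays are 256 bytes, and all function names (mask_max, build_map, xwd_build_maps, probe_masks, map_value) and the headers built by make_header are this example's own.

```c
/* Added example, not GIMP code: bounds-checked version of the XWD
 * "set map-arrays" loop from the report. Header layout and byte order
 * are assumptions (X11 XWDFile.h order, big-endian like read_card32). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XWD_HDR_SIZE  100  /* XWDFileHeader: 25 CARD32 fields (assumed) */
#define XWD_OFF_RED    56  /* byte offset of red_mask   (assumed) */
#define XWD_OFF_GREEN  60  /* byte offset of green_mask (assumed) */
#define XWD_OFF_BLUE   64  /* byte offset of blue_mask  (assumed) */
#define MAP_SIZE      256  /* entries in redmap/greenmap/bluemap (assumed) */

static uint32_t rd32be(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32be(uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Largest channel value a mask can encode: the mask shifted down until its
 * lowest set bit is bit 0. A zero mask has no set bit and would hang the
 * shift loop, so it is rejected outright. */
static int mask_max(uint32_t mask, uint32_t *max_out)
{
  unsigned shift = 0;
  if (mask == 0)
    return -1;
  while (((mask >> shift) & 1u) == 0)
    shift++;
  *max_out = mask >> shift;
  return 0;
}

/* The report's loop with the missing limit check in front of it: a mask
 * whose maximum would index past MAP_SIZE is refused before any write. */
static int build_map(uint32_t mask, unsigned char map[MAP_SIZE], uint32_t *max_out)
{
  uint32_t max, v;
  if (mask_max(mask, &max) != 0 || max >= MAP_SIZE)
    return -1;                               /* would run off the array */
  for (v = 0; v <= max; v++)
    map[v] = (unsigned char)((v * 255) / max);
  *max_out = max;
  return 0;
}

/* Parse the three masks from a raw header and build all three maps.
 * Returns 0 on success, -1 on a truncated header or a hostile mask. */
int xwd_build_maps(const uint8_t *hdr, size_t len,
                   unsigned char red[MAP_SIZE], unsigned char green[MAP_SIZE],
                   unsigned char blue[MAP_SIZE])
{
  uint32_t unused;
  if (len < XWD_HDR_SIZE)
    return -1;
  if (build_map(rd32be(hdr + XWD_OFF_RED),   red,   &unused) != 0) return -1;
  if (build_map(rd32be(hdr + XWD_OFF_GREEN), green, &unused) != 0) return -1;
  if (build_map(rd32be(hdr + XWD_OFF_BLUE),  blue,  &unused) != 0) return -1;
  return 0;
}

/* Constructed header for the probes below (not the attached test file):
 * only header_size, file_version and the three masks are filled in. */
static void make_header(uint8_t hdr[XWD_HDR_SIZE], uint32_t r, uint32_t g, uint32_t b)
{
  memset(hdr, 0, XWD_HDR_SIZE);
  wr32be(hdr + 0, XWD_HDR_SIZE);   /* header_size  */
  wr32be(hdr + 4, 7);              /* file_version */
  wr32be(hdr + XWD_OFF_RED,   r);
  wr32be(hdr + XWD_OFF_GREEN, g);
  wr32be(hdr + XWD_OFF_BLUE,  b);
}

/* Feed a header with these masks to the checked loader: 0 accepted, -1 rejected. */
int probe_masks(uint32_t r, uint32_t g, uint32_t b)
{
  uint8_t hdr[XWD_HDR_SIZE];
  unsigned char red[MAP_SIZE], green[MAP_SIZE], blue[MAP_SIZE];
  make_header(hdr, r, g, b);
  return xwd_build_maps(hdr, sizeof hdr, red, green, blue);
}

/* 8-bit value the map assigns to channel value idx under mask, or -1 when
 * the mask is rejected or idx lies above the mask's maximum. */
int map_value(uint32_t mask, uint32_t idx)
{
  unsigned char map[MAP_SIZE];
  uint32_t max;
  if (build_map(mask, map, &max) != 0 || idx > max)
    return -1;
  return map[idx];
}

int main(void)
{
  printf("24-bit masks ff0000/00ff00/0000ff: %s\n",
         probe_masks(0xff0000, 0x00ff00, 0x0000ff) == 0 ? "accepted" : "rejected");
  printf("green_mask 1d1d1d1d:                %s\n",
         probe_masks(0xff0000, 0x1d1d1d1d, 0x0000ff) == 0 ? "accepted" : "rejected");
  printf("5-bit red mask f800, value 16 -> %d\n", map_value(0xf800, 16));
  return 0;
}
```

The check has to sit before the loop rather than inside it: with the original code the first out-of-range store already lands on the stack, and a mask such as 0xffffffff (maximum 0xffffffff) would keep the loop writing until it hits unmapped memory or, with a 32-bit counter, never terminate at all. Rejecting a zero mask is this example's own addition; it matters because any "shift until a bit is set" computation of the maximum spins forever on zero.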
Comment 1 andres 2012-11-02 02:23:07 UTC
Created attachment 227862 [details]
test file
Comment 2 Michael Natterer 2012-11-02 07:41:54 UTC
Thanks, can you cook up a patch?
Comment 3 andres 2012-11-03 20:28:20 UTC
Created attachment 227982 [details] [review]
patch for gimp 2.8.2

OK, please check if it works.
Comment 4 Michael Natterer 2012-11-07 23:23:56 UTC
Thanks for the patch, fixed in master and gimp-2-8:

commit 2873262fccba12af144ed96ed91be144d92ff2e1
Author: Michael Natterer <mitch@gimp.org>
Date:   Thu Nov 8 00:16:31 2012 +0100

    Bug 687392 - Memory corruption vulnerability when reading XWD files
    
    Applied and enhanced patch from andres which makes file-xwd detect
    this kind of file corruption and abort loading with an error message.
    (cherry picked from commit 0b35f6a082a0b3c372c568ea6bde39a4796acde2)

 plug-ins/common/file-xwd.c |   78 +++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 52 insertions(+), 26 deletions(-)