GNOME Bugzilla – Bug 790783
buffer overread in XCF parser if version field has no null terminator
Last modified: 2017-12-26 14:52:07 UTC
Created attachment 364313 [details]
sample file triggering overread.
I'll attach a file that will cause a stack overread in the XCF file import. This was discovered by fuzzing with american fuzzy lop and address sanitizer. I'll also attach the stack trace from asan. The overread can be detected by compiling gimp with address sanitizer.
The bug is in xcf.c when reading the file version. According to the inofficial XCF spec  the version is a string starting at offset 9 with a null terminator at offset 13.
The code in xcf.c assumes that this null terminator is there and passes the version string to atoi. So if you craft a file where it's missing then atoi will overread. This can be fixed by checking that the null terminator is really set to 0 and returning an error if it's not. Patch also attached.
Created attachment 364314 [details]
stack trace / asan
Created attachment 364315 [details] [review]
patch / fix
The added condition in the patch was always TRUE, I fixed this and pushed:
Author: Hanno Boeck <email@example.com>
Date: Mon Nov 27 00:37:29 2017 +0100
790783 - buffer overread in XCF parser if version field...
...has no null terminator
Check for the presence of '\0' before using atoi() on the version
string. Patch slightly modified (mitch).
app/xcf/xcf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Maybe this should be backported to gimp-2-8 ? 2.8.x seems affected, though the function there is called xcf_load_invoker().
FTR: The xcf_load_stream was factored out in 63bcc698270bea1c4daa61c94da2c6c23dab87c5 .