GNOME Bugzilla – Bug 790849
CVE-2017-17789 Heap buffer overflow in PSP importer, function read_channel_data
Last modified: 2017-12-21 08:31:11 UTC
Created attachment 364422
poc file

The attached file will cause a heap buffer overflow in the PSP import plugin. Stack trace from address sanitizer:

==29046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f64a922d100 at pc 0x0000004c3668 bp 0x7ffc2baf8a50 sp 0x7ffc2baf8200
WRITE of size 48 at 0x7f64a922d100 thread T0
    #0 0x4c3667 in __asan_memmove (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4c3667)
    #1 0x513628 in read_channel_data /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1237:17
    #2 0x513628 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1593
    #3 0x513628 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x513628 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

0x7f64a922d100 is located 0 bytes to the right of 152176896-byte region [0x7f64a010c800,0x7f64a922d100)
allocated by thread T0 here:
    #0 0x4da260 in calloc (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4da260)
    #1 0x7f64bd073710 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x4f710)
    #2 0x512af1 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1510:15
    #3 0x512af1 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x512af1 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)
FYI this security issue has been given the following CVE number: CVE-2017-17789
Fixed. Thanks for the report!

commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8 (HEAD -> master, origin/master, origin/HEAD)
Author: Jehan <jehan@girinstud.io>
Date:   Wed Dec 20 16:44:20 2017 +0100

    Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...

    ... in PSP importer.

    Check if declared block length is valid (i.e. within the actual file)
    before going further. Consider the file as broken otherwise and fail
    loading it.

 plug-ins/common/file-psp.c | 9 +++++++++
 1 file changed, 9 insertions(+)
Also pushed to gimp-2-8:

commit 01898f10f87a094665a7fdcf7153990f4e511d3f (HEAD -> gimp-2-8, origin/gimp-2-8)
Author: Jehan <jehan@girinstud.io>
Date:   Wed Dec 20 16:44:20 2017 +0100

    Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...

    ... in PSP importer.

    Check if declared block length is valid (i.e. within the actual file)
    before going further. Consider the file as broken otherwise and fail
    loading it.

    (cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
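The commit message above describes the fix in one sentence: a block's declared length is attacker-controlled and must be validated against the actual file before it drives a copy. The following is an added illustration written for this page, not GIMP's file-psp.c: it uses a hypothetical, simplified block layout (a 32-bit little-endian declared length followed by the payload), a pixel buffer sized from a separate image header field the way the ASan trace shows the 152 MB region being allocated in read_layer_block, and two constructed sample "files". The unchecked reader has the shape ASan flagged; the checked reader applies both bounds a practitioner wants here: declared length within the remaining file, and declared length within the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the real PSP importer. Hypothetical block layout:
 * u32 little-endian declared_len, then declared_len payload bytes. */
typedef struct {
    const uint8_t *buf;   /* whole file in memory */
    size_t         len;   /* actual file size: the only trustworthy size */
    size_t         pos;   /* read cursor */
} psp_reader;

static int read_u32le(psp_reader *r, uint32_t *out)
{
    if (r->len - r->pos < 4)
        return -1;                          /* header itself truncated */
    const uint8_t *p = r->buf + r->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r->pos += 4;
    return 0;
}

/* Vulnerable shape: the copy length comes straight from the file. With a
 * crafted declared_len the memcpy reads past the file buffer and writes past
 * `pixels`, which is the heap-buffer-overflow ASan reported. Shown only for
 * comparison; main() below does not call it. */
int read_channel_data_unchecked(psp_reader *r, uint8_t *pixels, size_t pixels_len)
{
    uint32_t declared;
    (void)pixels_len;                       /* never consulted: that is the bug */
    if (read_u32le(r, &declared) != 0)
        return -1;
    memcpy(pixels, r->buf + r->pos, declared);
    r->pos += declared;
    return 0;
}

/* Hardened shape: declared length must lie within the actual file (the check
 * the fix describes) and within the destination the caller allocated from the
 * image header. Treat any violation as a broken file and refuse to load it. */
int read_channel_data_checked(psp_reader *r, uint8_t *pixels, size_t pixels_len)
{
    uint32_t declared;
    if (read_u32le(r, &declared) != 0)
        return -1;
    if (declared > r->len - r->pos)         /* block runs past end of file */
        return -1;
    if (declared > pixels_len)              /* block larger than the image it fills */
        return -1;
    memcpy(pixels, r->buf + r->pos, declared);
    r->pos += declared;
    return 0;
}

/* Constructed sample files for the demo (not real PSP data). */
static const uint8_t good_file[] = { 0x04,0x00,0x00,0x00, 0xAA,0xBB,0xCC,0xDD };
/* declares 0x10000000 bytes but only 4 follow: rejected by the file-size check */
static const uint8_t bad_file[]  = { 0x00,0x00,0x00,0x10, 0xAA,0xBB,0xCC,0xDD };
/* declares 8 bytes and really has them, but the image only holds 4: rejected
 * by the destination-size check even though the file itself is consistent */
static const uint8_t oversize_file[] = { 0x08,0x00,0x00,0x00,
                                         0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88 };

/* Parse one in-memory file into a 4-byte pixel buffer with the checked reader.
 * Returns 0 on success, -1 when the file is rejected. */
int load_checked(const uint8_t *file, size_t len, uint8_t *pixels4)
{
    psp_reader r = { file, len, 0 };
    return read_channel_data_checked(&r, pixels4, 4);
}

int main(void)
{
    uint8_t pixels[4] = {0};
    printf("good:     %d\n", load_checked(good_file, sizeof good_file, pixels));
    printf("bad:      %d\n", load_checked(bad_file, sizeof bad_file, pixels));
    printf("oversize: %d\n", load_checked(oversize_file, sizeof oversize_file, pixels));
    return 0;
}
```

The two checks are independent: a length check against the file alone stops the over-read from the input, and only the check against the destination stops the write past the pixel buffer when a file is internally consistent but disagrees with its own image header. Both are needed for the copy in read_channel_data to be safe regardless of which header field an attacker edits.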
Of course, if I missed something, feel free to reopen the bug report. But I tested it with your file, and it is properly rejected as it should.
P.S.: by the way, I searched the web but have been unable to find any valid PSP sample. I think I understood the current code logic correctly, and therefore my commit should not break importing valid PSP files. Yet this is untested with valid PSP files. So if I made a mistake and actually broke normal PSP import, please reopen and provide me with a PSP sample so that I can better understand what went wrong and test appropriately. :-)
Here are some PSP files: https://files.fuzzing-project.org/graphics/bitmap/ I think only the psp5 file is supported, and I think it's only a few pixels. I guess this confirms my point about having a test suite with rendering examples :-)
Well, it all looks fine. The PSP 5 file looks like it is loaded fine, as before. PSP7 and 13 won't load, but that was the same without the commit. So I assume there are no regressions.