Message-ID: <CAGkswnQeO6oXv+so+DRCMWHqpVKuKYjZ3dTo=gZo2GzycdArhw@mail.gmail.com>
Date: Wed, 13 Jul 2016 14:53:03 -0300
From: Franco Costantini <franco.costantini.20@...il.com>
To: oss-security@...ts.openwall.com
Cc: gustavo.grieco@...g.fr
Subject: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7

This issue was reported to Red Hat secalert; they asked me to disclose it
publicly.

An out-of-bounds write while parsing an ico file was found in gdk-pixbuf 2.30.7.
It was tested on Ubuntu 14.04; other versions may be affected (on Debian 8,
an assert inside gtk3 stops the execution before the crash). The issue can
be reproduced using eog:

 (gdb) run crash.ico
 Starting program: /usr/bin/eog crash.ico
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 [New Thread 0x7fffec58e700 (LWP 3709)]
 [New Thread 0x7fffebd8d700 (LWP 3710)]
 [New Thread 0x7fffe9656700 (LWP 3711)]
 [New Thread 0x7fffe8e55700 (LWP 3712)]

 (eog:3705): EOG-WARNING **: Couldn't load icon: Icon 'image-loading' not
present in theme

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7fffe9656700 (LWP 3711)]
 0x00007fffd83b428c in OneLine32 (context=0x7fffe0029820) at io-ico.c:589
 (gdb) bt
 #0  0x00007fffd83b428c in OneLine32 (context=0x7fffe0029820) at
io-ico.c:589
 #1  OneLine (context=0x7fffe0029820) at io-ico.c:800
 #2  gdk_pixbuf__ico_image_load_increment (data=0x7fffe0029820,
     buf=0x7fffe001b852 "", size=0, error=0x7fffe9655b68) at io-ico.c:891
 #3  0x00007ffff53e2665 in gdk_pixbuf_loader_load_module (
     loader=loader@...ry=0x7df420, image_type=image_type@...ry=0x0,
     error=error@...ry=0x7fffe9655b68) at gdk-pixbuf-loader.c:443
 #4  0x00007ffff53e2ee8 in gdk_pixbuf_loader_close (loader=0x7df420,
     error=0xaa1aa0) at gdk-pixbuf-loader.c:808
 #5  0x00000000004236ab in eog_image_load ()
 #6  0x00000000004275d7 in ?? ()
 #7  0x0000000000425959 in ?? ()
 #8  0x00007ffff43eff05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #9  0x00007ffff3f53184 in start_thread (arg=0x7fffe9656700)
     at pthread_create.c:312
 #10 0x00007ffff3c8037d in clone ()
     at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

The affected function is here:

static void OneLine32 (struct ico_progressive_state *context)
{
        gint X;
        guchar *Pixels;

        X = 0;
        /* Header.height and Header.width come straight from the ICO header
         * of the input file; Lines counts the rows emitted so far. */
        if (context->Header.Negative == 0)
                Pixels = (context->pixbuf->pixels +
                          context->pixbuf->rowstride *
                          (context->Header.height - context->Lines - 1));
        else
                Pixels = (context->pixbuf->pixels +
                          context->pixbuf->rowstride *
                          context->Lines);
        /* Copy one decoded BGRA row into the pixbuf as RGBA. */
        while (X < context->Header.width) {
                Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2];
                Pixels[X * 4 + 1] = context->LineBuf[X * 4 + 1];
                Pixels[X * 4 + 2] = context->LineBuf[X * 4 + 0];
                Pixels[X * 4 + 3] = context->LineBuf[X * 4 + 3];
                X++;
        }
}

The value of context->Header.height in OneLine32 is a very large number
(it probably was not validated correctly). This value is used to calculate
where to write, so the write through Pixels lands outside the buffer.
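To make the failure mode concrete, here is an added example (not gdk-pixbuf's own code) that models the row-pointer arithmetic above with trimmed-down, hypothetical stand-ins for the project's structures and adds the check the report says is missing: the destination row derived from the header's height and the current line counter is compared against the pixbuf allocation before anything is written. A consistent header succeeds; an inflated height, as in the crash file, is refused instead of writing out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, minimal stand-ins for the gdk-pixbuf structures touched by
 * OneLine32 (not the project's definitions): only the fields it uses. */
struct ico_header { int width; int height; int Negative; };
struct pixbuf_model { unsigned char *pixels; int rowstride; size_t nbytes; };
struct ico_state {
    struct ico_header Header;
    int Lines;                   /* rows already emitted */
    unsigned char *LineBuf;      /* one decoded BGRA row from the file */
    struct pixbuf_model *pixbuf;
};

/* Return the destination row for the current line, or NULL when the header
 * values would place that row outside the pixbuf allocation. */
static unsigned char *ico_row_checked(const struct ico_state *ctx)
{
    const struct ico_header *h = &ctx->Header;
    const struct pixbuf_model *pb = ctx->pixbuf;

    if (h->width <= 0 || h->height <= 0 || ctx->Lines < 0 || pb->rowstride <= 0)
        return NULL;
    /* 32 bpp: every pixel of the row needs 4 bytes of rowstride. */
    if ((size_t)h->width * 4 > (size_t)pb->rowstride)
        return NULL;
    /* Lines must stay below height, otherwise height - Lines - 1 wraps. */
    if (ctx->Lines >= h->height)
        return NULL;

    size_t row = (h->Negative == 0)
                     ? (size_t)(h->height - ctx->Lines - 1)
                     : (size_t)ctx->Lines;
    /* The check the report says is missing: the header's height is not by
     * itself tied to how many rows were actually allocated. */
    size_t rows_allocated = pb->nbytes / (size_t)pb->rowstride;
    if (row >= rows_allocated)
        return NULL;
    return pb->pixels + row * (size_t)pb->rowstride;
}

/* Bounds-checked variant of OneLine32: BGRA -> RGBA swap into one row.
 * Returns 0 on success, -1 when the write was refused. */
int one_line32_checked(struct ico_state *ctx)
{
    unsigned char *Pixels = ico_row_checked(ctx);
    if (Pixels == NULL)
        return -1;
    for (int X = 0; X < ctx->Header.width; X++) {
        Pixels[X * 4 + 0] = ctx->LineBuf[X * 4 + 2];
        Pixels[X * 4 + 1] = ctx->LineBuf[X * 4 + 1];
        Pixels[X * 4 + 2] = ctx->LineBuf[X * 4 + 0];
        Pixels[X * 4 + 3] = ctx->LineBuf[X * 4 + 3];
    }
    return 0;
}

/* Constructed demo: a 4x2 RGBA pixbuf (rowstride 16, 32 bytes) whose header
 * claims `header_height` rows. With Lines == 0 and Negative == 0 the target
 * row is height - 1. If the write succeeds and `out_px` is non-NULL, the
 * first pixel of row 1 is copied out so callers can inspect the BGRA swap. */
int demo_one_line(int header_height, unsigned char *out_px)
{
    unsigned char pixels[32];
    unsigned char line[16];
    memset(pixels, 0, sizeof pixels);
    for (int i = 0; i < 16; i++)          /* constructed BGRA sample row */
        line[i] = (unsigned char)i;

    struct pixbuf_model pb = { pixels, 16, sizeof pixels };
    struct ico_state ctx = { { 4, header_height, 0 }, 0, line, &pb };

    int rc = one_line32_checked(&ctx);
    if (rc == 0 && out_px != NULL)
        memcpy(out_px, pixels + 16, 4);
    return rc;
}

int main(void)
{
    unsigned char px[4];
    printf("height=2:       rc=%d\n", demo_one_line(2, px));
    printf("first pixel:    %u %u %u %u\n", px[0], px[1], px[2], px[3]);
    printf("height=1000000: rc=%d (refused, would write out of bounds)\n",
           demo_one_line(1000000, NULL));
    return 0;
}
```

The consistent case writes row 1 and swaps the first pixel's channels from the constructed BGRA row, while the inflated height is rejected before any store, which is the behaviour a loader needs here: the row count from the file header must be bounded by the allocation it is about to write into, not trusted as-is.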

This issue was found using QuickFuzz, the file to reproduce it is attached.
Please assign a CVE if suitable.

Regards, Franco
