Message-ID: <516CFA37.7060606@redhat.com>
Date: Tue, 16 Apr 2013 17:13:59 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: autotrace: stack-based buffer overflow in bmp parser

Good morning,

There is a stack-based buffer overflow in autotrace 0.31.1 in
Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates a
buffer on the stack:

91   unsigned char buffer[64];

Later on

169   else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170     {
171       if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <= 64
requirement, and 0 - 4 should result in almost 4294967295 bytes being
read into the buffer.

I am told:

""
The same code is in Gimp, it was introduced in commit
d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in
57f805a159874107c6c98065f9aa648c3634b8fd:

https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98

Similar code can also be found in sam2p.
""

On Fedora 18, the issue was caught by FORTIFY_SOURCE.

Murray.

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458
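Added example, not code from the report or from autotrace: the vulnerable arithmetic described above next to a hardened check. biSize is modelled as uint32_t and the header bytes are constructed here; both are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_BUF_SIZE 64   /* size of the stack buffer in the vulnerable code */

/* Reads the little-endian 32-bit biSize field from the start of an info header. */
uint32_t parse_bisize_le(const unsigned char *hdr)
{
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Vulnerable arithmetic as described in the report (biSize modelled as uint32_t,
   an assumption): the size check passes for 0, then biSize - 4 wraps around. */
uint32_t vulnerable_read_len(uint32_t biSize)
{
    if (biSize <= HEADER_BUF_SIZE)
        return biSize - 4u;          /* 0 - 4 wraps to 4294967292 */
    return 0;                        /* other header layouts are not modelled here */
}

/* Hardened version: biSize must cover the 4 bytes already consumed and must not
   exceed the buffer. Returns the byte count to read, or -1 if the header is rejected. */
long safe_read_len(uint32_t biSize)
{
    if (biSize < 4u || biSize > HEADER_BUF_SIZE)
        return -1;
    return (long)(biSize - 4u);
}

int main(void)
{
    /* Constructed headers: a plausible OS/2 2.x size (40) and the hostile value 0. */
    const unsigned char sane[4]    = { 0x28, 0x00, 0x00, 0x00 };
    const unsigned char hostile[4] = { 0x00, 0x00, 0x00, 0x00 };
    unsigned char buffer[HEADER_BUF_SIZE];
    long len;

    printf("sane:    vulnerable len = %u\n", vulnerable_read_len(parse_bisize_le(sane)));
    printf("hostile: vulnerable len = %u\n", vulnerable_read_len(parse_bisize_le(hostile)));
    if (safe_read_len(parse_bisize_le(hostile)) < 0)
        printf("hostile: rejected by hardened check\n");
    len = safe_read_len(parse_bisize_le(sane));
    if (len >= 0 && (size_t)len <= sizeof buffer)
        printf("sane:    hardened check allows %ld bytes into buffer[%zu]\n", len, sizeof buffer);
    return 0;
}
```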
