[NEWS] GIMP Denial Of Service Vulnerability (GIF Zero Width or Height )
From: SecuriTeam (support_at_securiteam.com)
Date: 03/22/05
- Previous message: SecuriTeam: "[NEWS] Buffer Overflow In Soldier Of Fortune II"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 22 Mar 2005 18:56:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
GIMP Denial Of Service Vulnerability (GIF Zero Width or Height )
------------------------------------------------------------------------
SUMMARY
<http://www.gimp.org/> The GIMP is the GNU Image Manipulation Program. It
is a freely distributed piece of software for such tasks as photo
retouching, image composition and image authoring.
The GIMP gifload plug-in is vulnerable to a denial of service attack when
it processes some GIF files with image width or height value of 0.
DETAILS
Vulnerable Systems:
* The GIMP 2.2.4 for all Operating Systems. Prior versions may be
vulnerable as well.
GIMP use gifload to load GIF files. The gifload does not check the value
of width and height fields of the image descriptor when reading a GIF
file. It generate a size to call g_malloc() and it does not check the
return pointer value from g_malloc() yet before used the pointer. So if
gifload have a value of 0 from the width or height field read from the
image descriptor, it crashes.
Changing any normal GIF file image width value or image height value to 0,
will cause GIMP to crash when trying to open the image.
Vulnerable Code:
source code from gimp-2.2.4/plug-ins/common/gifload.c:
..
// load_image()
// Didn't check the value of width and height fields in image descriptor
// when read from file
..
if (!useGlobalColormap)
{
if (ReadColorMap (fd, bitPixel, localColorMap, &grayScale))
{
g_message ("Error reading local colormap");
return image_ID;
}
image_ID = ReadImage (fd, filename, LM_to_uint (buf[4], buf[5]),
LM_to_uint (buf[6], buf[7]),
localColorMap, bitPixel,
grayScale,
BitSet (buf[8], INTERLACE), imageCount,
(guint) LM_to_uint (buf[0], buf[1]),
(guint) LM_to_uint (buf[2], buf[3]),
GifScreen.Width,
GifScreen.Height
);
}
else
{
image_ID = ReadImage (fd, filename, LM_to_uint (buf[4], buf[5]),
LM_to_uint (buf[6], buf[7]),
GifScreen.ColorMap, GifScreen.BitPixel,
GifScreen.GrayScale,
BitSet (buf[8], INTERLACE), imageCount,
(guint) LM_to_uint (buf[0], buf[1]),
(guint) LM_to_uint (buf[2], buf[3]),
GifScreen.Width,
GifScreen.Height
);
}
.
// ReadImage() len==image width, height==image height
// xpos and ypos are initialized to 0
gint xpos = 0, ypos = 0, pass = 0;
..
if (alpha_frame)
dest = (guchar *) g_malloc (len * height *
(promote_to_rgb ? 4 : 2));
// dest == 0;
else
dest = (guchar *) g_malloc (len * height);
// dest == 0;
..
if (promote_to_rgb)
{
temp = dest + ( (ypos * len) + xpos ) * 4;
// temp = 0 + ( (0 * 0) + 0) * 4;
// temp == 0
// So it cause write access exception!
*(temp ) = (guchar) cmap[0][v];
*(temp+1) = (guchar) cmap[1][v];
*(temp+2) = (guchar) cmap[2][v];
*(temp+3) = (guchar) ((v == Gif89.transparent) ? 0 : 255);
}
else
{
temp = dest + ( (ypos * len) + xpos ) * 2;
// temp = 0 + ( (0 * 0) + 0) * 2;
*temp = (guchar) v;
*(temp+1) = (guchar) ((v == Gif89.transparent) ? 0 : 255);
}
EOF
Vender Status:
The vendor has fixed the bug:
<http://bugzilla.gnome.org/show_bug.cgi?id=169113>
http://bugzilla.gnome.org/show_bug.cgi?id=169113
Disclosure Timeline:
2005-03-03 Reported To Vendor, And the vendor has fixed the bug.
ADDITIONAL INFORMATION
The information has been provided by <mailto:felix__zhou@hotmail.com>
Hongzhen Zhou.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Buffer Overflow In Soldier Of Fortune II"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NEWS] Multiple Vendor GIMP Multiple Integer Overflow Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor GIMP Multiple
Integer Overflow Vulnerabilities ... The GNU Image Manipulation Program is "commonly known
as the GIMP. ... 08/17/2006 - Initial vendor notification ... (Securiteam) - [NEWS] GIMP XCF Parsing xcf_load_vector() Function Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... GIMP XCF Parsing xcf_load_vectorFunction
Overflow ... from the XCF file into the variable num_axes, ... The attack
is in the VECTORS property of an XCF file which pure XCF ... (Securiteam)
