lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050304095434.26347.qmail@www.securityfocus.com>
Date: 4 Mar 2005 09:54:34 -0000
From: Hongzhen Zhou <felix__zhou@...mail.com>
To: bugtraq@...urityfocus.com
Subject: GIMP gifload.exe GIF file (image width)*(image height)==0 DOS
    vulnerability





GIMP gifload.exe GIF file (image width)*(image height)==0 DOS vulnerability

******
Author
******

Hongzhen Zhou ( Fortinet,inc )
{
  felix__zhou _at_ hotmail _dot_ com
  hzhou _at_ fortinet _dot_ com
}

********************
vulnerable version
********************

Just tested on GIMP version 2.2.3 & 2.0.5 for windows
But the laster version 2.2.4 for all platform should be vulnerable.

**********
descriptor
**********

The GIMP is the GNU Image Manipulation Program. It is a freely distributed
piece of software for such tasks as photo retouching, image composition 
and image authoring. It works on many operating systems, in many languages.
Thge GIMP uses a plugin (gifload) to parse the GIF file format. The gifload
has a DOS vulnerability when it processes some special GIF files.

*********************
vulnerability details
*********************

GIMP use gifload.exe to load a GIF file. The gifload.exe did't check the 
value of width and height fields in image descriptor when read from GIF 
file(not the screen width and height field), it used its to 
generate a size to call g_malloc() and it did't check the return pointer 
value from g_malloc() yet before used the pointer. So if gifload.exe got 
0 from the width or height field of image descriptor which read from the 
GIF file, it crashed.

Change a normal gif file's image width value or image height value to 0 
and open it using GIMP.exe to see the gifload.exe die! I tested it on
GIMP version 2.2.3 & 2.0.5 for windows. But the laster version 2.2.4 for all
platform should be vulnerable.

Reported to vendor in Mar 2, 2005.

==============================================
source code from gimp-2.2.4\plug-ins\common\gifload.c
==============================================
----------------------------------------------
// load_image()
----------------------------------------------
// Didn't check the value of width and height fields in image descriptor 
// when read from file
---------------
if (!useGlobalColormap)
	{
	  if (ReadColorMap (fd, bitPixel, localColorMap, &grayScale))
	    {
	      g_message ("Error reading local colormap");
	      return image_ID; 
	    }
	  image_ID = ReadImage (fd, filename, LM_to_uint (buf[4], buf[5]),
				LM_to_uint (buf[6], buf[7]),
				localColorMap, bitPixel,
				grayScale,
				BitSet (buf[8], INTERLACE), imageCount,
				(guint) LM_to_uint (buf[0], buf[1]),
				(guint) LM_to_uint (buf[2], buf[3]),
				GifScreen.Width,
				GifScreen.Height
				);
	}
      else
	{
	  image_ID = ReadImage (fd, filename, LM_to_uint (buf[4], buf[5]),
				LM_to_uint (buf[6], buf[7]),
				GifScreen.ColorMap, GifScreen.BitPixel,
				GifScreen.GrayScale,
				BitSet (buf[8], INTERLACE), imageCount,
				(guint) LM_to_uint (buf[0], buf[1]),
				(guint) LM_to_uint (buf[2], buf[3]),
				GifScreen.Width,
				GifScreen.Height
				);
	}
-----------------------------------------------
// ReadImage()  len==image width, height==image height 
-----------------------------------------------
// xpos and ypos are initialized to 0
gint xpos = 0, ypos = 0, pass = 0;

---------------
  if (alpha_frame)
    dest = (guchar *) g_malloc (len * height *
				(promote_to_rgb ? 4 : 2));
    // dest == 0;
  else
    dest = (guchar *) g_malloc (len * height);
    // dest == 0;
---------------
	  if (promote_to_rgb)
	    {
	      temp = dest + ( (ypos * len) + xpos ) * 4;
              // temp = 0 + ( (0 * 0) + 0) * 4;
              // temp == 0
              // So it cause write access exception!
	      *(temp  ) = (guchar) cmap[0][v];
	      *(temp+1) = (guchar) cmap[1][v];
	      *(temp+2) = (guchar) cmap[2][v];
	      *(temp+3) = (guchar) ((v == Gif89.transparent) ? 0 : 255);
	    }
	  else
	    {
	      temp = dest + ( (ypos * len) + xpos ) * 2;
              // temp = 0 + ( (0 * 0) + 0) * 2;
	      *temp = (guchar) v;
	      *(temp+1) = (guchar) ((v == Gif89.transparent) ? 0 : 255);
	    }
-------------------------------------------------
That's all:)
=================================================


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ