GIMP 2.8.2 XWD files memory corruption

2012.11.23
Credit: Andres Gomez
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

GIMP 2.8.2 is vulnerable to memory corruption when reading XWD files, which can lead to arbitrary code execution.

In file-xwd.c the user-controlled header values

    L_CARD32 l_red_mask;   /* Red mask */
    L_CARD32 l_green_mask; /* Green mask */
    L_CARD32 l_blue_mask;  /* Blue mask */

determine the number of iterations of:

    /* Set map-arrays for red, green, blue */
    for (red = 0; red <= maxred; red++)
      redmap[red] = (red * 255) / maxred;
    for (green = 0; green <= maxgreen; green++)
      greenmap[green] = (green * 255) / maxgreen;
    for (blue = 0; blue <= maxblue; blue++)
      bluemap[blue] = (blue * 255) / maxblue;

Because there is no limit check on maxred, maxgreen and maxblue, which are derived from the three masks, a mask wider than the map arrays can hold makes these loops write beyond the buffer size, overwriting the return address and the SEH handler on Windows.

I attached a test file; the corresponding output from the cdb debugger is:

    Description: Read Access Violation at the Instruction Pointer
    Short Description: ReadAVonIP
    Exploitability Classification: EXPLOITABLE
    Exception Faulting Address: 0x1d1d1d1d
    First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    Exception Sub-Type: Read Access Violation

    eax=00000000 ebx=00000000 ecx=1d1d1d1d edx=7c9132bc esi=00000000 edi=00000000
    eip=1d1d1d1d esp=0022dd30 ebp=0022dd50 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    1d1d1d1d ?? ???

The classification lines come from the !exploitable extension. The fault is at the instruction pointer itself: eip has been overwritten with 0x1d1d1d1d, four identical bytes, which is what the map loops produce once maxred is large (consecutive values of (red * 255) / maxred change only every few thousand entries), so control flow was redirected through data the overflow wrote.

Andres Gomez
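The mask-to-map computation described above, rebuilt as an added example in C. This is not GIMP's file-xwd.c and not the reporter's test file; it assumes the plug-in derives maxred from l_red_mask by locating the mask's lowest set bit and counting the mask's width above it, that the three maps are 256-entry stack arrays, and the XWD header offsets named in the comments (red_mask, green_mask and blue_mask as the 15th to 17th big-endian CARD32 fields). It parses a constructed header, computes how far the unchecked loop would write past a map for a given mask without performing the write, and shows the bound check that rejects any mask wider than 8 bits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GIMP's code. Assumed layout: 25 big-endian CARD32
 * header fields with red_mask, green_mask, blue_mask as fields 14..16
 * (XWDFile.h order), i.e. byte offsets 56, 60, 64; maps of 256 entries. */
#define XWD_HEADER_LEN     100
#define XWD_RED_MASK_OFF    56
#define XWD_GREEN_MASK_OFF  60
#define XWD_BLUE_MASK_OFF   64
#define MAP_ENTRIES        256

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Largest component value a mask encodes (maxred for l_red_mask): locate
 * the lowest set bit, count the width above it, return 2^width - 1.
 * Assumed to mirror file-xwd.c's derivation. Empty mask gives 0. */
static uint32_t mask_max_value(uint32_t mask)
{
    unsigned shift = 0, width = 0;

    if (mask == 0)
        return 0;
    while (((mask >> shift) & 1u) == 0)
        shift++;
    while (shift + width < 32 && (mask >> (shift + width)) != 0)
        width++;
    return (width >= 32) ? UINT32_MAX : (1u << width) - 1u;
}

/* Bytes the unchecked loop `for (c = 0; c <= max; c++) map[c] = ...`
 * would write past a MAP_ENTRIES-byte array (computed, never performed). */
static uint64_t overflow_bytes(uint32_t mask)
{
    uint64_t writes = (uint64_t)mask_max_value(mask) + 1u;
    return writes > MAP_ENTRIES ? writes - MAP_ENTRIES : 0;
}

/* The advisory's map fill with the missing bound check: reject a mask
 * whose max does not fit the map instead of writing past it. */
static int fill_component_map(uint8_t map[MAP_ENTRIES], uint32_t mask)
{
    uint32_t max = mask_max_value(mask), c;

    if (max == 0 || max >= MAP_ENTRIES)   /* empty, or wider than 8 bits */
        return -1;
    for (c = 0; c <= max; c++)
        map[c] = (uint8_t)((c * 255u) / max);
    return 0;
}

/* Parse the three masks out of a raw header and build the maps.
 * 0 on success, -1 if the header is short or any mask is rejected. */
static int build_rgb_maps(const uint8_t *hdr, size_t len,
                          uint8_t red[MAP_ENTRIES], uint8_t green[MAP_ENTRIES],
                          uint8_t blue[MAP_ENTRIES])
{
    if (len < XWD_HEADER_LEN)
        return -1;
    if (fill_component_map(red,   get_be32(hdr + XWD_RED_MASK_OFF))   < 0 ||
        fill_component_map(green, get_be32(hdr + XWD_GREEN_MASK_OFF)) < 0 ||
        fill_component_map(blue,  get_be32(hdr + XWD_BLUE_MASK_OFF))  < 0)
        return -1;
    return 0;
}

/* Constructed header (not the bug's attachment): zero except the masks.
 * Returns build_rgb_maps' verdict. */
static int check_header(uint32_t r, uint32_t g, uint32_t b)
{
    uint8_t hdr[XWD_HEADER_LEN], red[MAP_ENTRIES], green[MAP_ENTRIES], blue[MAP_ENTRIES];

    memset(hdr, 0, sizeof hdr);
    put_be32(hdr + XWD_RED_MASK_OFF,   r);
    put_be32(hdr + XWD_GREEN_MASK_OFF, g);
    put_be32(hdr + XWD_BLUE_MASK_OFF,  b);
    return build_rgb_maps(hdr, sizeof hdr, red, green, blue);
}

/* Value the hardened fill stores at map[idx] for a mask, or -1 if rejected. */
static int map_entry(uint32_t mask, unsigned idx)
{
    uint8_t map[MAP_ENTRIES] = { 0 };

    if (idx >= MAP_ENTRIES || fill_component_map(map, mask) < 0)
        return -1;
    return map[idx];
}

int main(void)
{
    const uint32_t masks[] = { 0x00FF0000u, 0x0000001Fu, 0x000003FFu, 0xFFFFFFFFu, 0u };
    size_t i;

    for (i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("red mask 0x%08x: max=%u, unchecked loop overruns by %llu bytes, %s\n",
               masks[i], mask_max_value(masks[i]),
               (unsigned long long)overflow_bytes(masks[i]),
               check_header(masks[i], 0x0000FF00u, 0x000000FFu) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A 10-bit mask such as 0x3FF already pushes 768 bytes past a 256-entry map, and an all-ones mask pushes about 4 GiB, so the bound check has to come before the loop rather than inside it; checking the mask width is also cheaper than checking each index. The empty-mask case is rejected as well, since a zero mask has no lowest set bit for the shift search to find.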

References:

https://bugzilla.gnome.org/show_bug.cgi?id=687392
https://bugzilla.gnome.org/attachment.cgi?id=227862&action=edit

Copyright 2024, cxsecurity.com