GIMP 2.8.2 XWD files memory corruption

Vulnerability ID 1046107 Vulnerability type
Published 2012-11-23 Updated 2012-11-23
Platform N/A CVSS score N/A
GIMP 2.8.2 is vulnerable to memory corruption when reading XWD files, which
could even lead to arbitrary code execution.

In file-xwd.c, the user-controlled header values:

 L_CARD32 l_red_mask;       /* Red mask */
 L_CARD32 l_green_mask;     /* Green mask */
 L_CARD32 l_blue_mask;      /* Blue mask */ 

determine the number of loop iterations in:

  /* Set map-arrays for red, green, blue */
  for (red = 0; red <= maxred; red++)
    redmap[red] = (red * 255) / maxred;
  for (green = 0; green <= maxgreen; green++)
    greenmap[green] = (green * 255) / maxgreen;
  for (blue = 0; blue <= maxblue; blue++)
    bluemap[blue] = (blue * 255) / maxblue;

Because there is no limit check on these values, the loops can write
beyond the end of the map buffers, overwriting the return address and the
SEH handler on Windows.
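As an added illustration (not GIMP's own code), a bounded version of the map-filling loops: the map size MAP_SIZE and the mask_max_value helper are assumptions, and the check rejects any header whose mask implies more entries than the map can hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed size of the colour map arrays (not taken from file-xwd.c). */
#define MAP_SIZE 256

typedef uint32_t L_CARD32;

/* Assumed helper: derive the maximum channel value from a mask by
 * counting its set bits, e.g. 0x00ff0000 -> 255. A file can set any
 * 32-bit mask here, so the result is attacker-influenced. */
L_CARD32 mask_max_value(L_CARD32 mask)
{
    L_CARD32 bits = 0;
    while (mask) { bits += mask & 1u; mask >>= 1; }
    return bits == 32 ? 0xffffffffu : (1u << bits) - 1u;
}

/* Bounded fill: refuses a maximum that would index past the map
 * (the original loop writes map[0..maxval] with no such check) and
 * a zero maximum that would divide by zero. */
bool fill_map(unsigned char *map, size_t map_size, L_CARD32 maxval)
{
    if (maxval == 0 || maxval >= map_size)
        return false;
    for (L_CARD32 v = 0; v <= maxval; v++)
        map[v] = (unsigned char)((v * 255u) / maxval);
    return true;
}

/* Validate all three masks before any map entry is written. */
bool xwd_masks_ok(L_CARD32 red_mask, L_CARD32 green_mask, L_CARD32 blue_mask)
{
    unsigned char redmap[MAP_SIZE], greenmap[MAP_SIZE], bluemap[MAP_SIZE];
    return fill_map(redmap, MAP_SIZE, mask_max_value(red_mask))
        && fill_map(greenmap, MAP_SIZE, mask_max_value(green_mask))
        && fill_map(bluemap, MAP_SIZE, mask_max_value(blue_mask));
}
```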

I attached a test file; the corresponding output from the cdb debugger is:

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE

Exception Faulting Address: 0x1d1d1d1d
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

eax=00000000 ebx=00000000 ecx=1d1d1d1d edx=7c9132bc esi=00000000 edi=00000000
eip=1d1d1d1d esp=0022dd30 ebp=0022dd50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
1d1d1d1d ??              ???

Andres Gomez