Crash on loading XPM file

Related Vulnerabilities: CVE-2008-5187  

Debian Bug report logs - #505714
Crash on loading XPM file


Package: libimlib2; Maintainer for libimlib2 is Markus Koschany <apo@debian.org>; Source for libimlib2 is src:imlib2 (PTS, buildd, popcon).

Reported by: Julien Danjou <acid@debian.org>

Date: Fri, 14 Nov 2008 15:09:02 UTC

Severity: grave

Tags: patch, security

Found in versions imlib2/1.4.0-1.1, imlib2/1.4.0-1, imlib2/1.4.2-1

Fixed in versions 1.4.0-1.2, imlib2/1.4.2-2

Done: Jakub Wilk <jwilk@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Danjou <acid@debian.org>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:09:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Julien Danjou <acid@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Crash on loading XPM file
Date: Fri, 14 Nov 2008 16:06:33 +0100
[Message part 1 (text/plain, inline)]
Package: libimlib2
Version: 1.4.0-1.1
Severity: grave

Hi,

imlib2 crashes with the following backtrace when loading the attached
XPM file.

#0  0x00007fdcf6288166 in load (im=0x7fdcf19d3f90, progress=0, progress_granularity=0 '\0', immediate_load=1 '\001') at loader_xpm.c:475
        ptr = (unsigned int *) 0x7fdcf280200c
        end = (unsigned int *) 0x7fdcf2805000
        f = (FILE *) 0x7fdcf1e89dc8
        c = 34
        i = 2
        j = 146
        k = <value optimized out>
        w = 32
        h = 32
        ncolors = 146
        cpp = 2
        comment = 0
        transp = 1
        quote = <value optimized out>
        context = 2
        len = 12
        done = 0
        r = 255
        g = 0
        b = 0
        backslash = 0
        line = 0x7fdcf3acaf00 ' ' <repeats 66 times>
        s = "#FFFFFF\000/", '\0' <repeats 136 times>, "\001", '\0'
<repeats 38 times>,
"GG�002�177\000\000\000�000\000\000\000\000\000`\000\004\000\000\000\000\000\002\000\000\000\000\000\000\000�",
'\0' <repeats 14 times>,
"[\177�005�177\000\000\000\020\000\000\000\000\000\000��005�177\000"
        tok =
"#FFFFFF\000�237��177\000\000�237��177\000\000\234�\r�\177\000\000\001\000\000\000\000\000\000\000[\177�005�177\000\000�226��177\000\000��005�177\000\000�\016�002�177\000\000\004\000\000\000\000\000\000\000�237��177\000\000���\177\000\000د��\177\000\000\234�\r�\177\000\000\001",
'\0' <repeats 14 times>
        col = "
FFFFF\000[\177�005�177\000\000�P��177\000\000��005�177\000\000`�\r�\177\000\000[\177�005�177\000\000���177\000\000��005�177\000\000\000\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000
\000\000\000\000\000\000\000�\031�\177", '\0' <repeats 18 times>,
"`\000\000\000\000\000\000\000�|�005�177\000\000�P��177\000\000�\236\005�177\000\000��r�\177\000\000xnP��177\000\000\000oP��177\000\000�P��177\000\000\001\000\t\034",
'\0' <repeats 12 times>,
"��\r�\177\000\000\001\000\000\000\000\000\000\000�"...
        lsz = 256
        cmap = (struct _cmap *) 0x7fdcf27ff804
        lookup = {{0 <repeats 14 times>, 92, 0 <repeats 81 times>}, {16,
0 <repeats 13 times>, 108, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}, {4, 0 <repeats 13
times>, 96, 0 <repeats 81 times>}, 
  {5, 0 <repeats 13 times>, 97, 0 <repeats 81 times>}, {6, 0 <repeats 13
times>, 98, 
    0 <repeats 81 times>}, {7, 0 <repeats 13 times>, 99, 0 <repeats 81
times>}, {14, 
    0 <repeats 13 times>, 106, 0 <repeats 81 times>}, {22, 0 <repeats 13
times>, 114, 
    0 <repeats 81 times>}, {15, 0 <repeats 13 times>, 107, 0 <repeats 81
times>}, {8, 
    0 <repeats 13 times>, 100, 0 <repeats 81 times>}, {2, 0 <repeats 13
times>, 94, 
    0 <repeats 81 times>}, {13, 0 <repeats 13 times>, 105, 0 <repeats 81
times>}, {10, 
    0 <repeats 13 times>, 102, 0 <repeats 81 times>}, {1, 0 <repeats 13
times>, 93, 
    0 <repeats 81 times>}, {21, 0 <repeats 13 times>, 113, 0 <repeats 81
times>}, {38, 
    0 <repeats 13 times>, 130, 0 <repeats 81 times>}, {29, 0 <repeats 13
times>, 121, 
    0 <repeats 81 times>}, {30, 0 <repeats 13 times>, 122, 0 <repeats 81
times>}, {31, 
    0 <repeats 13 times>, 123, 0 <repeats 81 times>}, {32, 0 <repeats 13
times>, 124, 
    0 <repeats 81 times>}, {33, 0 <repeats 13 times>, 125, 0 <repeats 81
times>}, {34, 
    0 <repeats 13 times>, 126, 0 <repeats 81 times>}, {35, 0 <repeats 13
times>, 127, 
    0 <repeats 81 times>}, {36, 0 <repeats 13 times>, 128, 0 <repeats 81
times>}, {37, 
    0 <repeats 13 times>, 129, 0 <repeats 81 times>}, {24, 0 <repeats 13
times>, 116, 
    0 <repeats 81 times>}, {11, 0 <repeats 13 times>, 103, 0 <repeats 81
times>}, {25, 
    0 <repeats 13 times>, 117, 0 <repeats 81 times>}, {9, 0 <repeats 13
times>, 101, 
    0 <repeats 81 times>}, {12, 0 <repeats 13 times>, 104, 0 <repeats 81
times>}, {
    0 <repeats 96 times>}, {3, 0 <repeats 13 times>, 95, 0 <repeats 81
times>}, {65, 
    0 <repeats 95 times>}, {66, 0 <repeats 95 times>}, {67, 0 <repeats
95 times>}, {68, 
    0 <repeats 95 times>}, {69, 0 <repeats 95 times>}, {70, 0 <repeats
95 times>}, {71, 
    0 <repeats 95 times>}, {72, 0 <repeats 95 times>}, {73, 0 <repeats
95 times>}, {74, 
    0 <repeats 95 times>}, {75, 0 <repeats 95 times>}, {76, 0 <repeats
95 times>}, {77, 
    0 <repeats 95 times>}, {78, 0 <repeats 95 times>}, {79, 0 <repeats
95 times>}, {80, 
    0 <repeats 95 times>}, {81, 0 <repeats 95 times>}, {82, 0 <repeats
95 times>}, {83, 
    0 <repeats 95 times>}, {84, 0 <repeats 95 times>}, {85, 0 <repeats
95 times>}, {86, 
    0 <repeats 95 times>}, {87, 0 <repeats 95 times>}, {88, 0 <repeats
95 times>}, {89, 
    0 <repeats 95 times>}, {90, 0 <repeats 95 times>}, {26, 0 <repeats
13 times>, 118, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}, {19, 0 <repeats 13
times>, 111, 
    0 <repeats 81 times>}, {20, 0 <repeats 13 times>, 112, 0 <repeats 81
times>}, {23, 
    0 <repeats 13 times>, 115, 0 <repeats 81 times>}, {91, 0 <repeats 95
times>}, {39, 
    0 <repeats 13 times>, 131, 0 <repeats 81 times>}, {40, 0 <repeats 13
times>, 132, 
    0 <repeats 81 times>}, {41, 0 <repeats 13 times>, 133, 0 <repeats 81
times>}, {42, 
    0 <repeats 13 times>, 134, 0 <repeats 81 times>}, {43, 0 <repeats 13
times>, 135, 
    0 <repeats 81 times>}, {44, 0 <repeats 13 times>, 136, 0 <repeats 81
times>}, {45, 
    0 <repeats 13 times>, 137, 0 <repeats 81 times>}, {46, 0 <repeats 13
times>, 138, 
    0 <repeats 81 times>}, {47, 0 <repeats 13 times>, 139, 0 <repeats 81
times>}, {48, 
    0 <repeats 13 times>, 140, 0 <repeats 81 times>}, {49, 0 <repeats 13
times>, 141, 
    0 <repeats 81 times>}, {50, 0 <repeats 13 times>, 142, 0 <repeats 81
times>}, {51, 
    0 <repeats 13 times>, 143, 0 <repeats 81 times>}, {52, 0 <repeats 13
times>, 144, 
    0 <repeats 81 times>}, {53, 0 <repeats 13 times>, 145, 0 <repeats 81
times>}, {54, 
    0 <repeats 95 times>}, {55, 0 <repeats 95 times>}, {56, 0 <repeats
95 times>}, {57, 
    0 <repeats 95 times>}, {58, 0 <repeats 95 times>}, {59, 0 <repeats
95 times>}, {60, 
    0 <repeats 95 times>}, {61, 0 <repeats 95 times>}, {62, 0 <repeats
95 times>}, {63, 
    0 <repeats 95 times>}, {64, 0 <repeats 95 times>}, {18, 0 <repeats
13 times>, 110, 
    0 <repeats 81 times>}, {28, 0 <repeats 13 times>, 120, 0 <repeats 81
times>}, {27, 
    0 <repeats 13 times>, 119, 0 <repeats 81 times>}, {17, 0 <repeats 13
times>, 109, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}}
        per = 3.02734375
        per_inc = 0.09765625
        last_per = 0
        last_y = 0
        count = 1025
        pixels = 1024
#1  0x00007fdd02e9da38 in __imlib_LoadImage (
    file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm",
progress=0, 
    progress_granularity=0 '\0', immediate_load=0 '\0', dont_cache=0
'\0', er=0x7fff0de1c99c)
    at image.c:1027
        im = <value optimized out>
        best_loader = (ImlibLoader *) 0x7fdcf673cfc8
        loader_ret = <value optimized out>
#2  0x00007fdd02e89b24 in imlib_load_image_with_error_return (
    file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm",
error_return=0x7fff0de1c9dc)
    at api.c:1328
        im = <value optimized out>
        er = <value optimized out>
        prev_ctxt_image = (Imlib_Image) 0x7fdcf2555f90
#3  0x000000000042ea3c in image_new_from_file (
    filename=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm")
    at /home/jdanjou/Work/src/awesome/src/image.c:141
        imimage = (Imlib_Image) 0x7fdcefeb96f0
        e = IMLIB_LOAD_ERROR_NONE
        image = (image_t *) 0x7fff0de1ca40
        __FUNCTION__ = "image_new_from_file"
#4  0x000000000042eadd in luaA_image_new (L=0x7fdcffad4d98)
    at /home/jdanjou/Work/src/awesome/src/image.c:172
        image = (image_t *) 0x7fdcffad4d98
        filename = 0x7fdcf9024fd8
"/usr/share/pixmaps/atlantikdesigner.xpm"
[…]

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libimlib2 depends on:
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgif4                4.1.6-6           library for GIF images (library)
ii  libid3tag0             0.15.1b-10        ID3 tag reading library from the M
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libtiff4               3.8.2-11          Tag Image File Format (TIFF) libra
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libimlib2 recommends no packages.

libimlib2 suggests no packages.

-- no debconf information

-- 
Julien Danjou
// ᐰ <julien@danjou.info>   http://julien.danjou.info
// 9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
// Don't give up.
[atlantikdesigner.xpm (image/x-xpixmap, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Danjou <acid@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:42:12 GMT) (full text, mbox, link).


Message #10 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Julien Danjou <acid@debian.org>
To: 505714@bugs.debian.org
Subject: Re: Bug#505714: Acknowledgement (Crash on loading XPM file)
Date: Fri, 14 Nov 2008 16:41:15 +0100
[Message part 1 (text/plain, inline)]
I opened bug #547 on bugs.enlightenment.org.

Cheers,
-- 
Julien Danjou
.''`.  Debian Developer
: :' : http://julien.danjou.info
`. `'  http://people.debian.org/~acid
  `-   9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Wed, 19 Nov 2008 20:42:09 GMT) (full text, mbox, link).


Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, ljlane@debian.org (Laurence J. Lane). (Wed, 19 Nov 2008 20:42:13 GMT) (full text, mbox, link).


Message #15 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Peter De Wachter <pdewacht@gmail.com>
To: Debian Bug Tracking System <505714@bugs.debian.org>
Subject: libimlib2-dev: another imlib2 xpm buffer overflow
Date: Wed, 19 Nov 2008 21:39:50 +0100
Package: libimlib2-dev
Version: 1.4.0-1.1
Tags: security
Followup-For: Bug #505714

This is another buffer overflow in the XPM loader. (The xpm attached
to this bug report is a 32x32 image according to the header, but
contains 33x32 pixels.)

--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
                                  return 0;
                               }
                             ptr = im->data;
-                            end = ptr + (sizeof(DATA32) * w * h);
                             pixels = w * h;
+                            end = ptr + pixels;
                          }
                        else
                          {
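Review bot: the removed line computes the bound in bytes but applies it to a `DATA32 *`: pointer arithmetic already advances `ptr` by `sizeof(DATA32)` per step, so `ptr + (sizeof(DATA32) * w * h)` lands sizeof(DATA32) times w*h pixels past `im->data`, and the loop's `ptr < end` guard let writes continue well beyond the w*h-pixel buffer; that is how the extra row of the attached 33x32 image got through. `end = ptr + pixels` on the added line is the right bound, and computing it directly after `pixels = w * h` keeps the two from drifting apart. The bound is only as good as the checks on w and h that precede the `return 0;` at the top of the hunk; a short comment on the new line noting that `end` counts pixels, not bytes, would stop the original mistake from being reintroduced.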




Tags added: security, patch Request was from pdewacht@gmail.com (Peter De Wachter) to control@bugs.debian.org. (Wed, 19 Nov 2008 21:33:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sat, 22 Nov 2008 10:23:55 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sat, 22 Nov 2008 10:23:55 GMT) (full text, mbox, link).


Message #22 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714@bugs.debian.org
Subject: imlib2: diff for NMU version 1.4.0-1.2
Date: Sat, 22 Nov 2008 11:18:22 +0100
tags 505714 + patch pending
thanks

Hi Laurance,

Here is the NMU for imlib2 (versioned as 1.4.0-1.2), to be uploaded.

Kind regards

T.

diff -u imlib2-1.4.0/debian/control imlib2-1.4.0/debian/control
--- imlib2-1.4.0/debian/control
+++ imlib2-1.4.0/debian/control
@@ -2,7 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Laurence J. Lane <ljlane@debian.org>
-Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
+Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
 Standards-Version: 3.7.2
 
 Package: libimlib2
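Review bot: the Build-Depends change from libungif4-dev to libgif-dev is unrelated to the XPM loader fix this security NMU is for, and it changes which GIF library the package is built against; for an urgency=high upload it would be better either left to the maintainer or justified in the changelog entry, which only records that it was done, not why. The same applies to the matching Depends change for libimlib2-dev in the following hunk.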
@@ -22,7 +22,7 @@
 Architecture: any
 Section: libdevel
 Replaces: libimlib2
-Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
+Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
 Description: Imlib2 development files
  Headers, static libraries and documentation for developing
  software that uses Imlib2.
diff -u imlib2-1.4.0/debian/libimlib2-dev.doc-base imlib2-1.4.0/debian/libimlib2-dev.doc-base
--- imlib2-1.4.0/debian/libimlib2-dev.doc-base
+++ imlib2-1.4.0/debian/libimlib2-dev.doc-base
@@ -3,7 +3,7 @@
 Author: Carsten Haitzler
 Abstract: This document describes Imlib2 API
  and provides sample C code.
-Section: Apps/Programming
+Section: Programming
 
 Format: HTML
 Index: /usr/share/doc/libimlib2-dev/html/index.html
diff -u imlib2-1.4.0/debian/changelog imlib2-1.4.0/debian/changelog
--- imlib2-1.4.0/debian/changelog
+++ imlib2-1.4.0/debian/changelog
@@ -1,3 +1,13 @@
+imlib2 (1.4.0-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
+    Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
+  * Change libungif4-dev to libgif-dev in (Build-)Depends.
+  * Fix doc-base section to drop Apps/.
+
+ -- Thomas Viehmann <tv@beamnet.de>  Sat, 22 Nov 2008 10:45:27 +0100
+
 imlib2 (1.4.0-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
--- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
+++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
                                  return 0;
                               }
                             ptr = im->data;
-                            end = ptr + (sizeof(DATA32) * w * h);
                             pixels = w * h;
+                            end = ptr + pixels;
                          }
                        else
                          {
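Review bot: this hunk is identical to the patch posted in message #15, so the review there applies unchanged. Two things the NMU could still add: a one-line comment above `end = ptr + pixels` stating that the bound counts pixels, not bytes, and some record of the regression case (the attached atlantikdesigner.xpm, a 32x32 header carrying 33x32 pixels) beyond the changelog credit, so that whoever next touches the loader can re-run it.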




Tags added: patch, pending Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Sat, 22 Nov 2008 10:23:57 GMT) (full text, mbox, link).


Reply sent to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility. (Sat, 22 Nov 2008 10:57:17 GMT) (full text, mbox, link).


Notification sent to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer. (Sat, 22 Nov 2008 10:57:17 GMT) (full text, mbox, link).


Message #29 received at 505714-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714-close@bugs.debian.org
Subject: Bug#505714: fixed in imlib2 1.4.0-1.2
Date: Sat, 22 Nov 2008 10:32:06 +0000
Source: imlib2
Source-Version: 1.4.0-1.2

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:

imlib2_1.4.0-1.2.diff.gz
  to pool/main/i/imlib2/imlib2_1.4.0-1.2.diff.gz
imlib2_1.4.0-1.2.dsc
  to pool/main/i/imlib2/imlib2_1.4.0-1.2.dsc
libimlib2-dev_1.4.0-1.2_amd64.deb
  to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.2_amd64.deb
libimlib2_1.4.0-1.2_amd64.deb
  to pool/main/i/imlib2/libimlib2_1.4.0-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Nov 2008 10:45:27 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.2
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description: 
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 505714
Changes: 
 imlib2 (1.4.0-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
     Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
   * Change libungif4-dev to libgif-dev in (Build-)Depends.
   * Fix doc-base section to drop Apps/.
Checksums-Sha1: 
 0ac5b27856033fe044dda2d157ca48e70f33a26a 1123 imlib2_1.4.0-1.2.dsc
 8462b934a996ebd9814d086b40b09ac5bebd281e 56377 imlib2_1.4.0-1.2.diff.gz
 c4c49877be44061131655510849f256676ec82c4 220114 libimlib2_1.4.0-1.2_amd64.deb
 00b041b75b8c98d94cf18e6eb265b265b0ed52f8 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Checksums-Sha256: 
 99cae7fbe6426c130a808662a35976129a648b604e574e29ed08fbf8e3d11251 1123 imlib2_1.4.0-1.2.dsc
 ea0b668fd7a55756ae1d41baccbe5cea5135f598069b09cad2664fa492c0d447 56377 imlib2_1.4.0-1.2.diff.gz
 af6d7c11f3ef06c7b62a4763f2f5f6e3ec80d95aa894a4378cdef8117110dbce 220114 libimlib2_1.4.0-1.2_amd64.deb
 96bf4018e57ce49e7a035efae20eeda88fa8763b394d300a3a467ef28c86d7ab 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Files: 
 45a9571b3454a8a56cf50e8eddc8406f 1123 libs optional imlib2_1.4.0-1.2.dsc
 ea54608fda300822f84e8d245dae21d9 56377 libs optional imlib2_1.4.0-1.2.diff.gz
 6306baa5fed31c0872d6c2912e202639 220114 libs optional libimlib2_1.4.0-1.2_amd64.deb
 b777111fd09c13eb939464f230cc9080 371766 libdevel optional libimlib2-dev_1.4.0-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkn3KwACgkQriZpaaIa1PmTtQCggejcP52dSEY/zCsejEYzD0+s
Qw8AoLdEois+BD7V4NaJ/nAG0viyG0uA
=nG7Y
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:03:03 GMT) (full text, mbox, link).


Message #34 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Bas Zoetekouw <bas@debian.org>
To: Thomas Viehmann <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:00:36 +0100
Hi!

> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> @@ -246,8 +246,8 @@
>                                   return 0;
>                                }
>                              ptr = im->data;
> -                            end = ptr + (sizeof(DATA32) * w * h);
>                              pixels = w * h;
> +                            end = ptr + pixels;
>                           }
>                         else
>                           {

Are you sure this patch actually fixes the bug reported here?  I agree
that the use of sizeof(DATA32) here is definitely a bug and should be
fixed, but I'm not sure that that's all there is to it.

The reporter of the bug as well as the CVE say the actual problem here
is that the height and width are read from the header, and might not be
the actual size of the picture being loaded.  I don't see how this patch
fixes that issue (although I must confess I haven't looked at the code in
detail).

Concretely: can't w*h still overflow in the code above, for a suitably crafted
header?

Kind regards,
Bas.

-- 
+--------------------------------------------------------------+
| Bas Zoetekouw      | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie:      |
| bas@zoetekouw.net  | The dew shall weep thy fall tonight;    |
+--------------------|                    For thou must die.   |
                     +-----------------------------------------+




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:24:06 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:24:06 GMT) (full text, mbox, link).


Message #39 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: Bas Zoetekouw <bas@debian.org>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:22:27 +0100
Hi,

thanks for your attention to this.

Bas Zoetekouw wrote:
>> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> @@ -246,8 +246,8 @@
>>                                   return 0;
>>                                }
>>                              ptr = im->data;
>> -                            end = ptr + (sizeof(DATA32) * w * h);
>>                              pixels = w * h;
>> +                            end = ptr + pixels;
>>                           }
>>                         else
>>                           {
> 
> Are you sure this patch actually fixes the bug reported here?  I agree
> that the use of sizeof(DATA32) here is definitely a bug and should be
> fixed, but I'm not sure that that's all there is to it.
> 
> The reporter of the bug as well as the CVE say the actual problem here
> is that the height and width are read from the header, and might not be
> the actual size of the picture being loaded.  I don't see how this patch
> fixes that issue (although I must confess I haven't looked at the code in
> detail).
> 
> Concretely: can't w*h still overflow in the code above, for a suitably crafted
> header?
ptr and end are both DATA32*.

ptr is initialized to
  im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);

(im->w and im->h are equal to w and h, respectively) and later on this
is used as

for (i = 0;
     ((i < 65536) && (ptr < end) && (line[i]));
     i++)
{
...
  *ptr++ = ...
}

I think this should be OK even if end ends up < ptr because one of w,h
is negative for some reason or an overflow, but I'm more happy to be
corrected than to have imlib2 in the release with an incorrect patch. :)

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 21:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 21:36:03 GMT) (full text, mbox, link).


Message #44 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Peter De Wachter <pdewacht@gmail.com>
To: Thomas Viehmann <tv@beamnet.de>, Bas Zoetekouw <bas@debian.org>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 22:31:43 +0100
On Sun, 23 Nov 2008 20:22:27 +0100
Thomas Viehmann <tv@beamnet.de> wrote:

> > Concretely: can't w*h still overflow in the code above, for a
> > suitably crafted header?
> ptr and end are both DATA32*.
> 
> ptr is initialized to
>   im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
> 
> (im->w and im->h are equal to w and h, respectively) and later on this
> is used as
> 
> for (i = 0;
>      ((i < 65536) && (ptr < end) && (line[i]));
>      i++)
> {
> ...
>   *ptr++ = ...
> }
> 
> I think this should be OK even if end ends up < ptr because one of
> w,h is negative for some reason or an overflow, but I'm more happy to
> be corrected than to have imlib2 in the release with an incorrect
> patch. :)

The code also checks that w and h are positive and at most 8192.

-- 
Peter De Wachter
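As an added example that is not imlib2's code and not from anyone in this thread, the following C program models the bound computation Thomas and Peter discuss above (messages #39 and #44): a copy loop guarded by `ptr < end`, once with the old byte-scaled bound and once with the corrected `end = ptr + pixels`, fed the situation from this report (a 32x32 header with 146 colours and 2 chars per pixel, the values in the original backtrace, but 33x32 pixels of data). The helper names (`parse_xpm_values`, `header_accepted`, `simulate_copy`, `overrun_for_report_case`), the `XPM_MAX_DIM` constant standing in for the 8192 limit Peter mentions, and the pixel stream are constructed for the example; the destination buffer is deliberately over-allocated so the old bound can be exercised without corrupting memory, and the functions return how many pixels would have landed past the w*h image.

```c
/* Added example, not imlib2 code: models the `end` bound from the
 * loader_xpm.c hunk in this bug. Helper names, the XPM_MAX_DIM value and
 * the 33x32-pixel test stream are constructed for the example. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t DATA32;     /* imlib2's pixel type: 4 bytes per pixel */
#define XPM_MAX_DIM 8192     /* w,h limit referred to in message #44 (assumed value) */

/* Parse the XPM "<w> <h> <ncolors> <cpp>" values line and apply range
 * checks. Returns 0 on success, -1 on a malformed or out-of-range header. */
static int parse_xpm_values(const char *line, int *w, int *h, int *ncolors, int *cpp)
{
    if (sscanf(line, "%d %d %d %d", w, h, ncolors, cpp) != 4)
        return -1;
    if (*w < 1 || *w > XPM_MAX_DIM || *h < 1 || *h > XPM_MAX_DIM)
        return -1;
    if (*ncolors < 1 || *cpp < 1)
        return -1;
    return 0;
}

/* Convenience wrapper: 1 if the values line passes the checks, else 0. */
static int header_accepted(const char *line)
{
    int w, h, ncolors, cpp;
    return parse_xpm_values(line, &w, &h, &ncolors, &cpp) == 0;
}

/* Run the loader's copy-loop shape ("ptr < end" guards every write) over a
 * stream of stream_len pixels, using either the old or the fixed bound.
 * The destination is over-allocated so the old, too-large bound can be
 * exercised safely; the return value is the number of pixels written past
 * the w*h image, i.e. the overrun the real loader would have suffered. */
static size_t simulate_copy(int w, int h, size_t stream_len, int use_fixed_bound)
{
    size_t pixels = (size_t)w * (size_t)h;      /* what im->data holds */
    size_t slack  = sizeof(DATA32) * pixels;    /* room for the old bound */
    DATA32 *data = calloc(pixels + slack, sizeof(DATA32));
    if (!data)
        return (size_t)-1;

    DATA32 *ptr = data;
    DATA32 *end;
    if (use_fixed_bound)
        end = ptr + pixels;                      /* hunk: end = ptr + pixels */
    else
        end = ptr + (sizeof(DATA32) * w * h);    /* old line: scaled twice */

    size_t i = 0;
    while (ptr < end && i < stream_len) {        /* the loader's guard */
        *ptr++ = (DATA32)0x00FF0000 | (DATA32)i; /* constructed pixel value */
        i++;
    }
    size_t written = (size_t)(ptr - data);
    free(data);
    return written > pixels ? written - pixels : 0;
}

/* The case from this report: the header says 32x32 (1024 pixels) but the
 * file carries 33x32 = 1056 pixels. */
static size_t overrun_for_report_case(int use_fixed_bound)
{
    int w, h, ncolors, cpp;
    const char *values = "32 32 146 2";          /* constructed values line */
    if (parse_xpm_values(values, &w, &h, &ncolors, &cpp) != 0)
        return (size_t)-1;
    return simulate_copy(w, h, 33 * 32, use_fixed_bound);
}

int main(void)
{
    printf("old bound:   %zu pixels written past the image\n", overrun_for_report_case(0));
    printf("fixed bound: %zu pixels written past the image\n", overrun_for_report_case(1));
    printf("oversized header rejected: %s\n", header_accepted("9000 32 1 1") ? "no" : "yes");
    return 0;
}
```

With the old bound all 1056 pixels are accepted and 32 of them land past the image; with the fixed bound the loop stops at exactly 1024, which is also why a negative or oversized w or h never reaches the loop: the values line is rejected first.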




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Tue, 25 Nov 2008 11:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Tue, 25 Nov 2008 11:51:04 GMT) (full text, mbox, link).


Message #49 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Bas Zoetekouw <bas@debian.org>
To: Thomas Viehmann <tv@beamnet.de>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Tue, 25 Nov 2008 12:48:14 +0100
Hi Thomas!

You wrote:

> I think this should be OK even if end ends up < ptr because one of w,h
> is negative for some reason or an overflow, but I'm more happy to be
> corrected than to have imlib2 in the release with an incorrect patch. :)

I see.
Thanks for your analysis, and sorry for the noise.

Regards,
Bas.

-- 
+--------------------------------------------------------------+
| Bas Zoetekouw      | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie:      |
| bas@zoetekouw.net  | The dew shall weep thy fall tonight;    |
+--------------------|                    For thou must die.   |
                     +-----------------------------------------+




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Dec 2008 07:26:03 GMT) (full text, mbox, link).


Bug unarchived. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:09 GMT) (full text, mbox, link).


Bug marked as found in version 1.4.0-1. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 15:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 15:00:22 GMT) (full text, mbox, link).


Message #60 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714@bugs.debian.org
Subject: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 15:51:04 +0100
Hi Laurence,

apologies for misspelling your name in my communication of this bug
report. Nonetheless I would suggest to not drop the security bug fix for
#505714. Generally, it might be a good idea to make a habit out of
incorporating NMUs as per Developer's Reference 5.11.6.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 17:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Laurence J. Lane" <ljlane@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 17:18:06 GMT) (full text, mbox, link).


Message #65 received at 505714@bugs.debian.org (full text, mbox, reply):

From: "Laurence J. Lane" <ljlane@debian.org>
To: "Thomas Viehmann" <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 12:14:48 -0500
On Mon, Jan 12, 2009 at 9:51 AM, Thomas Viehmann <tv@beamnet.de> wrote:

> apologies for misspelling your name in my communication of this bug
> report. Nonetheless I would suggest to not drop the security bug fix for
> #505714. Generally, it might be a good idea to make a habit out of
> incorporating NMUs as per Developer's Reference 5.11.6.

Oops.




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 19:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 19:06:02 GMT) (full text, mbox, link).


Message #70 received at 505714@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: "Laurence J. Lane" <ljlane@debian.org>
Cc: 505714@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 20:01:59 +0100
# nitpicking the version tracking for Daniel Holbach's reference :)...
found 505714 1.4.2-1
fixed 505714 1.4.2-2
thanks

Hi,

Thanks for the quick fix!

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Bug marked as found in version 1.4.2-1 and reopened. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:04 GMT) (full text, mbox, link).


Bug marked as fixed in version 1.4.2-2. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:05 GMT) (full text, mbox, link).


Reply sent to Jakub Wilk <jwilk@debian.org>:
You have taken responsibility. (Sat, 28 Apr 2012 12:27:03 GMT) (full text, mbox, link).


Notification sent to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer. (Sat, 28 Apr 2012 12:27:06 GMT) (full text, mbox, link).


Message #79 received at 505714-done@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: 505714-done@bugs.debian.org
Subject: Re: Bug#505714: Crash on loading XPM file
Date: Sat, 28 Apr 2012 14:22:00 +0200
This bug is marked as fixed in stable, testing and unstable. There's no 
reason to keep it open. Closing.

-- 
Jakub Wilk




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 May 2012 07:34:53 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:52:27 2019; Machine Name: beach
