oss-sec mailing list archives
autotrace: stack-based buffer overflow in bmp parser
From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 16 Apr 2013 17:13:59 +1000
Good morning,
There is a stack-based buffer overflow in autotrace 0.31.1 in
Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates a
buffer on the stack:
91 unsigned char buffer[64];
Later on
169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170 {
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))
We control Bitmap_File_Head.biSize. A value of 0 meets the <= 64
requirement, and 0 - 4 should result in almost 4294967295 bytes being
read into the buffer.
I am told:
""
The same code is in Gimp, it was introduced in commit
d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in
57f805a159874107c6c98065f9aa648c3634b8fd:
https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98
Similar code can also be found in sam2p.
""
On Fedora 18, the issue was caught by FORTIFY_SOURCE.
Murray.
[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458
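Added example, not code from the post, from autotrace or from GIMP: a C model of the length arithmetic described above and of the ReadOK() read, with a hardened check beside it. Assumptions: biSize is modelled as uint32_t, ReadOK as fread(buf, len, 1, fd) != 0 over an in-memory file, and the names read_ok, parse_os2_header, hardened_read_len and run_constructed are hypothetical. The write past the 64-byte stack buffer is counted rather than performed, so the program runs without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_BUF 64     /* input_bmp_reader()'s `unsigned char buffer[64]` */
#define SAMPLE_LEN 200    /* size of the constructed input used below */

/* In-memory stand-in for the FILE* the parser reads from. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_file;

/* Hypothetical model of ReadOK(fd, buf, len), i.e. fread(buf, len, 1, fd) != 0.
 * Like fread, it stores every byte that is available before reporting a
 * short read, so the destination is written even when the call "fails".
 * `cap` is the true size of `dst`: the copy is clamped to it and the bytes
 * that would have landed past the end are counted in *overflow instead of
 * actually corrupting the caller's stack. */
static int read_ok(mem_file *f, unsigned char *dst, size_t cap,
                   size_t want, size_t *overflow)
{
    size_t avail  = f->len - f->pos;
    size_t n      = want < avail ? want : avail;  /* bytes fread would copy */
    size_t stored = n < cap ? n : cap;
    memcpy(dst, f->data + f->pos, stored);
    f->pos   += n;
    *overflow = n - stored;
    return n == want;
}

/* The length expression as written in the parser. biSize is attacker
 * controlled and unsigned (assumed uint32_t here), so biSize - 4 wraps
 * around whenever biSize < 4. */
uint32_t vulnerable_read_len(uint32_t biSize)
{
    return biSize - 4;
}

/* Hardened replacement: biSize must cover the 4 bytes of the size field
 * already consumed, and the remainder must fit the 64-byte buffer.
 * Returns -1 when the header is rejected. */
long long hardened_read_len(uint32_t biSize)
{
    if (biSize < 4 || biSize > HEADER_BUF)
        return -1;
    return (long long)biSize - 4;
}

/* Run the "Probably OS/2 2.x" branch over a file positioned just after the
 * biSize field. Returns how many bytes would have been written beyond
 * buffer[64] (0: the read stayed in bounds or the header was rejected). */
size_t parse_os2_header(const unsigned char *file, size_t filelen,
                        uint32_t biSize, int hardened)
{
    unsigned char buffer[HEADER_BUF];
    mem_file f = { file, filelen, 0 };
    size_t overflow = 0;
    size_t want;

    if (hardened) {
        long long len = hardened_read_len(biSize);
        if (len < 0)
            return 0;                        /* rejected before any read */
        want = (size_t)len;
    } else {
        if (biSize > HEADER_BUF)
            return 0;                        /* original `biSize <= 64` test */
        want = vulnerable_read_len(biSize);  /* biSize 0 -> 4294967292 */
    }
    (void)read_ok(&f, buffer, sizeof buffer, want, &overflow);
    return overflow;
}

/* Constructed input: 200 bytes of filler standing in for the rest of a
 * crafted .bmp. Any file with more than 64 bytes after biSize triggers it. */
size_t run_constructed(uint32_t biSize, int hardened)
{
    unsigned char sample[SAMPLE_LEN];
    memset(sample, 'A', sizeof sample);
    return parse_os2_header(sample, sizeof sample, biSize, hardened);
}

int main(void)
{
    printf("biSize=0,  original code:  %zu bytes past buffer\n", run_constructed(0, 0));
    printf("biSize=0,  hardened check: %zu bytes past buffer\n", run_constructed(0, 1));
    printf("biSize=64, original code:  %zu bytes past buffer\n", run_constructed(64, 0));
    return 0;
}
```

The model also shows why the bug is reachable even though ReadOK() returns failure: fread copies the bytes it could get before it reports the short read, so the stack is overwritten before the `if (!ReadOK(...))` branch runs. A fortified build catches this because the destination size of `buffer` is known at compile time, which matches the FORTIFY_SOURCE abort reported above.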
Current thread:
- autotrace: stack-based buffer overflow in bmp parser Murray McAllister (Apr 16)
- Re: autotrace: stack-based buffer overflow in bmp parser Kurt Seifried (Apr 16)
