oss-sec mailing list archives
autotrace: stack-based buffer overflow in bmp parser
From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 16 Apr 2013 17:13:59 +1000
Good morning, There is a stack-based buffer overflow in autotrace 0.31.1 in Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates a buffer on the stack: 91 unsigned char buffer[64]; Later on 169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */ 170 { 171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4)) We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 requirements, and 0 - 4 should result in almost 4294967295 bytes being read into the buffer. I am told: "" The same code is in Gimp, it was introduced in commit d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in 57f805a159874107c6c98065f9aa648c3634b8fd: https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7 https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98 Similar code can also be found in sam2p. "" On Fedora 18, the issue was caught by FORTIFY_SOURCE. Murray. [1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458
Current thread:
- autotrace: stack-based buffer overflow in bmp parser Murray McAllister (Apr 16)
- Re: autotrace: stack-based buffer overflow in bmp parser Kurt Seifried (Apr 16)