oss-sec mailing list archives

Re: autotrace: stack-based buffer overflow in bmp parser

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 16 Apr 2013 02:57:11 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2013 01:13 AM, Murray McAllister wrote:

Good morning,

There is a stack-based buffer overflow in autotrace 0.31.1 in 
Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates
a buffer on the stack:

91   unsigned char buffer[64];

Later on

169   else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x
*/ 170     { 171       if (!ReadOK (fd, buffer,
Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 
requirements, and 0 - 4 should result in almost 4294967295 bytes
being read into the buffer.

I am told:

"" The same code is in Gimp, it was introduced in commit 
d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in 
57f805a159874107c6c98065f9aa648c3634b8fd:

https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7 
https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98

Similar code can also be found in sam2p. ""

On Fedora 18, the issue was caught by FORTIFY_SOURCE.

Murray.

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458


Please use CVE-2013-1953 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbRJnAAoJEBYNRVNeJnmTyTUQALq73LhHHyNIrOBq4O8ExhGi
k59+nIh2hl4MLY5gTLzLPpJF582BLfcNuEIdsucHj/5heBofhDFe9E6sXqRV1d2o
ymiT7JDzO4NpWnyln/XbBss0aI5TPVflHaax3/SHC44p5hifudLKZae6Rvh8qFGp
8eqY38tH5fIIqAU3g4ZvQnJrVdRFhojHpdMHBLsdNC1fxMPkN/ksywdr2V1u5l38
sl1DEFJZopGQ7VECTT1//5db0urSqMIBtTs2XR9VkBRX5+4QyJczqzk2m88UNi4q
iuaZ3I9pwN/09V3chkD2B1S3EErRvBD/ql26LZIz5WUtRgAQDW4/F7wFPU0ek0T8
bQbaZUmSxgEO7VPYB+FetjPGCe0pa3U51cViRRXYzWcGxhKZIsWAacxIQQUEvhah
75UHuP7UQf61H5aj7u/RygJU2wo8eevEiVlvRFQgEFZWcWUHKPrt4gqAXBJ/OgaG
ugp/eScOqXVwiW31421cKJzFf4+5OpVAZNkX7UC8H4lxd+BIiSgxhigG2zees+pU
yYP81H0I5rkuuG66OddIOdqBQ//X5MDoWDDcGw+pyd4SGcc3TsxV3wcZi8HhbQOd
k0DpNnIT+9RaTf7HZ6Ir3egwv1Q56LmBBeV9+xJmiThHqPEdANRhcGAyAp7zDSYH
F6S18MuKRRaNZ1h0Pdpv
=Ar0e
-----END PGP SIGNATURE-----

Current thread:

autotrace: stack-based buffer overflow in bmp parser Murray McAllister (Apr 16)
- Re: autotrace: stack-based buffer overflow in bmp parser Kurt Seifried (Apr 16)