oss-sec mailing list archives
Re: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7
From: cve-assign () mitre org
Date: Tue, 26 Jul 2016 17:32:18 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
A write out-of-bounds parsing an ico file was found in gdk-pixbuf 2.30.7. #0 0x00007fffd83b428c in OneLine32 (context=0x7fffe0029820) at io-ico.c:589 #1 OneLine (context=0x7fffe0029820) at io-ico.c:800 #2 gdk_pixbuf__ico_image_load_increment (data=0x7fffe0029820, buf=0x7fffe001b852 "", size=0, error=0x7fffe9655b68) at io-ico.c:891 The affected function is here: static void OneLine32 (struct ico_progressive_state *context) { gint X; guchar *Pixels; X = 0; if (context->Header.Negative == 0) Pixels = (context->pixbuf->pixels + context->pixbuf->rowstride * (context->Header.height - context->Lines - 1)); else Pixels = (context->pixbuf->pixels + context->pixbuf->rowstride * context->Lines); while (X < context->Header.width) { Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2]; Pixels[X * 4 + 1] = context->LineBuf[X * 4 + 1]; Pixels[X * 4 + 2] = context->LineBuf[X * 4 + 0]; Pixels[X * 4 + 3] = context->LineBuf[X * 4 + 3]; X++; } } The value of context->Header.height in OneLine32 is a very large number (probably it wasn't validated correctly). Such value is used to calculate where to write, resulting in an overflow where Pixels is written.
Use CVE-2016-6352. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXl9U9AAoJEHb/MwWLVhi28xQP/1zBqPYG123HPUFPnXTWGwze sGFujS/ujI5pnHeSG4mQtDVQmAbVwzhBFzzs1OfIsDFNDCvLiZdOJd7EJaTjnjK0 S4yLI65ch0WFZj5ryloElr8Fz3SpPG0fe1pMP7Ozy+XcZQuk6DhWvfXoh7hT1L3g H2+Tk6VLnFukQ14+wFo0QrSg/sYdXnZw1bO7sD6RVuV0Kq/hNeZkk30pAElTe8j4 DmdvGk24KYz7kEjJ7oBH12lLk+fkCar0p6ns34xqjxHmlwH/ZyQv/CFGyONiDuS0 nKQ8sXAYdDUWNZXL+gCksa3xP7RrNckEU1tR7sgxJ05gYtJc2ynmtIzaKcNnPBqQ HZFsdCNH5Jhps7TQgKDO7P5ODfn4TV+npbk0m+9bMycm32ZQIMaJN3ogGCol9fMl HSSReoF8vqp8MN2jXk7/sSeethQBdQGztq0DumaTqAZQgT+hCbCuRGBHKjPWuKDc KJSmjYr6S0vh2uKPgpKp5K2YaFp7wyrFunpYpAlY39OoKmBAvfnH61Ot9zAPNwZk OVn6cXRKNALZvJcYQWpovJQafYXkQjvDZDNSFmf+2IlG63L+xe59s4wyDDFMrfdH NuVT245u/Tzry++Zpd7ngllQnmnXgU9/afi3BJ8kSbYtD4Yv7IBD4jL5BuE7IjUv RZAyaUwhZ7VlgAGBBpN/ =7A2U -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7 Franco Costantini (Jul 13)
- Re: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7 Gustavo Grieco (Jul 26)
- Re: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7 cve-assign (Jul 26)
- Re: Re: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7 Gustavo Grieco (Jul 27)