Bug 727081 - (CVE-2011-2897) CVE-2011-2897 gdk-pixbuf: GIF loader buffer overflow when initializing decompression tables
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
public=20010601,reported=20110801,sou...
Keywords: Security
Depends On: 731308
Reported: 2011-08-01 05:48 EDT by Tomas Hoger
Modified: 2013-04-30 18:56 EDT
Attachments
Load image using gdk-pixbuf (613 bytes, text/plain), 2011-08-01 05:55 EDT, Tomas Hoger
Description Tomas Hoger 2011-08-01 05:48:32 EDT
GDK's GIF image reader is based on David Koblas' code that is also used in several other GIF image readers.  This code contained an input validation flaw.  The input code size was read from the input GIF file and used to initialize decoding tables without checking the value, leading to a buffer overflow.  Relevant GDK code is:

  static int
  gif_prepare_lzw (GifContext *context)
  {
    ...
    if (!gif_read (context, &(context->lzw_set_code_size), 1)) {
        /*g_message (_("GIF: EOF / read error on image data\n"));*/
        return -1;
    }
    ...
    context->lzw_clear_code = 1 << context->lzw_set_code_size;
    ...
    for (i = 0; i < context->lzw_clear_code; ++i) {
        context->lzw_table[0][i] = 0;
        context->lzw_table[1][i] = i;
    }

The same flaw was previously reported for several other components that include GIF reading code based on David Koblas' parser, such as: gd (CVE-2006-4484), SDL_image (CVE-2007-6697), tk (CVE-2008-0553), netpbm (CVE-2008-0554), cups (CVE-2008-1373).

This problem was corrected upstream long ago:

http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea

The fix can be found in all gdk-pixbuf versions embedded in gtk2 packages, but it seems it never made it to the stand-alone gdk-pixbuf version for gtk+ 1.x.

Gimp corrected this bug ~2 years after GDK:

http://git.gnome.org/browse/gimp/commit/plug-ins/common/gifload.c?id=cac290d093d0c318bbe33a4ff290c2abbd9698d3
Comment 1 Tomas Hoger 2011-08-01 05:55:33 EDT
Created attachment 516104 [details]
Load image using gdk-pixbuf

This only calls gdk_pixbuf_new_from_file() to have the specified image file parsed by gdk-pixbuf.  The crash can be reproduced using the reproducer for SDL_image, see:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697#c1
Comment 2 Tomas Hoger 2011-08-04 04:30:13 EDT
CVE-2011-2897 was assigned here:
  http://thread.gmane.org/gmane.comp.security.oss.general/5646
Comment 3 Tomas Hoger 2011-08-17 06:18:26 EDT
(In reply to comment #0)
> This problem was corrected upstream long ago:
> 
> http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea

Relevant part is addition of this check to gif_prepare_lzw():

+ if (context->lzw_set_code_size > MAX_LZW_BITS) {

It may need some different way to report the error in older gdk-pixbuf versions.


This issue affects gdk-pixbuf packages shipped with Red Hat Enterprise Linux 4 and 5.  The code is not used by other packages in the distribution.  The data written past the end of the buffer is not attacker controlled, which makes it more difficult to exploit for anything but a crash.  Hence we do not plan to address this problem immediately.  It may be fixed in future gdk-pixbuf package updates.
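The unchecked code-size path quoted in comment 0 together with the bounds check from comment 3, as an added example in C that is not gdk-pixbuf's own code: GifContext, gif_read() and try_code_size() are reduced stand-ins modelled on io-gif.c, and MAX_LZW_BITS is assumed to be 12 as upstream defines it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_LZW_BITS 12   /* assumed, as in upstream io-gif.c: codes are <= 12 bits */

/* Reduced stand-in for gdk-pixbuf's GifContext: only the fields used here. */
typedef struct {
    const uint8_t *data;        /* remaining image-data bytes */
    size_t len;
    uint8_t lzw_set_code_size;  /* "LZW minimum code size" byte from the file */
    int lzw_clear_code;
    int lzw_table[2][1 << MAX_LZW_BITS];
} GifContext;

/* Stand-in for gif_read(): copy n bytes, return 0 on a short read. */
static int gif_read(GifContext *ctx, void *buf, size_t n)
{
    if (ctx->len < n)
        return 0;
    memcpy(buf, ctx->data, n);
    ctx->data += n;
    ctx->len -= n;
    return 1;
}

/* gif_prepare_lzw() with the upstream check: the code size read from the file
 * is validated before it sizes the table loop. Without the check a byte such
 * as 0xFF drives the loop far past the 1 << MAX_LZW_BITS table entries.
 * Returns 0 on success, -1 on read error or out-of-range code size. */
static int gif_prepare_lzw(GifContext *ctx)
{
    if (!gif_read(ctx, &ctx->lzw_set_code_size, 1))
        return -1;                       /* EOF / read error on image data */
    if (ctx->lzw_set_code_size > MAX_LZW_BITS)
        return -1;                       /* the fix: reject oversized code size */
    ctx->lzw_clear_code = 1 << ctx->lzw_set_code_size;
    for (int i = 0; i < ctx->lzw_clear_code; ++i) {
        ctx->lzw_table[0][i] = 0;
        ctx->lzw_table[1][i] = i;
    }
    return 0;
}

static GifContext g_ctx;  /* static: the 32 KiB table is too big for small stacks */

/* Feed one constructed code-size byte through gif_prepare_lzw(); returns the
 * resulting clear code, or -1 if the byte was rejected. */
static int try_code_size(uint8_t code_size)
{
    memset(&g_ctx, 0, sizeof g_ctx);
    g_ctx.data = &code_size;
    g_ctx.len = 1;
    return gif_prepare_lzw(&g_ctx) == 0 ? g_ctx.lzw_clear_code : -1;
}
```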
Comment 4 Tomas Hoger 2011-08-17 06:19:30 EDT
Created gdk-pixbuf tracking bugs for this issue

Affects: fedora-all [bug 731308]
