Murray McAllister of the Red Hat Security Response Team has discovered a heap-based buffer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing a small number of color map entries but a large number of colors. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to gimp XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.
Created attachment 829128 [details]
proposed patch for CVE-2013-1978
The attached patch checks that the number of colormap entries isn't less than the number of colors. While it's not clear if the format specification permits file with a higher number of colormap entries than colors, such files can be constructed and are readable by e.g. ImageMagick tools.
Created attachment 829635 [details]
updated patch for CVE-2013-1978
The problem here is that load_image() in file-xwd.c reads XWD image file header. Header contains l_colormap_entries (number of color map entries) and l_ncolors (number of image colors). xwdcolmap buffer used to store color map is allocated to contain space for l_colormap_entries items:
Subsequently, read_xwd_cols() is called to populate the color map buffer.
However, this function uses l_ncolors instead of l_colormap_entries as an upper bound when populating xwdcolmap. Image specifying higher value for l_ncolors than l_colormap_entries causes gimp to overflow the heap based buffer.
This issue was discovered by Murray McAllister of the Red Hat Security Response Team.
Created gimp tracking bugs for this issue:
Affects: fedora-all [bug 1037720]
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html