Murray McAllister of the Red Hat Security Response Team has discovered a heap-based buffer overflow in the way GIMP, the GNU Image Manipulation Program, performed the loading of certain X Window System (XWD) image dumps containing a small number of color map entries but a large number of colors. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to a gimp XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.
Created attachment 829128 [details] proposed patch for CVE-2013-1978 The attached patch checks that the number of colormap entries isn't less than the number of colors. While it's not clear if the format specification permits files with a higher number of colormap entries than colors, such files can be constructed and are readable by e.g. ImageMagick tools.
Created attachment 829635 [details] updated patch for CVE-2013-1978
The problem here is that load_image() in file-xwd.c reads the XWD image file header. The header contains l_colormap_entries (number of color map entries) and l_ncolors (number of image colors). The xwdcolmap buffer used to store the color map is allocated to contain space for l_colormap_entries items: https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n469 Subsequently, read_xwd_cols() is called to populate the color map buffer. https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n790 However, this function uses l_ncolors instead of l_colormap_entries as an upper bound when populating xwdcolmap. An image specifying a higher value for l_ncolors than l_colormap_entries causes gimp to overflow the heap-based buffer.
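The mismatch described above (a buffer sized from l_colormap_entries, a loop bounded by l_ncolors) is the whole bug, so the fix is a header sanity check before the loop. The following is an added C illustration, not GIMP's file-xwd.c and not the attached patch: it uses the two field names from the report in a hypothetical two-field header struct, parses constructed 12-byte XWDColor records from an in-memory buffer, and applies an assumed hypothetical cap (XWD_MAX_COLORMAP_ENTRIES) that GIMP does not necessarily use.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative subset of the XWD header using the field names from the bug
   report. GIMP's real L_XWDFILEHEADER has many more fields (assumption). */
typedef struct {
    uint32_t l_ncolors;          /* number of XWDColor records following the header */
    uint32_t l_colormap_entries; /* number of entries the colour map buffer is sized for */
} xwd_header_t;

/* Parsed colour map entry; the on-disk XWDColor record is 12 bytes, big-endian. */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} xwd_color_t;

#define XWD_COLOR_DISK_SIZE 12
#define XWD_MAX_COLORMAP_ENTRIES 65536 /* hypothetical upper bound, not GIMP's */

/* The check the vulnerable code lacked: the loop bound (l_ncolors) must never
   exceed the allocation size (l_colormap_entries). Returns 1 if sane, 0 if not. */
int xwd_header_is_sane(const xwd_header_t *hdr)
{
    if (hdr->l_ncolors > hdr->l_colormap_entries)
        return 0;
    if (hdr->l_colormap_entries > XWD_MAX_COLORMAP_ENTRIES)
        return 0;
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hardened loader. data/len stand in for the file bytes after the header.
   Allocates l_colormap_entries entries, fills l_ncolors of them, and returns
   the number filled, or -1 for a rejected or truncated input. */
int load_colormap(const xwd_header_t *hdr, const uint8_t *data, size_t len,
                  xwd_color_t **out)
{
    *out = NULL;
    if (!xwd_header_is_sane(hdr))
        return -1;
    if (len / XWD_COLOR_DISK_SIZE < hdr->l_ncolors) /* truncated file */
        return -1;
    size_t n_alloc = hdr->l_colormap_entries ? hdr->l_colormap_entries : 1;
    xwd_color_t *map = calloc(n_alloc, sizeof *map);
    if (!map)
        return -1;
    /* i < l_ncolors <= l_colormap_entries, so every write stays in bounds */
    for (uint32_t i = 0; i < hdr->l_ncolors; i++) {
        const uint8_t *rec = data + (size_t)i * XWD_COLOR_DISK_SIZE;
        map[i].pixel = be32(rec);
        map[i].red   = be16(rec + 4);
        map[i].green = be16(rec + 6);
        map[i].blue  = be16(rec + 8);
        map[i].flags = rec[10];
        map[i].pad   = rec[11];
    }
    *out = map;
    return (int)hdr->l_ncolors;
}

/* Constructed sample: two XWDColor records, pixel 0 = black, pixel 1 = white. */
static const uint8_t sample_colors[2 * XWD_COLOR_DISK_SIZE] = {
    0, 0, 0, 0,  0, 0,  0, 0,  0, 0,  7, 0,
    0, 0, 0, 1,  0xff, 0xff,  0xff, 0xff,  0xff, 0xff,  7, 0,
};

/* Header of the CVE-2013-1978 shape (more colours than map entries): must be rejected. */
int demo_oversized_ncolors_rejected(void)
{
    xwd_header_t hdr = { .l_ncolors = 2, .l_colormap_entries = 1 };
    xwd_color_t *map;
    int rc = load_colormap(&hdr, sample_colors, sizeof sample_colors, &map);
    return rc == -1 && map == NULL;
}

/* Consistent header: both entries load. Returns the red channel of entry 1 (0xffff). */
int demo_consistent_header_loads(void)
{
    xwd_header_t hdr = { .l_ncolors = 2, .l_colormap_entries = 2 };
    xwd_color_t *map;
    int n = load_colormap(&hdr, sample_colors, sizeof sample_colors, &map);
    int red = (n == 2) ? map[1].red : -1;
    free(map);
    return red;
}

int main(void)
{
    printf("oversized header rejected: %d\n", demo_oversized_ncolors_rejected());
    printf("consistent header, red of entry 1: %d\n", demo_consistent_header_loads());
    return 0;
}
```

The check is placed before any allocation or loop so that a rejected header never reaches the fill loop; the truncation check on `len` is a second, independent bound, because a header that is internally consistent can still promise more records than the file carries.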
Acknowledgment: This issue was discovered by Murray McAllister of the Red Hat Security Response Team.
Created gimp tracking bugs for this issue: Affects: fedora-all [bug 1037720]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html
Upstream commit: https://git.gnome.org/browse/gimp/commit/?id=23f685931e5f000dd033a45c60c1e60d7f78caf4