Bug 286411 (CVE-2008-1096) - CVE-2008-1096 Out of bound write in ImageMagick's XCF coder
Summary: CVE-2008-1096 Out of bound write in ImageMagick's XCF coder
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Depends On: 411341 411361 411371 411381 411391
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-11 17:22 UTC by Red Hat Product Security
Modified: 2019-09-29 12:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-10 20:37:25 UTC
Embargoed:

Attachments (Terms of Use)
The reproducer for the out-of-bound write to ImageMagick's heap (81.99 KB, application/octet-stream)
2007-09-11 17:24 UTC, Lubomir Kundrak 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0145 0 normal SHIPPED_LIVE Moderate: ImageMagick security update 2008-04-17 01:32:11 UTC

Description Lubomir Kundrak 2007-09-11 17:22:42 UTC 
Description of problem:

A fuzzed XCF file causes this to happen:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208990016 (LWP 5846)]
0x00416f49 in load_tile (image=0x8d57e30, tile_image=0x8d60320,
inDocInfo=0xbfbd5450, inLayerInfo=0x8d4bc90, data_length=8389203) at
coders/xcf.c:327
327           q->red    = ScaleCharToQuantum(xcfdata->red);
(gdb) 

I tend to thing that this might be exploitable. Norm, could you please have a
closer look?

Additional info:

This is the cycle where the overflow happens.

 313   q=SetImagePixels(tile_image,0,0,tile_image->columns,tile_image->rows);
 314 
 315   /* we have to copy the pixels individually since IM uses a different
 316      format PixelPacket on different platforms - not to mention
 317      different QuantumDepths!
 318   */
 319   for ( i=0; i < (long) nmemb_read_successfully;i++ ) {
 320     if ( inDocInfo->image_type == GIMP_GRAY ) {
 321       q->red    = ScaleCharToQuantum(*graydata);
 322       q->green  = ScaleCharToQuantum(*graydata);
 323       q->blue    = ScaleCharToQuantum(*graydata);
 324       q->opacity  = ScaleCharToQuantum((Quantum) (255-inLayerInfo->opacity));
 325       graydata++;
 326     } else if ( inDocInfo->image_type == GIMP_RGB ) {
 327       q->red    = ScaleCharToQuantum(xcfdata->red);
 328       q->green  = ScaleCharToQuantum(xcfdata->green);
 329       q->blue    = ScaleCharToQuantum(xcfdata->blue);
 330       q->opacity  = (Quantum) ((int) xcfdata->opacity==0 ?
TransparentOpacity : ScaleCharToQuantum((Quantum) (255-inLayerInfo->opacity)));
 331 
 332       xcfdata++;
 333     };
 334 
 335     q++;
 336   }

Version-Release number of selected component (if applicable):

ImageMagick-6.2.8.0-3.el5.4
Comment 1 Lubomir Kundrak 2007-09-11 17:24:42 UTC 
Created attachment 192731 [details]
The reproducer for the out-of-bound write to ImageMagick's heap
Comment 2 Norm Murray 2008-01-11 10:08:38 UTC 
Investigation on 2.1 shows that ImageMagick doesn't have a native xcf handler,
but instead is relying upon gimp-perl's xcftopnm functionality, and the error in
handling this image is the same as handling a known good xcf file:
# identify ~/working-images/image.xcf
protocol error (1) at /usr/lib/perl5/site_perl/5.6.0/i386-linux/Gimp/Net.pm line 66.
identify: Unable to open file (/tmp/magicGpe6SE/fileEsPyVM) [No such file or
directory].
identify: Missing an image file name.

So this does not have impact for 2.1
Comment 5 Ville Skyttä 2008-03-22 14:14:18 UTC 
GraphicsMagick is reportedly affected too, Cc'ing maintainer.
Comment 7 Red Hat Bugzilla 2009-10-23 19:03:16 UTC 
Reporter changed to security-response-team by request of Jay Turner.
Comment 8 Vincent Danen 2013-04-10 20:37:25 UTC 
This has been corrected in Red Hat Enterprise Linux 3, 4, and 5:

https://access.redhat.com/security/cve/CVE-2008-1096
Note You need to log in before you can comment on or make changes to this bug.