Bug 7

Summary: GIF LZW decoder buffer overflow
Product: SWI-Prolog Reporter: Petr Pisar <ppisar>
Component: xpceAssignee: Jan Wielemaker <bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Highest    
Version: 5.10.x   
Hardware: PC   
OS: Linux   
Attachments: Code to open an image file

Description Petr Pisar 2011-08-18 11:22:02 CEST 
I've been notified by Red Hat security team a GIF decoder in xpce contains
buffer overflow while decoding malformed GIF image
(src/img/gifread.c:LZWReadByte()).

The bug has been verified in 5.10.2 version
(http://www.swi-prolog.org/git/packages/xpce.git/blob/61e1c7ee4820e5ec454cbe22ac942ca43759ef7e:/src/img/gifread.c#l507)
and also in development version.

The flaw is described in Red Hat Bugzilla instance
<https://bugzilla.redhat.com/show_bug.cgi?id=727800>. This bug has been
assigned code CVE-2011-2896.
Comment 1 Jan Wielemaker 2011-08-18 11:54:34 CEST 
Petr,

Thanks.  Should be fixed.  See

http://www.swi-prolog.org/git/packages/xpce.git/commit/bb328029beb148691edc031d9db9cf0a503c8247

     Regards --- Jan
Comment 2 Petr Pisar 2011-08-18 14:21:03 CEST 
Unfortunately this is not complete fix.

The story of CUPS implementation you used continues:
<https://bugzilla.redhat.com/show_bug.cgi?id=727800#c8> →
<http://cups.org/str.php?L3914>. I.e. another patch is needed.


Also there is another problem similar to one from gdk-pixbuf GIF decoder
(CVE-2011-2897) tracked on
<https://bugzilla.redhat.com/show_bug.cgi?id=727081>:

The last argument of LZWReadByte(... , input_code_size) is not checked for
upper bound (MAX_LZW_BITS). `input_code_size' value derives `clear_code' value
and clear_code controls iteration over next[], vals[] and stack[] (sp) those
size is based on MAX_LZW_BITS constant.
Comment 3 Jan Wielemaker 2011-08-18 16:47:17 CEST 
Hi Petr,

Thanks.  I included the patches from http://cups.org/str.php?L3914,
resulting in this patch

http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8

I don't think CVE-2011-2897 bothers this code because there is a
test (line 526) that isn't there in (some of) the other versions:

   if ((code = max_code) < (1 << MAX_LZW_BITS))

Do you agree?
Comment 4 Petr Pisar 2011-08-18 17:25:21 CEST 
(In reply to comment #3)
> Hi Petr,
> 
> Thanks.  I included the patches from http://cups.org/str.php?L3914,
> resulting in this patch
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
> 
> I don't think CVE-2011-2897 bothers this code because there is a
> test (line 526) that isn't there in (some of) the other versions:
> 
>    if ((code = max_code) < (1 << MAX_LZW_BITS))
> 
> Do you agree?

Hm, our security researcher says, the he can get segfault with image
(attachment of <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697>)
from a SDL_variation of CVE-2011-2897. He do the tests with old pl-5.7.11 and
he comments:

> The sdl reproducer segfaults following.
> Value is read here: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l558
> It's shifted to LZWReadByte as input_code_size
> where clear_code is computed: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l438
> a then http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l449

I will investigate it more deeply tomorrow.
Comment 5 Jan Wielemaker 2011-08-18 20:55:25 CEST 
Created attachment 4 [details]
Code to open an image file
Comment 6 Jan Wielemaker 2011-08-18 20:58:39 CEST 
I see.  This issue still reproduces.  Fixed in patch below

http://www.swi-prolog.org/git/packages/xpce.git/commit/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

You can use the attached show.pl as follows:

   % swipl -s show.pl
   ?- show('somefile.gif').

       Cheers --- Jan