Bugzilla – Bug 7
GIF LZW decoder buffer overflow
Last modified: 2011-08-18 20:58:39 CEST
I've been notified by Red Hat security team a GIF decoder in xpce contains buffer overflow while decoding malformed GIF image (src/img/gifread.c:LZWReadByte()). The bug has been verified in 5.10.2 version (http://www.swi-prolog.org/git/packages/xpce.git/blob/61e1c7ee4820e5ec454cbe22ac942ca43759ef7e:/src/img/gifread.c#l507) and also in development version. The flaw is described in Red Hat Bugzilla instance <https://bugzilla.redhat.com/show_bug.cgi?id=727800>. This bug has been assigned code CVE-2011-2896.
Petr, Thanks. Should be fixed. See http://www.swi-prolog.org/git/packages/xpce.git/commit/bb328029beb148691edc031d9db9cf0a503c8247 Regards --- Jan
Unfortunately this is not complete fix. The story of CUPS implementation you used continues: <https://bugzilla.redhat.com/show_bug.cgi?id=727800#c8> → <http://cups.org/str.php?L3914>. I.e. another patch is needed. Also there is another problem similar to one from gdk-pixbuf GIF decoder (CVE-2011-2897) tracked on <https://bugzilla.redhat.com/show_bug.cgi?id=727081>: The last argument of LZWReadByte(... , input_code_size) is not checked for upper bound (MAX_LZW_BITS). `input_code_size' value derives `clear_code' value and clear_code controls iteration over next[], vals[] and stack[] (sp) those size is based on MAX_LZW_BITS constant.
Hi Petr, Thanks. I included the patches from http://cups.org/str.php?L3914, resulting in this patch http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8 I don't think CVE-2011-2897 bothers this code because there is a test (line 526) that isn't there in (some of) the other versions: if ((code = max_code) < (1 << MAX_LZW_BITS)) Do you agree?
(In reply to comment #3) > Hi Petr, > > Thanks. I included the patches from http://cups.org/str.php?L3914, > resulting in this patch > > http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8 > > I don't think CVE-2011-2897 bothers this code because there is a > test (line 526) that isn't there in (some of) the other versions: > > if ((code = max_code) < (1 << MAX_LZW_BITS)) > > Do you agree? Hm, our security researcher says, the he can get segfault with image (attachment of <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697>) from a SDL_variation of CVE-2011-2897. He do the tests with old pl-5.7.11 and he comments: > The sdl reproducer segfaults following. > Value is read here: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l558 > It's shifted to LZWReadByte as input_code_size > where clear_code is computed: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l438 > a then http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l449 I will investigate it more deeply tomorrow.
Created attachment 4 [details] Code to open an image file
I see. This issue still reproduces. Fixed in patch below http://www.swi-prolog.org/git/packages/xpce.git/commit/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652 You can use the attached show.pl as follows: % swipl -s show.pl ?- show('somefile.gif'). Cheers --- Jan