Bug 7 - GIF LZW decoder buffer overflow
: GIF LZW decoder buffer overflow
Status: RESOLVED FIXED
Product: SWI-Prolog
Classification: Unclassified
Component: xpce
: 5.10.x
: PC Linux
: Highest normal
Assigned To: Jan Wielemaker
:
:
:
  Show dependency treegraph
 
Reported: 2011-08-18 11:22 CEST by Petr Pisar
Modified: 2014-02-03 03:27 CET (History)
1 user (show)

See Also:


Attachments
Code to open an image file (114 bytes, application/x-perl)
2011-08-18 20:55 CEST, Jan Wielemaker
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Pisar 2011-08-18 11:22:02 CEST
I've been notified by Red Hat security team a GIF decoder in xpce contains
buffer overflow while decoding malformed GIF image
(src/img/gifread.c:LZWReadByte()).

The bug has been verified in 5.10.2 version
(http://www.swi-prolog.org/git/packages/xpce.git/blob/61e1c7ee4820e5ec454cbe22ac942ca43759ef7e:/src/img/gifread.c#l507)
and also in development version.

The flaw is described in Red Hat Bugzilla instance
<https://bugzilla.redhat.com/show_bug.cgi?id=727800>. This bug has been
assigned code CVE-2011-2896.
Comment 1 Jan Wielemaker 2011-08-18 11:54:34 CEST
Petr,

Thanks.  Should be fixed.  See

http://www.swi-prolog.org/git/packages/xpce.git/commit/bb328029beb148691edc031d9db9cf0a503c8247

     Regards --- Jan
Comment 2 Petr Pisar 2011-08-18 14:21:03 CEST
Unfortunately this is not complete fix.

The story of CUPS implementation you used continues:
<https://bugzilla.redhat.com/show_bug.cgi?id=727800#c8> →
<http://cups.org/str.php?L3914>. I.e. another patch is needed.


Also there is another problem similar to one from gdk-pixbuf GIF decoder
(CVE-2011-2897) tracked on
<https://bugzilla.redhat.com/show_bug.cgi?id=727081>:

The last argument of LZWReadByte(... , input_code_size) is not checked for
upper bound (MAX_LZW_BITS). `input_code_size' value derives `clear_code' value
and clear_code controls iteration over next[], vals[] and stack[] (sp) those
size is based on MAX_LZW_BITS constant.
Comment 3 Jan Wielemaker 2011-08-18 16:47:17 CEST
Hi Petr,

Thanks.  I included the patches from http://cups.org/str.php?L3914,
resulting in this patch

http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8

I don't think CVE-2011-2897 bothers this code because there is a
test (line 526) that isn't there in (some of) the other versions:

   if ((code = max_code) < (1 << MAX_LZW_BITS))

Do you agree?
Comment 4 Petr Pisar 2011-08-18 17:25:21 CEST
(In reply to comment #3)
> Hi Petr,
> 
> Thanks.  I included the patches from http://cups.org/str.php?L3914,
> resulting in this patch
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commit/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
> 
> I don't think CVE-2011-2897 bothers this code because there is a
> test (line 526) that isn't there in (some of) the other versions:
> 
>    if ((code = max_code) < (1 << MAX_LZW_BITS))
> 
> Do you agree?

Hm, our security researcher says, the he can get segfault with image
(attachment of <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697>)
from a SDL_variation of CVE-2011-2897. He do the tests with old pl-5.7.11 and
he comments:

> The sdl reproducer segfaults following.
> Value is read here: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l558
> It's shifted to LZWReadByte as input_code_size
> where clear_code is computed: http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l438
> a then http://www.swi-prolog.org/git/packages/xpce.git/blob/30fbc4e030cbef5871e1b96c31458116ce3e2ee8:/src/img/gifread.c#l449

I will investigate it more deeply tomorrow.
Comment 5 Jan Wielemaker 2011-08-18 20:55:25 CEST
Created attachment 4 [details]
Code to open an image file
Comment 6 Jan Wielemaker 2011-08-18 20:58:39 CEST
I see.  This issue still reproduces.  Fixed in patch below

http://www.swi-prolog.org/git/packages/xpce.git/commit/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

You can use the attached show.pl as follows:

   % swipl -s show.pl
   ?- show('somefile.gif').

       Cheers --- Jan
Comment 7 Alexa 2014-02-03 03:27:29 CET
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen live from the domain http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.