Bug 151034 – buffer overflow in bmp handling

Status: RESOLVED WONTFIX
Product: imlib1
Classification: Deprecated
Component: general
Version: unspecified
Hardware/OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: ---
Assigned To: Mark Crichton
QA Contact: gnome[unmaintained]
Depends on:
Blocks:
Reported: 2004-08-25 15:34 UTC by Marcus Meissner
Modified: 2012-02-24 15:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crash.bmp (3.05 KB, image/bmp), 2004-08-25 15:35 UTC, Marcus Meissner
imlib-1.9.14-fix.patch (906 bytes, patch), 2004-08-25 15:35 UTC, Marcus Meissner
imlib-1.9.14-suse-alt-bound.patch (5.46 KB, patch), 2004-08-31 11:59 UTC, Dmitry V. Levin
imlib strace output (3.16 KB, text/plain), 2004-09-06 17:18 UTC, Sune Kloppenborg Jeppesen
imlib-1.9.14-suse-alt-bound.patch (11.49 KB, patch), 2004-09-06 17:26 UTC, Dmitry V. Levin

Description Marcus Meissner 2004-08-25 15:34:34 UTC
View the attached BMP in an imlib 1 based viewer. See it crash.
Comment 1 Marcus Meissner 2004-08-25 15:35:14 UTC
Created attachment 30933: crash.bmp
Comment 2 Marcus Meissner 2004-08-25 15:35:40 UTC
Created attachment 30934: imlib-1.9.14-fix.patch
Patch that fixes the problem.
Comment 3 Mark Crichton 2004-08-27 15:34:04 UTC
Not a security issue. WONTFIX. Please use something written in this century.
Comment 4 Mark Crichton 2004-08-27 15:43:47 UTC
Ok, actually, it could be bad.
Comment 5 Dmitry V. Levin 2004-08-31 11:59:02 UTC
Created attachment 31137: imlib-1.9.14-suse-alt-bound.patch
Here is a patch I'm going to use for updates.
While I'm not sure that the resulting image will be correct, this patch addresses all
potential heap corruption problems found in loader_bmp() so far, and allows loading
as much bmp data as possible.
Comment 6 Sune Kloppenborg Jeppesen 2004-09-06 17:16:50 UTC
Downstream we tried the patch from comment #2 without luck.

Pasting comment:

Chris White 2004-09-06 09:47 PST -------
Something seems wrong here.

I tried with xzgv (which depends on imlib) and tried the exploit, which gave
the correct effect (xzgv took the big one). However, after applying the
patch, re-emerging imlib, and even re-emerging xzgv, it still bites the big
one while loading the exploit file.

I did an strace to make sure, and sure enough it bites the big one shortly
after accessing imlib. I think we should probably upstream this, and I'll
attach the relevant strace output for upstream to look at.
Comment 7 Sune Kloppenborg Jeppesen 2004-09-06 17:18:32 UTC
Created attachment 31333: imlib strace output
Comment 8 Dmitry V. Levin 2004-09-06 17:26:44 UTC
Created attachment 31335: imlib-1.9.14-suse-alt-bound.patch
Proposed patch, take 2.
Patching gdk_imlib/io-bmp.c is not sufficient; Imlib/load.c also requires the same
fix.
Comment 9 Sune Kloppenborg Jeppesen 2004-09-06 18:58:07 UTC
Patch from #8 works fine.
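The bug class the thread is about, as an added example that is not imlib's code and does not describe what crash.bmp actually triggers in loader_bmp(): a toy 8-bpp BMP loader in C that takes the palette count and image dimensions straight from the file header (the unchecked pattern) next to a bounds-checked version that, in the spirit of the patches in comments 5 and 8, validates every header-derived size against the fixed buffers and against the bytes actually supplied, and loads as many rows as the file really contains instead of reading past its end. The BMP field offsets are from the format itself; the function names, the constructed sample files and the test inputs are assumptions made for this example.

```c
/* Added example, not imlib code: a BMP loader that trusts header-declared
 * sizes (the bug class in this report), as an unchecked palette copy beside a
 * bounds-checked 8-bpp loader. Field offsets come from the BMP format; every
 * function name here is invented for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_HDR 54   /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define MAX_PAL 256  /* 8 bpp: at most 256 palette entries of 4 bytes each */

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

struct bmp8 {
    uint32_t width, height;
    uint8_t palette[MAX_PAL * 4];  /* fixed size: the buffer the overflow targets */
    uint8_t *pixels;               /* width*height bytes, top row first */
};

/* Vulnerable pattern: biClrUsed from the file sets the copy length into a
 * 1024-byte array, so a header claiming 100000 colours writes far past it.
 * Kept only for contrast; nothing below calls it. */
void palette_copy_unchecked(struct bmp8 *img, const uint8_t *buf)
{
    uint32_t ncolors = le32(buf + 46);                  /* biClrUsed */
    memcpy(img->palette, buf + BMP_HDR, ncolors * 4);   /* no bound, no length check */
}

/* Hardened loader: each header-derived size is checked against the fixed
 * buffers and against len, the bytes actually supplied. As in comment 5's
 * approach, rows a truncated file lacks are skipped, not read past the end.
 * Returns the number of rows loaded, or -1 if the file is rejected. */
static int load_bmp8_checked(struct bmp8 *img, const uint8_t *buf, size_t len)
{
    if (len < BMP_HDR || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t data_off = le32(buf + 10);
    int32_t w = (int32_t)le32(buf + 18), h = (int32_t)le32(buf + 22);
    uint32_t ncolors = le32(buf + 46);
    if (le32(buf + 14) != 40 || (buf[28] | buf[29] << 8) != 8) return -1;  /* BITMAPINFOHEADER, 8 bpp only */
    if (w <= 0 || h <= 0 || w > 65535 || h > 65535) return -1;  /* top-down (h<0) unsupported; w*h fits size_t */
    if (ncolors == 0) ncolors = MAX_PAL;                         /* 0 means "all 2^bpp entries" */
    if (ncolors > MAX_PAL) return -1;                            /* the check the unchecked copy lacks */
    if (data_off < BMP_HDR + ncolors * 4 || data_off > len) return -1;
    img->width = (uint32_t)w; img->height = (uint32_t)h;
    memset(img->palette, 0, sizeof img->palette);
    memcpy(img->palette, buf + BMP_HDR, (size_t)ncolors * 4);
    size_t stride = ((size_t)w + 3) & ~(size_t)3;                /* rows are padded to 4 bytes */
    img->pixels = calloc((size_t)w * (size_t)h, 1);
    if (!img->pixels) return -1;
    int rows = 0;
    for (uint32_t r = 0; r < img->height; r++) {                 /* file stores rows bottom-up */
        size_t off = data_off + r * stride;
        if (off + (size_t)w > len) break;                        /* short file: keep what we have */
        memcpy(img->pixels + (size_t)(img->height - 1 - r) * (size_t)w, buf + off, (size_t)w);
        rows++;
    }
    return rows;
}

/* Builds a constructed 8-bpp BMP: header, pal_entries palette entries, then
 * rows_present rows, row r filled with the byte r+1. clr_used goes into
 * biClrUsed verbatim so a caller can lie in it. Returns bytes written. */
static size_t make_bmp8(uint8_t *out, size_t cap, uint32_t w, uint32_t h,
                        uint32_t clr_used, uint32_t pal_entries, uint32_t rows_present)
{
    size_t stride = ((size_t)w + 3) & ~(size_t)3;
    size_t data_off = BMP_HDR + (size_t)pal_entries * 4;
    size_t total = data_off + stride * rows_present;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    put32(out + 2, (uint32_t)total);
    put32(out + 10, (uint32_t)data_off);
    put32(out + 14, 40);
    put32(out + 18, w);
    put32(out + 22, h);
    out[26] = 1; out[28] = 8;      /* planes = 1, bits per pixel = 8 */
    put32(out + 46, clr_used);
    for (uint32_t r = 0; r < rows_present; r++)
        memset(out + data_off + r * stride, (int)(r + 1), w);
    return total;
}

/* Builds one constructed file and returns what the checked loader makes of it. */
static int run_case(uint32_t w, uint32_t h, uint32_t clr_used, uint32_t pal_entries, uint32_t rows_present)
{
    uint8_t buf[4096];
    struct bmp8 img = {0};
    size_t n = make_bmp8(buf, sizeof buf, w, h, clr_used, pal_entries, rows_present);
    int rc = load_bmp8_checked(&img, buf, n);
    free(img.pixels);
    return rc;
}

int main(void)
{
    printf("well-formed 4x2: %d rows\n", run_case(4, 2, 2, 2, 2));              /* 2 */
    printf("biClrUsed=100000: %d (rejected)\n", run_case(4, 2, 100000, 2, 2));  /* -1 */
    printf("declares 4 rows, ships 2: %d rows\n", run_case(4, 4, 2, 2, 2));     /* 2 */
    return 0;
}
```

Compiled and run stand-alone, the program shows the three cases that matter here: a well-formed file loads in full, a file whose biClrUsed claims 100000 entries is rejected before anything is copied into the 1024-byte palette, and a file that declares four rows but ships two yields two rows rather than a read past the end of the buffer. The generalisation worth taking from it is the one Dmitry's patch applies to the whole of loader_bmp(): any length that originates in the file must be checked against both the destination buffer and the input length before the copy, and a short file should end the load early rather than let the read run off the end.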
Comment 10 André Klapper 2012-02-24 15:30:18 UTC
According to http://ftp.gnome.org/pub/GNOME/sources/imlib/ the last tarball release was on 24-Sep-2004.
Same for the last code commit: http://git.gnome.org/browse/archive/imlib/log/
Hence this application has been unmaintained for quite a while and its maintainer will not work on it soon. Please feel free to reopen this bug report in the future if anyone takes the responsibility for active development.


