102328 – Corrupt PCX files crashes gwenview

Bug 102328 - Corrupt PCX files crashes gwenview

Summary: Corrupt PCX files crashes gwenview

Status:	RESOLVED FIXED

Alias:	None

Product:	kdelibs
Classification:	Frameworks and Libraries
Component:	kimgio (show other bugs)
Version:	unspecified
Platform:	unspecified Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	security

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-03-24 00:10 UTC by Bruno Rohee
Modified:	2005-04-26 12:11 UTC (History)
CC List:	0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Zip containing test images (95.59 KB, application/zip) 2005-03-24 14:23 UTC, Bruno Rohee	Details
BABYQUIL.PCX (93.38 KB, image/png) 2005-03-24 16:17 UTC, Waldo Bastian	Details
kimgio_pcx.patch (2.18 KB, patch) 2005-03-24 16:30 UTC, Waldo Bastian	Details
kdelibs/kimgio patch (11.12 KB, patch) 2005-03-24 16:30 UTC, Lubos Lunak	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Bruno Rohee 2005-03-24 00:10:26 UTC

Version:            (using KDE KDE 3.4.0)
Installed from:    I Don't Know
OS:                Linux

Tried on the Debian testing of a colleague, should be up to date, I ignore the exact version.

Some corrupt PCX files crash gwenview badly and it could maybe be exploitable.

To see in action try loading

        http://pobox.com/~newt/test/overflow-8.pcx      15561 bytes
        http://pobox.com/~newt/test/overflow-24.pcx     40334 bytes

That are slightly changed from the valid PCX files

        http://pobox.com/~newt/test/grass-8.pcx         15561 bytes
        http://pobox.com/~newt/test/grass-24.pcx        40334 bytes

If you could mark that bug confidential that would be nice, people could try exploit this. There will be an advisory about that later (there are other programs suffering the same problem).

Comment 1 Bruno Rohee 2005-03-24 14:23:54 UTC

Created attachment 10321 [details]
Zip containing test images

Sorry the URL in the report are not valid anymore

Comment 2 Lubos Lunak 2005-03-24 16:00:37 UTC

Nah, seems to be a false alert. No security problem, just a normal crash. The images have large dimensions, so QImage creation fails, QImage::scanLine() returns NULL and the NULL pointer is used for writing. Nothing else, I don't see how this could be exploitable.

Comment 3 Bruno Rohee 2005-03-24 16:09:27 UTC

OK this is not too bad, some other package use a wrapped around value for malloc() then proceed to write in non allocated memory. 

If no calculation is made using dimensions you are quite safe, you should just maybe add a check because file length is obviously not in sync with the alleged image size...

Comment 4 Waldo Bastian 2005-03-24 16:15:50 UTC

I think there might be a problem if BytesPerLine is larger than w
See also attached image that I found on the web.

Comment 5 Waldo Bastian 2005-03-24 16:17:22 UTC

Created attachment 10324 [details]
BABYQUIL.PCX

Comment 6 Waldo Bastian 2005-03-24 16:30:04 UTC

Created attachment 10325 [details]
kimgio_pcx.patch

Patch, please review carefully for correctness.

Comment 7 Lubos Lunak 2005-03-24 16:30:06 UTC

Created attachment 10326 [details]
kdelibs/kimgio patch

This should take care of the missing checks after QImage creation. But Waldo is
right about the potentional problem.

Comment 8 Dirk Mueller 2005-04-26 12:11:46 UTC

fixed by security update last week.