Bug 102328

Summary: Corrupt PCX files crashes gwenview
Product: [Frameworks and Libraries] kdelibs Reporter: Bruno Rohee <bruno+kde>
Component: kimgioAssignee: security
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Zip containing test images
BABYQUIL.PCX
kimgio_pcx.patch
kdelibs/kimgio patch

Description Bruno Rohee 2005-03-24 00:10:26 UTC
Version:            (using KDE KDE 3.4.0)
Installed from:    I Don't Know
OS:                Linux

Tried on the Debian testing of a colleague, should be up to date, I ignore the exact version.

Some corrupt PCX files crash gwenview badly and it could maybe be exploitable.

To see in action try loading

        http://pobox.com/~newt/test/overflow-8.pcx      15561 bytes
        http://pobox.com/~newt/test/overflow-24.pcx     40334 bytes

That are slightly changed from the valid PCX files

        http://pobox.com/~newt/test/grass-8.pcx         15561 bytes
        http://pobox.com/~newt/test/grass-24.pcx        40334 bytes

If you could mark that bug confidential that would be nice, people could try exploit this. There will be an advisory about that later (there are other programs suffering the same problem).
Comment 1 Bruno Rohee 2005-03-24 14:23:54 UTC
Created attachment 10321 [details]
Zip containing test images

Sorry the URL in the report are not valid anymore
Comment 2 Lubos Lunak 2005-03-24 16:00:37 UTC
Nah, seems to be a false alert. No security problem, just a normal crash. The images have large dimensions, so QImage creation fails, QImage::scanLine() returns NULL and the NULL pointer is used for writing. Nothing else, I don't see how this could be exploitable.
Comment 3 Bruno Rohee 2005-03-24 16:09:27 UTC
OK this is not too bad, some other package use a wrapped around value for malloc() then proceed to write in non allocated memory. 

If no calculation is made using dimensions you are quite safe, you should just maybe add a check because file length is obviously not in sync with the alleged image size...

Comment 4 Waldo Bastian 2005-03-24 16:15:50 UTC
I think there might be a problem if BytesPerLine is larger than w
See also attached image that I found on the web.
Comment 5 Waldo Bastian 2005-03-24 16:17:22 UTC
Created attachment 10324 [details]
BABYQUIL.PCX
Comment 6 Waldo Bastian 2005-03-24 16:30:04 UTC
Created attachment 10325 [details]
kimgio_pcx.patch

Patch, please review carefully for correctness.
Comment 7 Lubos Lunak 2005-03-24 16:30:06 UTC
Created attachment 10326 [details]
kdelibs/kimgio patch

This should take care of the missing checks after QImage creation. But Waldo is
right about the potentional problem.
Comment 8 Dirk Mueller 2005-04-26 12:11:46 UTC
fixed by security update last week.