Bug 102328 - Corrupt PCX files crash gwenview
Summary: Corrupt PCX files crash gwenview
Alias: None
Product: kdelibs
Classification: Frameworks and Libraries
Component: kimgio
Version: unspecified
Platform: unspecified Linux
Importance: NOR crash
Target Milestone: ---
Assignee: security
Depends on:
Reported: 2005-03-24 00:10 UTC by Bruno Rohee
Modified: 2005-04-26 12:11 UTC (History)
CC List: 0 users

See Also:
Latest Commit:
Version Fixed In:

Zip containing test images (95.59 KB, application/zip)
2005-03-24 14:23 UTC, Bruno Rohee
BABYQUIL.PCX (93.38 KB, image/png)
2005-03-24 16:17 UTC, Waldo Bastian
kimgio_pcx.patch (2.18 KB, patch)
2005-03-24 16:30 UTC, Waldo Bastian
kdelibs/kimgio patch (11.12 KB, patch)
2005-03-24 16:30 UTC, Lubos Lunak

Description Bruno Rohee 2005-03-24 00:10:26 UTC
Version:            (using KDE KDE 3.4.0)
Installed from:    I Don't Know
OS:                Linux

Tried on a colleague's Debian testing, which should be up to date; I don't know the exact version.

Some corrupt PCX files crash gwenview badly and it could maybe be exploitable.

To see in action try loading

        http://pobox.com/~newt/test/overflow-8.pcx      15561 bytes
        http://pobox.com/~newt/test/overflow-24.pcx     40334 bytes

They are slightly changed from the valid PCX files

        http://pobox.com/~newt/test/grass-8.pcx         15561 bytes
        http://pobox.com/~newt/test/grass-24.pcx        40334 bytes

If you could mark that bug confidential that would be nice, as people could try to exploit this. There will be an advisory about that later (there are other programs suffering from the same problem).
Comment 1 Bruno Rohee 2005-03-24 14:23:54 UTC
Created attachment 10321 [details]
Zip containing test images

Sorry, the URLs in the report are not valid anymore.
Comment 2 Lubos Lunak 2005-03-24 16:00:37 UTC
Nah, seems to be a false alert. No security problem, just a normal crash. The images have large dimensions, so QImage creation fails, QImage::scanLine() returns NULL and the NULL pointer is used for writing. Nothing else, I don't see how this could be exploitable.
Comment 3 Bruno Rohee 2005-03-24 16:09:27 UTC
OK, this is not too bad; some other packages use a wrapped-around value for malloc() and then proceed to write into non-allocated memory.

If no calculation is made using the dimensions you are quite safe; you should maybe just add a check, because the file length is obviously not in sync with the alleged image size...

Comment 4 Waldo Bastian 2005-03-24 16:15:50 UTC
I think there might be a problem if BytesPerLine is larger than w.
See also attached image that I found on the web.
Comment 5 Waldo Bastian 2005-03-24 16:17:22 UTC
Created attachment 10324 [details]
Comment 6 Waldo Bastian 2005-03-24 16:30:04 UTC
Created attachment 10325 [details]

Patch, please review carefully for correctness.
Comment 7 Lubos Lunak 2005-03-24 16:30:06 UTC
Created attachment 10326 [details]
kdelibs/kimgio patch

This should take care of the missing checks after QImage creation. But Waldo is right about the potential problem.
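The three failure modes raised in Comments 2, 3 and 4 (a pixel buffer that cannot be allocated for the claimed dimensions, size arithmetic that wraps before it reaches malloc(), and a BytesPerLine that disagrees with the width) can all be rejected while parsing the 128-byte header, before any buffer is sized from it. The C++ below is an added example written for this bug page; it is not kimgio's pcx.cpp and not the attached patches. The header offsets are the standard ZSoft PCX layout; the 256 MiB cap, the rejection messages and the helper names (validatePcxHeader, decodePcxRow, makePcx) are assumptions, and the sample files are constructed in code rather than taken from the attachments.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not kimgio's pcx.cpp. Parses the 128-byte ZSoft PCX header
// (little-endian 16-bit fields), rejects headers a decoder cannot safely size
// buffers from, and decodes RLE rows into a buffer sized from BytesPerLine.
struct PcxInfo {
    uint32_t width = 0, height = 0;
    uint8_t bitsPerPixel = 0, nPlanes = 0;
    uint32_t bytesPerLine = 0;   // bytes per plane per row, as stored in the file
    uint64_t rowBytes = 0;       // bytesPerLine * nPlanes: what one decoded row needs
};

static uint16_t rd16le(const uint8_t *p) { return uint16_t(p[0] | (p[1] << 8)); }

// Returns "" when the header is acceptable, otherwise the reason to reject it.
// maxImageBytes is an assumed policy cap standing in for a failed QImage allocation.
std::string validatePcxHeader(const std::vector<uint8_t> &file, PcxInfo &info,
                              uint64_t maxImageBytes = 256ull << 20) {
    if (file.size() < 128) return "truncated header";
    const uint8_t *h = file.data();
    if (h[0] != 0x0A) return "bad manufacturer byte";
    if (h[2] != 1) return "only RLE encoding handled here";
    uint16_t xmin = rd16le(h + 4), ymin = rd16le(h + 6);
    uint16_t xmax = rd16le(h + 8), ymax = rd16le(h + 10);
    if (xmax < xmin || ymax < ymin) return "negative dimensions";
    info.width  = uint32_t(xmax) - xmin + 1;   // at most 65536: no 32-bit overflow here
    info.height = uint32_t(ymax) - ymin + 1;
    info.bitsPerPixel = h[3];
    info.nPlanes = h[65];
    info.bytesPerLine = rd16le(h + 66);
    if (info.bitsPerPixel != 1 && info.bitsPerPixel != 2 &&
        info.bitsPerPixel != 4 && info.bitsPerPixel != 8) return "unsupported bits per pixel";
    if (info.nPlanes < 1 || info.nPlanes > 4) return "unsupported plane count";
    // Comment 4: BytesPerLine below what `width` pixels need is corrupt; above it is legal
    // padding, so row buffers are sized from BytesPerLine, never from width.
    uint32_t neededPerPlane = (info.width * info.bitsPerPixel + 7) / 8;
    if (info.bytesPerLine < neededPerPlane) return "BytesPerLine too small for width";
    info.rowBytes = uint64_t(info.bytesPerLine) * info.nPlanes;
    // Comment 3: size arithmetic in 64 bits, so a wrapped 32-bit product never reaches malloc.
    uint64_t totalBytes = info.rowBytes * info.height;
    if (totalBytes > maxImageBytes) return "image too large";
    // Comment 3: one run byte covers at most 63 output bytes in 2 input bytes, so a body
    // shorter than totalBytes * 2 / 63 cannot describe an image of the alleged size.
    uint64_t body = file.size() - 128;
    if (body < (totalBytes * 2 + 62) / 63) return "file too short for alleged dimensions";
    return "";
}

// Decode one RLE row into `out`, which must be exactly info.rowBytes long.
// `pos` advances through the file; returns false when the input runs out.
bool decodePcxRow(const std::vector<uint8_t> &file, size_t &pos, std::vector<uint8_t> &out) {
    size_t written = 0;
    while (written < out.size()) {
        if (pos >= file.size()) return false;
        uint8_t b = file[pos++];
        size_t count = 1;
        if ((b & 0xC0) == 0xC0) {           // run marker: low 6 bits are the repeat count
            count = b & 0x3F;
            if (pos >= file.size()) return false;
            b = file[pos++];
        }
        // Clamp the run to the row so a run that crosses the row end cannot overrun `out`.
        if (count > out.size() - written) count = out.size() - written;
        for (size_t i = 0; i < count; ++i) out[written++] = b;
    }
    return true;
}

// Decode every row; returns the planar pixel bytes, or an empty vector on any failure.
std::vector<uint8_t> decodePcxPixels(const std::vector<uint8_t> &file) {
    PcxInfo info;
    if (!validatePcxHeader(file, info).empty()) return {};
    std::vector<uint8_t> pixels, row(size_t(info.rowBytes));
    size_t pos = 128;
    for (uint32_t y = 0; y < info.height; ++y) {
        if (!decodePcxRow(file, pos, row)) return {};
        pixels.insert(pixels.end(), row.begin(), row.end());
    }
    return pixels;
}

// Verdict-only wrapper for callers that do not need the parsed PcxInfo.
std::string pcxRejectReason(const std::vector<uint8_t> &file) {
    PcxInfo info;
    return validatePcxHeader(file, info);
}

// Constructed sample builder (not a real file): header with origin (0,0) plus an RLE body.
std::vector<uint8_t> makePcx(uint16_t w, uint16_t h, uint8_t bpp, uint8_t planes,
                             uint16_t bytesPerLine, const std::vector<uint8_t> &body) {
    std::vector<uint8_t> f(128, 0);
    f[0] = 0x0A; f[1] = 5; f[2] = 1; f[3] = bpp;
    f[8] = uint8_t((w - 1) & 0xFF);  f[9] = uint8_t((w - 1) >> 8);
    f[10] = uint8_t((h - 1) & 0xFF); f[11] = uint8_t((h - 1) >> 8);
    f[65] = planes; f[66] = uint8_t(bytesPerLine & 0xFF); f[67] = uint8_t(bytesPerLine >> 8);
    f.insert(f.end(), body.begin(), body.end());
    return f;
}

int main() {
    std::vector<uint8_t> huge = makePcx(60000, 60000, 8, 1, 60000, {});
    std::vector<uint8_t> good = makePcx(4, 2, 8, 1, 4, {0xC4, 0x11, 0x22, 0x33, 0x44, 0x55});
    std::printf("huge: %s\n", pcxRejectReason(huge).c_str());
    std::printf("good: %zu pixel bytes decoded\n", decodePcxPixels(good).size());
    return 0;
}
```

The order of the checks matters: the BytesPerLine-versus-width comparison and the 64-bit size product run before anything is allocated, and the row buffer in decodePcxPixels() is sized from BytesPerLine times planes rather than from the width, which is the buffer-sizing mistake Comment 4 points at. The file-length check is only a lower bound (a file can be longer than the image needs), but it is enough to reject a small file that claims huge dimensions, as Comment 3 suggests.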
Comment 8 Dirk Mueller 2005-04-26 12:11:46 UTC
Fixed by security update last week.