Vigil@nce - gdk-pixbuf: memory corruption via read_bitmap_file_data
May 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious XBM image in order to generate
an overflow in applications linked to gdk-pixbuf, which leads to a
denial of service or to code execution.
Severity: 2/4
Creation date: 15/05/2012
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The gdk-pixbuf library creates or edits images.
An XBM (X BitMap) file declares an image as C code:
#define demo_width 4
#define demo_height 6
static char demo_bits[] = { 0x01, 0x00, ... };
The "width" and "height" fields indicate the size of the image,
which is stored in the "bits" array.
The read_bitmap_file_data() function of the io-xbm.c file reads
the definition of an XBM image. However, if the indicated size is
negative, the memory allocated to store "bits" data can be too
short.
An attacker can therefore create a malicious XBM image in order to
generate an overflow in applications linked to gdk-pixbuf, which
leads to a denial of service or to code execution.
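The following C example is added here and is not code from gdk-pixbuf or
from the bulletin. It parses the "width" and "height" of an XBM header and
refuses zero, negative or overflowing sizes before any buffer for "bits"
would be allocated. The function names and the sample headers are
assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample headers: one well-formed, one declaring a negative width. */
static const char XBM_OK[]  = "#define demo_width 4\n#define demo_height 6\n";
static const char XBM_BAD[] = "#define demo_width -4\n#define demo_height 6\n";

/* Hypothetical parser for the "#define <name>_width N" / "_height N" lines; 0 if both found. */
static int xbm_parse_dims(const char *text, long *width, long *height)
{
    int have_w = 0, have_h = 0;
    for (const char *line = text; line && *line; ) {
        char name[64];
        long value;
        if (sscanf(line, "#define %63s %ld", name, &value) == 2) {
            if (strstr(name, "_width"))  { *width = value;  have_w = 1; }
            if (strstr(name, "_height")) { *height = value; have_h = 1; }
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return (have_w && have_h) ? 0 : -1;
}

/* Byte size of the "bits" buffer (8 pixels per byte, each row padded).
 * Returns 0 on success, -1 for zero, negative or overflowing dimensions. */
static int xbm_bits_size(long width, long height, size_t *size)
{
    if (width <= 0 || height <= 0) return -1;   /* negative size: reject */
    size_t bytes_per_line = ((size_t)width + 7) / 8;
    if (bytes_per_line > SIZE_MAX / (size_t)height) return -1;
    *size = bytes_per_line * (size_t)height;
    return 0;
}

/* Parse then validate: buffer size, or 0 when the file must be rejected. */
static size_t xbm_checked_size(const char *text)
{
    long w = 0, h = 0;
    size_t size = 0;
    if (xbm_parse_dims(text, &w, &h) != 0) return 0;
    return xbm_bits_size(w, h, &size) == 0 ? size : 0;
}

int main(void)
{
    printf("ok=%zu bad=%zu\n", xbm_checked_size(XBM_OK), xbm_checked_size(XBM_BAD));
}
```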
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/gdk-pixbuf-memory-corruption-via-read-bitmap-file-data-11629