Date: Mon, 1 Jun 2015 11:33:48 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7

On Mon, Jun 01, 2015 at 03:06:57 -0500, Fernando Muñoz wrote:
> libwmf is affected by a heap overflow on the function that decodes BMP images.
> 
> WMF files may contain both vector graphics and bitmap components. With
> the attached WMF file, the issue can be reproduced: an overflow
> happens because image_size gets a value of 32, and that space is used to
> allocate data->image.
> 
> src/ipa/ipa/bmp.h, function ReadBMPImage:
> 
> 1129    image_size = bytes_per_line * bmp->height;
> 1131    data->image = (unsigned char*) wmf_malloc (API,image_size);
> 1147        DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
> 
> Inside DecodeImage we have:
> 
> DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
> 
> 874     for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
> 
> But bmp->width * bmp->height has a value of 64, and a write out of
> bounds takes place.
> 
> $ wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
> <partial svg output>
> *** Error in `wmf2svg': free(): invalid next size (fast): 0x091584b8 ***
> 
> ASAN enabled libwmf/wmf2svg shows the problem:
> 
> $ ./src/convert/wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
> <partial svg output>
> ==3400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c268b0 at pc 0x807093e bp 0xbfc3cee8 sp 0xbfc3ced8
> WRITE of size 1 at 0xb5c268b0 thread T0
>     #0 0x807093d in DecodeImage ../../src/ipa/ipa/bmp.h:874
>     #1 0x807093d in ReadBMPImage ../../src/ipa/ipa/bmp.h:1147
>     #2 0x807093d in wmf_ipa_bmp_read ../../src/ipa/ipa/bmp.h:477
>     #3 0x815f013 in meta_dib_brush player/meta.h:2187
>     #4 0x815f013 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:922
>     #5 0x81a5ff5 in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
>     #6 0x804c583 in wmf2svg_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:208
>     #7 0x804f2c5 in wmf2svg_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:439
>     #8 0x804ad78 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:458
>     #9 0xb6efc72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
>     #10 0x804b46e (/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg+0x804b46e)
> 
> 0xb5c268b0 is located 0 bytes to the right of 32-byte region [0xb5c26890,0xb5c268b0)
> allocated by thread T0 here:
>     #0 0xb72d718c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
>     #1 0x80d74a8 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482
> 
> This causes a Denial of Service, or could cause code execution, since
> DecodeImage writes the data of the run-length decoded image to
> data->image.

For the record, the upstream developer was contacted but he did not reply and
there's currently no patch fixing this.

Cheers
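An added illustration of the size mismatch the report describes, not code from libwmf or from either poster: it recomputes the two bounds from hypothetical header fields (bytes_per_line * height for the allocation, width * height for the decoder's zero-fill loop) and shows one hardened allocation path. The header struct, the byte-rounded stride, the cap value and the 8x8 at 4 bpp sample that yields the report's 32 versus 64 bytes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the BMP header fields the report refers to
   (hypothetical; not libwmf's wmfBMP). */
typedef struct { uint32_t width, height; uint16_t bits_per_pixel; } bmp_hdr;

/* Row stride as a BMP reader computes it (assumed: bits rounded up to whole bytes). */
static uint64_t bytes_per_line(const bmp_hdr *b) {
    return ((uint64_t)b->width * b->bits_per_pixel + 7) / 8;
}

/* Bytes covered by the allocation in the report: bytes_per_line * height. */
uint64_t alloc_size(const bmp_hdr *b) { return bytes_per_line(b) * b->height; }

/* Bytes the decoder's zero-fill loop touches: one byte per pixel, width * height. */
uint64_t decode_touches(const bmp_hdr *b) { return (uint64_t)b->width * b->height; }

/* 1 when the decoder would write past the allocation, 0 otherwise.
   Any depth below 8 bits per pixel makes the stride-based size too small. */
int would_overflow(const bmp_hdr *b) { return decode_touches(b) > alloc_size(b); }

/* Hardened allocation: reject degenerate headers, cap the total before further
   arithmetic, and size the buffer by the larger bound so the decoder cannot
   write past it. width*height fits in uint64, so the cap check is safe; keep
   max_bytes well below UINT64_MAX/4. Returns allocated size, or 0 if rejected. */
size_t alloc_image_checked(const bmp_hdr *b, size_t max_bytes, unsigned char **out) {
    *out = NULL;
    if (b->width == 0 || b->height == 0 || b->bits_per_pixel == 0 || b->bits_per_pixel > 32)
        return 0;
    uint64_t need = decode_touches(b);
    if (need > max_bytes) return 0;
    if (alloc_size(b) > need) need = alloc_size(b);
    *out = calloc(1, (size_t)need);
    return *out ? (size_t)need : 0;
}

int main(void) {
    /* Constructed header: 8x8 pixels at 4 bpp gives the report's numbers,
       32 bytes allocated against 64 bytes written. */
    bmp_hdr b = { 8, 8, 4 };
    unsigned char *img = NULL;
    size_t n = alloc_image_checked(&b, 1u << 24, &img);
    printf("alloc=%llu decode=%llu overflow=%d hardened=%zu\n",
           (unsigned long long)alloc_size(&b), (unsigned long long)decode_touches(&b),
           would_overflow(&b), n);
    free(img);
    return 0;
}
```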

