retitle 413034 graphicsmagick: Heap overflow in PCX coder.
tag 413034 + security
tag 413034 + patch
severity 413034 grave
thanks

The testcases uncovered two separate problems here. The first one is a
missing error check on SeekBlob(), similar to #413031 and #413032,
allowing for a potential DoS. Once this is fixed, the pcx testcase
causes a heap overflow of the scanline array due to an incorrect
calculation of the maximum array size during allocation. The array is
overflowed with user-provided data. Hence, it might be possible to
exploit this bug, but I haven't investigated in detail.

Daniel.

--- a/coders/pcx.c      Sun Mar 04 19:19:13 2007 +0100
+++ b/coders/pcx.c      Sun Mar 04 19:51:58 2007 +0100
@@ -277,7 +277,9 @@ static Image *ReadPCXImage(const ImageIn
       }
     }
   if (page_table != (ExtendedSignedIntegralType *) NULL)
-    (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET);
+    if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
+        == -1)
+      ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
   count=ReadBlob(image,1,(char *) &pcx_info.identifier);
   for (id=1; id < 1024; id++)
   {
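Review bot: The added check is an unbraced `if` nested directly inside the unbraced `if (page_table != (ExtendedSignedIntegralType *) NULL)` on the line above, which is the shape that later invites a dangling-else or mis-indented extra statement; brace the outer statement: `if (page_table != (ExtendedSignedIntegralType *) NULL) { if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET) == -1) ThrowReaderException(CorruptImageError,ImproperImageHeader,image); }`. The second hunk of this patch (@@ -594) adds the same unbraced seek check inside the loop body and deserves the same braces. Both seek targets are page_table values taken from the file, so rejecting a failed seek is the right call; however ThrowReaderException returns from the reader, and if page_table was heap-allocated earlier in ReadPCXImage it is leaked on both new throw paths, which is worth confirming against the allocation site outside this hunk. ReadPCXImage starts and ends outside the hunk.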
@@ -594,7 +596,9 @@ static Image *ReadPCXImage(const ImageIn
       break;
     if (page_table[id] == 0)
       break;
-    (void) SeekBlob(image,(ExtendedSignedIntegralType) 
page_table[id],SEEK_SET);
+    if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET)
+        == -1)
+      ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
     count=ReadBlob(image,1,(char *) &pcx_info.identifier);
     if ((count != 0) && (pcx_info.identifier == 0x0a))
       {
--- a/coders/pcx.c      Sun Mar 04 20:16:03 2007 +0100
+++ b/coders/pcx.c      Sun Mar 04 21:10:33 2007 +0100
@@ -341,7 +341,7 @@ static Image *ReadPCXImage(const ImageIn
     pcx_packets=(unsigned long) 
image->rows*pcx_info.bytes_per_line*pcx_info.planes;
     pcx_pixels=MagickAllocateMemory(unsigned char *,pcx_packets);
     scanline=MagickAllocateMemory(unsigned char *,Max(image->columns,
-      (unsigned long) pcx_info.bytes_per_line)*pcx_info.planes);
+      (unsigned long) pcx_info.bytes_per_line)*Max(pcx_info.planes,8));
     if ((pcx_pixels == (unsigned char *) NULL) ||
         (scanline == (unsigned char *) NULL))
       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
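Review bot: The widened scanline size still reaches MagickAllocateMemory through unchecked products: `image->rows*pcx_info.bytes_per_line*pcx_info.planes` for pcx_packets and `Max(...)*Max(pcx_info.planes,8)` for scanline are computed in unsigned long from header-derived values, so a large enough header can wrap the size and the allocation succeeds with a buffer far smaller than the decoder will fill. A wrap check before the allocations closes that path, e.g. `if ((pcx_info.bytes_per_line == 0) || (pcx_info.planes == 0) || (pcx_packets/pcx_info.planes/pcx_info.bytes_per_line != image->rows)) ThrowReaderException(CorruptImageError,ImproperImageHeader,image);`, assuming zero-sized headers are not already rejected earlier in the reader. The constant 8 in `Max(pcx_info.planes,8)` is unexplained at the allocation site; add a comment such as `/* decoder can write up to 8 planes' worth of scanline regardless of pcx_info.planes -- confirm against the unpacking loop */`, since that reading is inferred from the fix rather than from code visible here. ReadPCXImage continues beyond this hunk.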
