*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

In plib, there is an integer overflow vulnerability that may lead to
arbitrary code execution on the victim's system when a maliciously
crafted input file is loaded.

The vulnerability resides in the ssgLoadTGA() function in the
src/ssg/ssgLoadTGA.cxx file. At line 91, the program reads the 18-byte
header from the given TGA file using fread:

if ( fread(header, 18, 1, f) != 1 )

It then stores the header values into xsize, ysize and bits without
sanitizing them:

// image info
int type = header[2];
int xsize = get16u(header + 12);
int ysize = get16u(header + 14);
int bits  = header[16];

If xsize and ysize are large enough to cause an integer overflow in the
size computation, a too-small heap block is allocated when the new image
is created. This leads to a buffer overrun when the image data is read
into that buffer:

GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];

I attach the maliciously crafted TGA file, which crashes the program as shown below.
$ apt source plib
$ cd plib-1.8.5
$ ./configure && make
$ cd src/ssg
$ gcc -I../../src/sg -I../../src/util test.cxx -lplibssg

where test.cxx is as follows:

#include <stdlib.h>
#include <stdio.h>
#include "ssg.h"

// Minimal harness: hand the file named on the command line to ssgLoadTGA().
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file.tga>\n", argv[0]);
        return 1;
    }
    ssgLoadTGA (argv[1], NULL);
    return 0;
}

$ ./a.out poc.tga
DEBUG: ssgLoadTGA: Loading 'poc.tga', colormap 65535x65535-8.
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)

Thank you.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libplib1 1.8.5-8build2
ProcVersionSignature: Ubuntu 5.8.0-48.54~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-48-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Wed Mar 31 23:54:35 2021
InstallationDate: Installed on 2021-04-01 (0 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: plib
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: plib (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug focal
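As an added illustration (not plib's code and not the reporter's), the following C program mirrors the int-width size arithmetic of the line quoted above on a constructed 65535x65535, 8-bit header to show the wrapped value, and places a hardened size check beside it that rejects such headers. The names get16u, plib_style_size, checked_image_size and the header arrays are assumptions for this example, and __builtin_mul_overflow is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian 16-bit read with the same layout as plib's get16u(). */
static unsigned get16u(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Constructed 18-byte TGA headers (not the attached poc.tga):
 * width at offset 12, height at 14, pixel depth at 16. */
const unsigned char poc_header[18]  = { 0, 1, 1, 0,0,0,0,0, 0,0, 0,0, 0xFF,0xFF, 0xFF,0xFF, 8,  0 };
const unsigned char sane_header[18] = { 0, 0, 2, 0,0,0,0,0, 0,0, 0,0, 64,0,     64,0,     24, 0 };

/* Mirrors the int-width arithmetic of the vulnerable line; the product is
 * formed in uint32_t so the wraparound is well defined for this demo. */
int32_t plib_style_size(const unsigned char header[18])
{
    uint32_t xsize = get16u(header + 12);
    uint32_t ysize = get16u(header + 14);
    uint32_t bits  = header[16];
    return (int32_t)((bits / 8) * xsize * ysize);   /* -131071 for poc_header */
}

/* Hardened variant (hypothetical, not plib's fix): validates the depth,
 * detects multiplication overflow, and enforces a caller-chosen cap.
 * Returns the byte count, or 0 when the header must be rejected. */
size_t checked_image_size(const unsigned char header[18], size_t max_bytes)
{
    size_t xsize = get16u(header + 12);
    size_t ysize = get16u(header + 14);
    unsigned bits = header[16];
    size_t n;
    if (bits != 8 && bits != 16 && bits != 24 && bits != 32) return 0;
    if (xsize == 0 || ysize == 0) return 0;
    /* __builtin_mul_overflow reports wraparound instead of silently truncating. */
    if (__builtin_mul_overflow(xsize, ysize, &n)) return 0;
    if (__builtin_mul_overflow(n, (size_t)(bits / 8), &n)) return 0;
    if (n > max_bytes) return 0;
    return n;
}

int main(void)
{
    printf("vulnerable size: %d bytes\n", plib_style_size(poc_header));
    printf("checked poc: %zu, checked sane: %zu\n",
           checked_image_size(poc_header, (size_t)64u << 20),
           checked_image_size(sane_header, (size_t)64u << 20));
    return 0;
}
```

The negative value from plib_style_size() is what reaches new GLubyte[] in the original code and, converted to an unsigned size, produces the std::bad_alloc seen in the report; the checked variant returns 0 for the crafted header and 12288 for a 64x64 24-bit image.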
-- 
integer overflow for maliciously crafted tga file
https://bugs.launchpad.net/bugs/1922189