
Heap-buffer-overflow when loading an image in imlib_load_image_with_error_return() #709

Closed
Hee-won opened this issue Jun 12, 2023 · 5 comments

Comments

Hee-won commented Jun 12, 2023

Hi there

We want to share that the latest version (3.10) of feh causes a heap-buffer-overflow when executed with a crafted input via the -l argument.

We assume that the invalid memory access happens due to improper processing of malformed input in imlib_load_image_with_error_return(), in spite of the error handling.

Here is the output of the program with AddressSanitizer attached.

Bug Report

AddressSanitizer:DEADLYSIGNAL

=================================================================
==1823579==ERROR: AddressSanitizer: SEGV on unknown address 0x62c000030e80 (pc 0x7f4b9ab30368 bp 0x0000000000e0 sp 0x7fffdec0b838 T0)
==1823579==The signal is caused by a READ memory access.
#0 0x7f4b9ab30367 (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x1367)
#1 0x7f4b9ab31079 in load (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x2079)
#2 0x7f4b9eaa8610 (/lib/x86_64-linux-gnu/libImlib2.so.1+0x23610)
#3 0x7f4b9eaa94f9 (/lib/x86_64-linux-gnu/libImlib2.so.1+0x244f9)
#4 0x7f4b9ea8e889 in imlib_load_image_with_error_return (/lib/x86_64-linux-gnu/libImlib2.so.1+0x9889)
#5 0x561318e7ac6b in feh_load_image /home/ubuntu/targets/feh-3.10_sanitizer/src/imlib.c:352
#6 0x561318e73c7b in feh_file_info_load /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:369
#7 0x561318e73e60 in feh_file_info_preload /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:316
#8 0x561318e74700 in feh_prepare_filelist /home/ubuntu/targets/feh-3.10_sanitizer/src/filelist.c:491
#9 0x561318ea03b0 in init_parse_options /home/ubuntu/targets/feh-3.10_sanitizer/src/options.c:109
#10 0x561318e6caf1 in main /home/ubuntu/targets/feh-3.10_sanitizer/src/main.c:57
#11 0x7f4b9e8b7082 in __libc_start_main ../csu/libc-start.c:308
#12 0x561318e6d06d in _start (/home/ubuntu/targets/feh-3.10_sanitizer/src/feh+0x1806d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x1367)
==1823579==ABORTING

Environment

OS: Ubuntu 20.04.5 LTS / 22.04 LTS
Release: Feh 3.10
Library: imlib2 1.6.1 and imlib2 1.7.4
Program: feh

How to reproduce

$ feh poc-file -l
poc-file is attached.
poc-file.txt

N-R-K commented Jun 15, 2023

imlib2/loaders/tga

What imlib2 version are you using? I fixed a buffer overrun in the TGA loader about 8 months ago.

N-R-K commented Jun 16, 2023

Can confirm that this happens on imlib2 v1.9.1 but doesn't happen on imlib2's master branch.
(For context, the TGA fix was merged into imlib2 v1.10.0).

choonginlee commented

Thanks for your quick response.
I work with the writer, and I'm happy to check this.
We tested feh with imlib2 library version 1.6.1-1ubuntu0.1, which is the latest version supported on Ubuntu 20.
Let me test with the master branch of imlib2.
(https://git.enlightenment.org/old/legacy-imlib2)
I hope I found the correct source code that matches what you said.

choonginlee commented Jun 19, 2023

I tested with the master branch of imlib2 and confirmed that all the vulnerabilities are fixed.
However, installing feh with the Debian-provided packages (imlib2 1.6.1 on Ubuntu 20.04.5 LTS and imlib2 1.7.4 on Ubuntu 22.04 LTS) via apt may lead to severe problems, and that is what users commonly do.
I found the imlib2 >1.10 package in Debian packages thanks to your effort, but I could not get it installed on my systems. I could not find any deb file.

(Plus) I failed to install feh with the master branch of imlib2 by downloading its source on Ubuntu 20.04.5 LTS, whereas it succeeded on Ubuntu 22.04 LTS.
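A small triage helper for the situation discussed in this thread, added here as an example and not code from feh, imlib2 or any of the commenters: it pulls the crashing imlib2 loader module name out of a sanitizer trace like the one in the report, and compares an installed imlib2 version against the release the maintainer says carries the TGA fix (v1.10.0). The sample trace lines are copied from the report above; the pkg-config module name `imlib2` and the Debian package name `libimlib2` used for the version lookup are assumptions, and the script prints nothing for the installed version if neither tool answers.

```sh
#!/bin/sh
# Added example (not feh's or imlib2's own code).
# 1) identify which imlib2 loader a sanitizer trace crashed in
# 2) check whether an installed imlib2 version already contains the fix
#    (the thread states the TGA loader fix was merged into imlib2 v1.10.0)

# Constructed sample: the first two frames of the AddressSanitizer trace from the report.
SAMPLE_TRACE='#0 0x7f4b9ab30367 (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x1367)
#1 0x7f4b9ab31079 in load (/usr/lib/x86_64-linux-gnu/imlib2/loaders/tga.so+0x2079)'

# Version that carries the TGA loader fix, per the maintainer's comment above.
FIXED_IN_TGA="1.10.0"

# Print the name (without .so) of the first imlib2 loader module found in a trace, or nothing.
loader_from_trace() {
    printf '%s\n' "$1" | sed -n 's#.*/imlib2/loaders/\([^/]*\)\.so[+)].*#\1#p' | head -n 1
}

# Return 0 if dotted version $1 >= dotted version $2, comparing components numerically.
# Missing trailing components count as 0, so "1.9" < "1.9.1" and "1.10" == "1.10.0".
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Best-effort lookup of the installed imlib2 version (assumed module/package names).
# Strips a Debian epoch ("1:") and revision ("-1ubuntu0.1") so only the upstream version remains.
installed_imlib2_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --modversion imlib2 2>/dev/null; then
        return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' libimlib2 2>/dev/null | sed 's/^[0-9]*://; s/-.*//'
    fi
}

# Combine both: given a trace and an installed version, print one status word.
#   fixed      - crash is in the TGA loader and the installed version has the fix
#   vulnerable - crash is in the TGA loader and the installed version predates the fix
#   unknown    - crash is in a loader this script has no fix version for
#   noloader   - no imlib2 loader frame in the trace
assess() {
    loader="$(loader_from_trace "$1")"
    case "$loader" in
        tga)
            if version_ge "$2" "$FIXED_IN_TGA"; then echo fixed; else echo vulnerable; fi ;;
        "") echo noloader ;;
        *)  echo unknown ;;
    esac
}

# Direct usage: ./triage.sh /path/to/asan.log  (checks the trace against the local library)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    echo "loader=$(loader_from_trace "$(cat "$1")") status=$(assess "$(cat "$1")" "$(installed_imlib2_version)")"
fi
```

With the versions named in this thread, `assess` reports `vulnerable` for imlib2 1.6.1, 1.7.4 and 1.9.1 and `fixed` for 1.10.0 or later; a trace that crashes in a different loader is reported as `unknown` rather than silently passed.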

derf (Owner) commented Jul 30, 2023

Thanks for reporting this!

Library handling is the distribution's business and outside of feh's scope, so I don't see anything I could fix here.

derf closed this as not planned on Jul 30, 2023