Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack Buffer Overflow with BMP files - Version 1.9.13 #456

Closed
Voiddy-Dev opened this issue Dec 11, 2021 · 2 comments
Closed

Stack Buffer Overflow with BMP files - Version 1.9.13 #456

Voiddy-Dev opened this issue Dec 11, 2021 · 2 comments
Assignees
@michaelrsweet
Labels
bug Something isn't working priority-medium security Security issue
Milestone
Stable

Comments

@Voiddy-Dev
Copy link

The fix for the issue stack buffer overflow before 1.9.13 does not completely protect against a stack buffer overflow in image_load_bmp().

It is possible to control the read in buffer colormap through the colors_used variable. The previous fix does not mitigate the issue as the color_used is an integer, therefore, regardless of the unsigned return of read_dword(fp) the buffer can be overflowed.

static int			/* O - 0 = success, -1 = fail */
image_load_bmp(image_t *img,	/* I - Image to load into */
               FILE    *fp,	/* I - File to read from */
	       int     gray,	/* I - Grayscale image? */
               int     load_data)/* I - 1 = load image data, 0 = just info */
{
  ...

  uchar		colormap[256][4];
  ...
  colors_used      = (int)read_dword(fp);
  ...
  // Get colormap...
  if (colors_used == 0 && depth <= 8)
    colors_used = 1 << depth;
  else if (colors_used > 256)  // colors_used => 0xffffff00 --> -0x100
    return (-1);
  ...
  fread(colormap, colors_used, 4, fp);
  ...
}

As an example, if colors_used is 0xffffff00 the if statement validates the variable and leads to a buffer overflow.

Impact

  • This buffer overflow can lead to modifying the instruction pointer and can therefore lead to remote code execution.
    image

POC: vuln_htmldoc_1.9.13.zip
@michaelrsweet michaelrsweet self-assigned this Dec 11, 2021
@michaelrsweet michaelrsweet added bug Something isn't working priority-medium security Security issue labels Dec 11, 2021
@michaelrsweet michaelrsweet added this to the Stable milestone Dec 11, 2021
@michaelrsweet
Copy link
Owner

I'm beginning to think that the best solution for this is to drop BMP support entirely - it is a dead format and I've spent far more time fixing potential security issues than I'd like...

michaelrsweet added a commit that referenced this issue Dec 18, 2021
@michaelrsweet
Fix another potential stack overflow issue in the BMP image loader (I…
753c71b 
…ssue #456)

Deprecate BMP support and document that it is going away in a future HTMLDOC
release.
@michaelrsweet
Copy link
Owner

[master 753c71b] Fix another potential stack overflow issue in the BMP image loader (Issue #456)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelrsweet michaelrsweet

Labels
bug Something isn't working priority-medium security Security issue
Projects
None yet
Milestone
Stable
Development

No branches or pull requests
2 participants
@michaelrsweet @Voiddy-Dev