Bug 790853 - (CVE-2017-17787) heap overread in psp importer / read_creator_block()
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.9.6
Hardware: Other
OS: All
Importance: Normal normal
Target Milestone: 2.10
Assigned To: GIMP Bugs
QA Contact: GIMP Bugs
Depends on:
Blocks:
Reported: 2017-11-26 13:39 UTC by Hanno Böck
Modified: 2017-12-21 11:53 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc file (126 bytes, application/octet-stream)
2017-11-26 13:39 UTC, Hanno Böck

Description Hanno Böck 2017-11-26 13:39:17 UTC
Created attachment 364440
poc file

The attached file will cause a heap out of bounds read access in the function read_creator_block, which can be seen with address sanitizer.

Stack trace:
==18118==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095d5 at pc 0x0000004738a5 bp 0x7ffe1c4c0460 sp 0x7ffe1c4bfc10
READ of size 6 at 0x6020000095d5 thread T0
    #0 0x4738a4 in __interceptor_strlen.part.31 (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4738a4)
    #1 0x7f124e39d0ec in g_string_insert_len (/usr/lib64/libglib-2.0.so.0+0x6c0ec)
    #2 0x51637f in read_creator_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:961:7
    #3 0x51637f in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1835
    #4 0x51637f in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f1251de0afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f1251de0afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f1251de0afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f124d0390cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

0x6020000095d5 is located 0 bytes to the right of 5-byte region [0x6020000095d0,0x6020000095d5)
allocated by thread T0 here:
    #0 0x4da048 in __interceptor_malloc (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4da048)
    #1 0x7f124e3806b8 in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4f6b8)
    #2 0x5159b1 in read_creator_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:889:20
    #3 0x5159b1 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1835
    #4 0x5159b1 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f1251de0afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f1251de0afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f1251de0afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f124d0390cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)
Comment 1 Jehan 2017-12-21 11:53:05 UTC
Master:

commit eb2980683e6472aff35a3117587c4f814515c74d (HEAD -> master, origin/master, origin/HEAD)
Author: Jehan <jehan@girinstud.io>
Date:   Thu Dec 21 12:49:41 2017 +0100

    Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
    
    As any external data, we have to check that strings being read at fixed
    length are properly nul-terminated.

 plug-ins/common/file-psp.c | 6 ++++++
 1 file changed, 6 insertions(+)

2.8:

commit 87ba505fff85989af795f4ab6a047713f4d9381d (HEAD -> gimp-2-8, origin/gimp-2-8)
Author: Jehan <jehan@girinstud.io>
Date:   Thu Dec 21 12:49:41 2017 +0100

    Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
    
    As any external data, we have to check that strings being read at fixed
    length are properly nul-terminated.
    
    (cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)

 plug-ins/common/file-psp.c | 6 ++++++
 1 file changed, 6 insertions(+)
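The pattern behind the report above (a fixed-length string copied into an allocation of exactly that length, then handed to a strlen()-based consumer such as g_string_insert_len) and the kind of check the fix in comment 1 describes, as an added example in C. This is not GIMP's file-psp.c and not the actual patch: the 16-bit length-prefixed field layout, the function names read_string_unsafe / read_string_checked / has_terminator and the str_status codes are constructed for illustration, and the exact logic of the 6-line fix is not visible on this page.

```c
/* Added example, not GIMP's file-psp.c. Shows the over-read pattern from
 * the ASan report beside a checked reader of the kind the fix describes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed field layout (assumption, not the real PSP creator block):
 * a 16-bit little-endian length followed by exactly that many bytes. */
static int read_u16le(const uint8_t *p, size_t avail, uint16_t *out)
{
    if (avail < 2) return -1;
    *out = (uint16_t)(p[0] | (p[1] << 8));
    return 0;
}

/* VULNERABLE pattern, modelled on the ASan report: allocate exactly the
 * declared length, copy the bytes, and return them as if they were a C
 * string. No terminator is ever written, so a caller doing strlen() on a
 * 5-byte region reads 6 bytes, i.e. one past the heap allocation. */
char *read_string_unsafe(const uint8_t *data, size_t data_len, size_t *consumed)
{
    uint16_t len;
    if (read_u16le(data, data_len, &len) < 0) return NULL;
    if ((size_t)len + 2 > data_len) return NULL;
    char *s = malloc(len);                 /* the 5-byte region in the report */
    if (s == NULL) return NULL;
    memcpy(s, data + 2, len);
    *consumed = 2 + (size_t)len;
    return s;                              /* caller will call strlen(s) ... */
}

/* Well-defined probe: is there a NUL within the first len bytes? This is
 * how the test below shows the hazard without triggering the over-read. */
int has_terminator(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

typedef enum {
    STR_OK = 0,
    STR_SHORT_INPUT = 1,      /* length field points past the end of the data */
    STR_NOT_TERMINATED = 2,   /* no NUL inside the fixed-length field */
    STR_ALLOC = 3
} str_status;

/* CHECKED pattern: the field is still read at its fixed length, but a
 * string is only returned if the untrusted bytes are NUL-terminated within
 * that length. The copy is additionally over-allocated by one byte and
 * force-terminated, so a later caller that skips the status check still
 * cannot over-read. */
str_status read_string_checked(const uint8_t *data, size_t data_len,
                               char **out, size_t *consumed)
{
    uint16_t len;
    *out = NULL;
    if (read_u16le(data, data_len, &len) < 0) return STR_SHORT_INPUT;
    if ((size_t)len + 2 > data_len) return STR_SHORT_INPUT;
    if (memchr(data + 2, '\0', len) == NULL) return STR_NOT_TERMINATED;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return STR_ALLOC;
    memcpy(s, data + 2, len);
    s[len] = '\0';
    *out = s;
    *consumed = 2 + (size_t)len;
    return STR_OK;
}

int main(void)
{
    /* Constructed input: declared length 5, five non-NUL bytes, no terminator. */
    const uint8_t bad[] = { 5, 0, 'a', 'b', 'c', 'd', 'e' };
    size_t n = 0;
    char *s = read_string_unsafe(bad, sizeof bad, &n);
    printf("unsafe reader returned %s region, terminator present: %s\n",
           s ? "a 5-byte" : "no", (s && has_terminator(s, 5)) ? "yes" : "no");
#ifdef DEMO_OVERREAD
    /* Build with -fsanitize=address -DDEMO_OVERREAD to get a report like
     * the one in this bug: READ of size 6 next to a 5-byte region. */
    if (s) printf("strlen() says %zu\n", strlen(s));
#endif
    free(s);

    char *o = NULL;
    str_status st = read_string_checked(bad, sizeof bad, &o, &n);
    printf("checked reader status for the same input: %d\n", (int)st);
    free(o);
    return 0;
}
```

The check (reject the field) and the force-termination (allocate len + 1 and write the NUL) are two independent defences; either one alone stops the over-read, and doing both means the first line of defence can be reviewed as a policy decision while the second protects any consumer that assumes a C string.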