Debian Bug report logs - #414045
libX11: Buffer overflow in XGetPixel().


Package: libx11; Maintainer for libx11 is Debian X Strike Force <>;

Reported by: Sami Liedes <>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions 2:1.0.3-5, 2:1.0.3-6

Fixed in version libx11/2:1.0.3-7

Done: Julien Cristau <>

Bug is archived. No further changes may be made.


Message #85 received at (full text, mbox):

Date: Fri, 23 Mar 2007 10:54:11 -0700
To: Daniel Kobras <>
Cc: Sami Liedes <>,
Subject: Re: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Daniel -

For both the broken.xwd and broken2.xwd files in bug #414045,
the offending operation is in libx11-1.0.3/src/ImUtil.c:505
   *dst++ = *src++;
and in fact it's the src pointer that is out of range.
This suggests it's "only" a DOS problem, or at worst an
information leak problem, but no direct exploit is possible.

A few lines earlier, the src pointer is computed as
      src = &ximage->data[ZINDEX(x, y, ximage)];
where ZINDEX is the macro
#define ZINDEX(x, y, img) ((y) * img->bytes_per_line) + \
    (((x) * img->bits_per_pixel) >> 3)

In the broken.xwd case, x = 0, y = 1838, ximage->bytes_per_line = 66148,
and ximage->bits_per_pixel = 24.  So it's no surprise that
attempting to read ximage->data[121580024] generates a segfault.

broken2.xwd is similar, but the overflow is in the x direction.

The call to XGetPixel in both cases is at
graphicsmagick-1.1.7/coders/xwd.c:388 .

I'll try to figure out which routine should check the indexes
(and against what).

   - Larry
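The index check the message above says is still missing, as an added example (not code from this report, from GraphicsMagick or from libX11): the ZINDEX formula quoted in the report next to a bounds-checked version that validates the coordinates against the image geometry and the computed offset against the real allocation size. The struct img, its field names, the sample image and the checked_zindex/unchecked_zindex names are assumptions for illustration; the broken-image geometry (y = 1838, bytes_per_line = 66148, 24 bpp) is the one from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the XImage fields that XGetPixel's ZPixmap path
 * reads; not libX11's real struct.  data_len is the real allocation size. */
struct img {
    int width, height, bytes_per_line, bits_per_pixel;
    size_t data_len;
    const unsigned char *data;
};

/* Index formula from libX11 ImUtil.c, as quoted in the report. */
#define ZINDEX(x, y, img) ((y) * img->bytes_per_line) + \
    (((x) * img->bits_per_pixel) >> 3)

/* The unchecked computation: with a hostile header it points anywhere. */
long unchecked_zindex(const struct img *im, int x, int y)
{
    return (long)ZINDEX(x, y, im);
}

/* Bounds-checked variant: returns the byte offset of pixel (x, y) only when
 * every byte of that pixel lies inside data, else -1.  The arithmetic is done
 * in 64 bits so header-supplied sizes cannot wrap the product. */
long checked_zindex(const struct img *im, int x, int y)
{
    if (x < 0 || y < 0 || x >= im->width || y >= im->height) return -1;
    if (im->bytes_per_line <= 0 || im->bits_per_pixel <= 0) return -1;
    uint64_t nbytes = ((uint64_t)im->bits_per_pixel + 7) >> 3;
    uint64_t idx = (uint64_t)y * (uint64_t)im->bytes_per_line +
                   (((uint64_t)x * (uint64_t)im->bits_per_pixel) >> 3);
    if (idx > im->data_len || im->data_len - idx < nbytes) return -1;
    return (long)idx;
}

/* Constructed 4x4, 24 bpp image: 12 pixel bytes per row, padded to 16. */
static const unsigned char sample_data[4 * 16] = { 0 };
const struct img sample = { 4, 4, 16, 24, sizeof sample_data, sample_data };
/* Same tiny buffer, but bytes_per_line taken from the broken.xwd analysis. */
const struct img broken = { 4, 4, 66148, 24, sizeof sample_data, sample_data };

int main(void)
{
    printf("unchecked (0,1838): %ld\n", unchecked_zindex(&broken, 0, 1838));
    printf("checked   (0,1838): %ld\n", checked_zindex(&broken, 0, 1838));
    printf("checked   (0,1):    %ld\n", checked_zindex(&broken, 0, 1));
    printf("checked   (2,1):    %ld\n", checked_zindex(&sample, 2, 1));
    return 0;
}
```

The (0,1) case on the broken geometry is the one a width/height check alone would miss: the coordinates are valid, but bytes_per_line from the header makes the offset land far outside the buffer.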
