Debian Bug report logs - #414045
libX11: Buffer overflow in XGetPixel().


Package: libx11; Maintainer for libx11 is Debian X Strike Force <debian-x@lists.debian.org>;

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions 2:1.0.3-5, 2:1.0.3-6

Fixed in version libx11/2:1.0.3-7

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.

Forwarded to xorg_security@x.org

Full log


Message #85 received at 414045@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
Date: Fri, 23 Mar 2007 10:54:11 -0700
To: Daniel Kobras <kobras@debian.org>
Cc: Sami Liedes <sliedes@cc.hut.fi>, 414045@bugs.debian.org
Subject: Re: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Message-ID: <20070323175411.GA7579@recycle.lbl.gov>
References: <20070321033746.GA29739@recycle.lbl.gov> <20070321200045.GE13872@antares.tat.physik.uni-tuebingen.de> <20070323163343.GA29523@recycle.lbl.gov>
Daniel -

For both the broken.xwd and broken2.xwd files in bug #414045,
the offending operation is in libx11-1.0.3/src/ImUtil.c:505
   *dst++ = *src++;
and in fact it's the src pointer that is out of range.
This suggests it's "only" a DoS problem, or at worst an
information leak problem, but no direct exploit is possible.

A few lines earlier, the src pointer is computed as
      src = &ximage->data[ZINDEX(x, y, ximage)];
where ZINDEX is the macro
#define ZINDEX(x, y, img) ((y) * img->bytes_per_line) + \
    (((x) * img->bits_per_pixel) >> 3)

In the broken.xwd case, x = 0, y = 1838, ximage->bytes_per_line = 66148,
and ximage->bits_per_pixel = 24.  So it's no surprise that
attempting to read ximage->data[121580024] generates a segfault.

broken2.xwd is similar, but the overflow is in the x direction.

The call to XGetPixel in both cases is at
graphicsmagick-1.1.7/coders/xwd.c:388 .

I'll try to figure out which routine should check the indexes
(and against what).

   - Larry
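The arithmetic Larry describes, and the bounds check he says is missing, as an added worked example in C. This is not code from libX11, GraphicsMagick or the bug reporters: the MiniXImage struct is a cut-down stand-in for Xlib's XImage with an added data_len field, the width/height values and the 64-byte data buffer are made up for the demo (only bytes_per_line = 66148, bits_per_pixel = 24, x = 0, y = 1838 come from the message), and the LSB-first pixel assembly in get_pixel_checked is an assumption rather than Xlib's byte-order handling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-down XImage with only the fields the index computation
 * and the bounds check need, plus data_len, which the real struct lacks. */
typedef struct {
    int width;
    int height;
    int bytes_per_line;
    int bits_per_pixel;
    size_t data_len;          /* bytes actually allocated behind data */
    unsigned char *data;
} MiniXImage;

/* Same formula as libX11's ZINDEX macro: no range check of any kind. */
#define ZINDEX(x, y, img) (((y) * (img)->bytes_per_line) + \
    (((x) * (img)->bits_per_pixel) >> 3))

static long zindex_unchecked(int x, int y, const MiniXImage *img)
{
    return (long)ZINDEX(x, y, img);
}

/* Checked variant: 0 and the byte offset in *out when the whole pixel at
 * (x, y) lies inside img->data, -1 otherwise. uint64_t arithmetic so the
 * check itself cannot overflow for 32-bit inputs. */
static int zindex_checked(int x, int y, const MiniXImage *img, size_t *out)
{
    if (x < 0 || y < 0 || x >= img->width || y >= img->height)
        return -1;
    if (img->bytes_per_line <= 0 || img->bits_per_pixel <= 0)
        return -1;
    uint64_t pixel_bytes = ((uint64_t)img->bits_per_pixel + 7) / 8;
    uint64_t off = (uint64_t)y * (uint64_t)img->bytes_per_line
                 + (((uint64_t)x * (uint64_t)img->bits_per_pixel) >> 3);
    if (off > img->data_len || pixel_bytes > img->data_len - off)
        return -1;
    *out = (size_t)off;
    return 0;
}

/* XGetPixel-like read for ZPixmap images up to 32 bpp. The byte copy loop is
 * the "*dst++ = *src++" from ImUtil.c; here src is validated first.
 * LSB-first byte order is an assumption for the demo. */
static int get_pixel_checked(const MiniXImage *img, int x, int y,
                             unsigned long *pixel)
{
    size_t off, i;
    if (zindex_checked(x, y, img, &off) != 0)
        return -1;
    size_t nbytes = ((size_t)img->bits_per_pixel + 7) / 8;
    if (nbytes > 4)
        return -1;
    const unsigned char *src = img->data + off;
    unsigned long v = 0;
    for (i = 0; i < nbytes; i++)
        v |= (unsigned long)src[i] << (8 * i);
    *pixel = v;
    return 0;
}

/* Constructed stand-in for broken.xwd: bytes_per_line and bits_per_pixel as
 * reported in the bug; width, height and the 64-byte buffer are invented. */
static unsigned char demo_data[64];

static void make_demo_image(MiniXImage *img)
{
    memset(demo_data, 0xab, sizeof demo_data);
    img->width = 22049;        /* assumed: 66148 / 3 bytes per pixel */
    img->height = 1839;        /* assumed: lets y = 1838 pass the height check */
    img->bytes_per_line = 66148;
    img->bits_per_pixel = 24;
    img->data = demo_data;
    img->data_len = sizeof demo_data;
}

/* Offset the unchecked formula yields for (0, 1838): the 121580024 from the bug. */
static long demo_unchecked_offset(void)
{
    MiniXImage img;
    make_demo_image(&img);
    return zindex_unchecked(0, 1838, &img);
}

/* 1 if the checked reader refuses (0, 1838) but still reads (1, 0) correctly. */
static int demo_checked_rejects(void)
{
    MiniXImage img;
    size_t off;
    unsigned long px = 0;
    make_demo_image(&img);
    int rejected = zindex_checked(0, 1838, &img, &off) == -1
                && get_pixel_checked(&img, 0, 1838, &px) == -1;
    int accepted = get_pixel_checked(&img, 1, 0, &px) == 0 && px == 0xababab;
    return rejected && accepted;
}

int main(void)
{
    printf("unchecked offset for (0,1838): %ld\n", demo_unchecked_offset());
    printf("checked reader rejects it: %s\n",
           demo_checked_rejects() ? "yes" : "no");
    return 0;
}
```

Note that the width/height test alone does not catch this case: the header-derived geometry can be internally consistent while the file simply carries fewer bytes than bytes_per_line * height, so the check that matters is the one against the allocated data length.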





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:58:13 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.