Bug 98877

Summary: Fix out of boundary read on unknown colors
Product: xorg
Reporter: Tobias Stoeckmann <tobias>
Component: Lib/Xpm
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Keywords: patch
Version: git
Hardware: Other
OS: All
Attachments:
My proposed patch (flags: none)
XPM file (flags: none)
Proof of Concept (flags: none)
Crash report (flags: none)

Description Tobias Stoeckmann 2016-11-27 17:58:06 UTC
Created attachment 128223
My proposed patch

libXpm is vulnerable to an out of boundary read if an XPM file contains
a color with a symbolic name but without any default color value.

A caller must set XpmColorSymbols and a color with a NULL name in
the supplied XpmAttributes to XpmReadFileToImage (or other functions of
this type) in order to trigger this issue.

I have attached a proof of concept code and XPM file. You will most likely have to compile the binary and libXpm with -fasan to actually see that something went wrong.
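A pre-flight check for the file-side condition described in the report above, as an added example (not part of the bug report and not libXpm code): it flags an XPM color line that carries a symbolic name (`s` key) but none of the default color keys (`m`, `g4`, `g`, `c`). The function names and the sample color lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* XPM color keys: "s" = symbolic name; "m", "g4", "g", "c" = default colors. */
static const char *const xpm_keys[] = { "s", "m", "g4", "g", "c" };
static int key_index(const char *tok, size_t len)
{
    for (int i = 0; i < 5; i++)
        if (strlen(xpm_keys[i]) == len && strncmp(xpm_keys[i], tok, len) == 0)
            return i;
    return -1;
}

/* Inspect one XPM color line (text between the quotes); cpp = chars per pixel.
 * Returns 1 for a symbolic name with no default color, 0 if fine, -1 if malformed. */
int symbolic_without_default(const char *line, size_t cpp)
{
    int cur = -1, last_was_key = 0, has_symbolic = 0, has_default = 0;
    if (strlen(line) < cpp)
        return -1;
    for (const char *p = line + cpp; *p; ) {   /* skip the pixel characters */
        p += strspn(p, " \t");
        size_t len = strcspn(p, " \t");
        if (len == 0)
            break;
        /* The word right after a key is always its value, even if key-like. */
        int k = last_was_key ? -1 : key_index(p, len);
        if (k >= 0)
            cur = k;
        else if (cur < 0)
            return -1;                         /* value before any key */
        else if (cur == 0)
            has_symbolic = 1;
        else
            has_default = 1;
        last_was_key = (k >= 0);
        p += len;
    }
    if (cur < 0 || last_was_key)
        return -1;                             /* no key, or key without value */
    return has_symbolic && !has_default;
}

int main(void) {
    /* Constructed sample color lines with cpp = 1; prints "1 0". */
    printf("%d %d\n", symbolic_without_default("a s background", 1),
           symbolic_without_default("b s border c #000000", 1));
    return 0;
}
```

A result of 1 only marks a file that meets the file-side condition; per the report, the caller must also pass XpmColorSymbols containing a color with a NULL name.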

Comment 1 Tobias Stoeckmann 2016-11-27 17:58:53 UTC
Created attachment 128224
XPM file

XPM file containing a symbolic color name but no default colors.

Comment 2 Tobias Stoeckmann 2016-11-27 17:59:51 UTC
Created attachment 128225
Proof of Concept

Code that triggers an out of boundary read with the attached XPM file.

Compile with "gcc -fasan -lX11 -lXpm -o poc poc.c"

Comment 3 Tobias Stoeckmann 2016-11-27 18:00:22 UTC
Created attachment 128226
Crash report

Output of Address Sanitizer
