Bug 98877 - Fix out of boundary read on unknown colors
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Lib/Xpm
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Keywords: patch
Reported: 2016-11-27 17:58 UTC by Tobias Stoeckmann
Modified: 2016-12-15 17:44 UTC

Attachments
My proposed patch (1.05 KB, patch)
2016-11-27 17:58 UTC, Tobias Stoeckmann
XPM file (69 bytes, image/x-xpixmap)
2016-11-27 17:58 UTC, Tobias Stoeckmann
Proof of Concept (632 bytes, text/x-c)
2016-11-27 17:59 UTC, Tobias Stoeckmann
Crash report (966 bytes, text/plain)
2016-11-27 18:00 UTC, Tobias Stoeckmann

Description Tobias Stoeckmann 2016-11-27 17:58:06 UTC
Created attachment 128223
My proposed patch

libXpm is vulnerable to an out of boundary read if an XPM file contains
a color with a symbolic name but without any default color value.

A caller must set XpmColorSymbols and a color with a NULL name in
the supplied XpmAttributes to XpmReadFileToImage (or other functions of
this type) in order to trigger this issue.

I have attached a proof of concept code and XPM file. You will most likely have to compile the binary and libXpm with -fasan to actually see that something went wrong.
Comment 1 Tobias Stoeckmann 2016-11-27 17:58:53 UTC
Created attachment 128224
XPM file

XPM file containing a symbolic color name but no default colors.
Comment 2 Tobias Stoeckmann 2016-11-27 17:59:51 UTC
Created attachment 128225
Proof of Concept

Code that triggers an out of boundary read with the attached XPM file.

Compile with "gcc -fasan -lX11 -lXpm -o poc poc.c"
Comment 3 Tobias Stoeckmann 2016-11-27 18:00:22 UTC
Created attachment 128226
Crash report

Output of Address Sanitizer
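
A pre-load check for the file condition described in this report, as an added example that is not part of the bug report or of libXpm's code: it classifies one XPM color line and flags entries that carry a symbolic name (`s`) but no default value (`m`, `g4`, `g`, `c`). The function name, return codes and sample lines are constructed for illustration, and the tokenizer is a simplified model of the XPM color-line grammar.

```c
#include <stdio.h>
#include <string.h>
enum { XPM_OK = 0, XPM_SYMBOLIC_ONLY = 1, XPM_MALFORMED = -1 };  /* constructed codes */

/* XPM color keys: "s" is the symbolic name; m, g4, g, c carry default values. */
static int is_key(const char *w, size_t n, int *symbolic)
{
    static const char *keys[] = { "s", "m", "g4", "g", "c" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strlen(keys[i]) == n && strncmp(keys[i], w, n) == 0) {
            *symbolic = (i == 0); return 1;
        }
    return 0;
}

/* Classify one color line (the text inside the quotes); cpp = chars per pixel. */
int xpm_check_color_line(const char *line, size_t cpp)
{
    int has_symbolic = 0, has_default = 0;
    int have_key = 0, expect_value = 0, cur_symbolic = 0;
    if (strlen(line) < cpp) return XPM_MALFORMED;
    const char *p = line + cpp;            /* skip the pixel characters */
    for (;;) {
        p += strspn(p, " \t");
        size_t n = strcspn(p, " \t");
        int sym = 0;
        if (n == 0) break;
        if (!expect_value && is_key(p, n, &sym)) {
            cur_symbolic = sym;
            have_key = expect_value = 1;   /* next word is a value even if it looks like a key */
        } else if (!have_key) {
            return XPM_MALFORMED;          /* value before any key */
        } else {
            if (cur_symbolic) has_symbolic = 1; else has_default = 1;
            expect_value = 0;
        }
        p += n;
    }
    if (!have_key || expect_value)
        return XPM_MALFORMED;              /* no keys, or a key with no value */
    return (has_symbolic && !has_default) ? XPM_SYMBOLIC_ONLY : XPM_OK;
}

int main(void)
{
    const char *s[] = { "a c #ff0000", "b s background", "c s border c black" };  /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\" -> %d\n", s[i], xpm_check_color_line(s[i], 1));
    return 0;
}
```

A result of `XPM_SYMBOLIC_ONLY` marks a color entry of the kind the report describes, so such files can be rejected or logged before they reach an unpatched libXpm.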

