OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
SDL_Image 1.2.6 and prior GIF handling buffer overflow

From: Gynvael Coldwind (gynvaelvexillium.org)
Date: Wed Jan 23 2008 - 02:20:30 CST


* Name : SDL_Image 1.2.6 and prior GIF handling buffer overflow
* Type : (Remote) DoS / Code Execution (?)
* Impact : Low / Medium (?)
* Credits : Gynvael Coldwind / Team Vexillium
* Discovered: 2007-12-17
* Published : 2008-01-23

* Brief

SDL_Image is an open source library providing image file handling
functionality.
GIF format handling routines suffers from lack of proper buffer
size validating, which makes it vulnerable to a buffer overflow
attack. An attacker could DoS an application using SDL_Image,
or execute arbitrary code (this has not been confirmed, and
is believed to be nontrivial).
Since this is a library, in some cases the attack could be remote.

* Verbose

The problem takes place when a GIF file has invalid LWZ Minimum Code
Size in the Table Based Image Data header. The standard allows the
codes to have maximum size of 12 bits, but this is not checked in
SDL_image.
An attacker could use this for a local or remote buffer overflow
attack that may have denial of service or arbitrary code execution
effect.

SDL_image file IMG_gif.c, function ReadImage:

...
    unsigned char c;
...
    if (LWZReadByte(src, TRUE, c) < 0) {
    RWSetMsg("error reading image");
    return NULL;
    }
    /*
    ** If this is an "uninteresting picture" ignore it.
     */
    if (ignore) {
    while (LWZReadByte(src, FALSE, c) >= 0)
        ;
    return NULL;
    }
...

Please note that 'c' value is passed to LZWReadByte without checking
if it is OK with the standard.

Then in function LWZReadByte:

LWZReadByte(SDL_RWops *src, int flag, int input_code_size)
...
    static int table[2][(1 << MAX_LWZ_BITS)];
...
    set_code_size = input_code_size;
...
    clear_code = 1 << set_code_size;
...
    for (i = 0; i < clear_code; ++i) {
        table[0][i] = 0;
        table[1][i] = i;
    }
...

This is the first place that is affected by this issue.

* Proof of concept

DoS proof of concept GIF file:
http://vexillium.org/dl.php?sdlgifdos

* Versions affected and vendor status

Version 1.2.6 and prior are affected.
Vendor was informed and has fixed this issue in 1.2.7.

* Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

--
gynvael.coldwind//vx
http://vexillium.org
http://hispasec.com