[UNIX] ImLib _LoadBMP Endless Loop (BPP, biBitCount)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

ImLib _LoadBMP Endless Loop (BPP, biBitCount)
------------------------------------------------------------------------

SUMMARY

Imlib is "an advanced replacement library for libraries like libXpm that
provides many more features with much greater flexibility and speed. It
was originally written for E, now used by the GNOME Project". ImLib's
_LoadBMP function contains a security vulnerability that allows attackers
to cause the function to enter into an endless loop by providing the
function with a malformed BMP file.

DETAILS

Vulnerable Systems:
* imlib version 1.9.15 and prior

The _LoadBMP function reads from the BMP file the value of BPP (Bits Per
Page) and uses that value to know how many bits need to be read at each
step of its main file processing loop. The value of 0x0000 (zero) which is
invalid, is not properly detected as the line responsible:
if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp !=
32)
{
fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
return NULL;
}

Incorrectly references && bpp && where it shouldn't have probably
referenced it at all to prevent the value of 0x0000 from passing.

Since the bpp value of 0x0000 is used, the loop:
for (line = (*h - 1); line >= 0; line--)
{
linepos = 0;
for (column = 0; column < *w;)
{

Will never advanced as no case inside the loop matches the bpp value of
0x0000.

Workaround:
Remove the && bpp && from the if statement found at line 648.

Vendor status:
We have tried to contact the security person responsible for the package
in Debian, but they haven't addressed it. We have sent an email to the
author of imlib on 2007-07-03 but the product appears to be no longer
maintained by the author as the last release was released on 2004-09-24.

Recreate:
You can recreate the issue by using beSTORM's BMP file fuzzer available
from: <http://www.beyondsecurity.com/bestorm_overview.html>

http://www.beyondsecurity.com/bestorm_overview.html

ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at:
<http://www.beyondsecurity.com/bestorm_overview.html>

http://www.beyondsecurity.com/bestorm_overview.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.