‘ImLib _LoadBMP Endless Loop (BPP, biBitCount)’

Summary

‘Imlib is ‘an advanced replacement library for libraries like libXpm that provides many more features with much greater flexibility and speed. It was originally written for E, now used by the GNOME Project’. ImLib’s _LoadBMP function contains a security vulnerability that allows attackers to cause the function to enter into an endless loop by providing the function with a malformed BMP file.’

Credit:

‘The information has been provided by beSTORM.
The original article can be found at: http://www.beyondsecurity.com/bestorm_overview.html


Details

Vulnerable Systems:
 * imlib version 1.9.15 and prior

The _LoadBMP function reads from the BMP file the value of BPP (Bits Per Page) and uses that value to know how many bits need to be read at each step of its main file processing loop. The value of 0x0000 (zero) which is invalid, is not properly detected as the line responsible:
if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
{
fprintf(stderr, ‘IMLIB ERROR: unknown bitdepth in filen’);
return NULL;
}

Incorrectly references && bpp && where it shouldn’t have probably referenced it at all to prevent the value of 0x0000 from passing.

Since the bpp value of 0x0000 is used, the loop:
  for (line = (*h – 1); line >= 0; line–)
    {
      linepos = 0;
      for (column = 0; column < *w;)
    {

Will never advanced as no case inside the loop matches the bpp value of 0x0000.

Workaround:
Remove the && bpp && from the if statement found at line 648.

Vendor status:
We have tried to contact the security person responsible for the package in Debian, but they haven’t addressed it. We have sent an email to the author of imlib on 2007-07-03 but the product appears to be no longer maintained by the author as the last release was released on 2004-09-24.

Recreate:
You can recreate the issue by using beSTORM’s BMP file fuzzer available from: http://www.beyondsecurity.com/bestorm_overview.html

Categories: UNIX