CVE-2022-30067: GIMP 2.10.30 crashed when allocate large memory (#8120) · Issues · GNOME / GIMP
GIMP 2.10.30 and 2.99.10 are vulnerable to a buffer overflow. Through a crafted XCF file, the program can be made to allocate a huge amount of memory, resulting in memory exhaustion or a program crash.
Environment/Versions
- GIMP version: 2.10.30 and 2.99.10
- Packages: https://download.gimp.org/pub/gimp/v2.10/gimp-2.10.30.tar.bz2 and https://download.gimp.org/pub/gimp/v2.99/gimp-2.99.10.tar.bz2
- Operating System: Ubuntu 21.10
Description of the bug
Through a crafted XCF file, the program can be made to allocate a huge amount of memory, resulting in memory exhaustion or a program crash. The ASAN report:
==286446==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xab9e16000 bytes
#0 0x7f0dfc859a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f0dfbbd45b0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e5b0)
#2 0x562b862c20a7 in xcf_load_old_paths /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:2724
#3 0x562b862b8ca6 in xcf_load_image_props /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:1055
#4 0x562b862b4586 in xcf_load_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf-load.c:253
#5 0x562b862b267e in xcf_load_stream /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:315
#6 0x562b862b3630 in xcf_load_invoker /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/xcf/xcf.c:445
#7 0x562b863c33ac in gimp_procedure_real_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:213
#8 0x562b863eda5d in gimp_plug_in_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/plug-in/gimppluginprocedure.c:417
#9 0x562b863c50d0 in gimp_procedure_execute /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimpprocedure.c:431
#10 0x562b863b6325 in gimp_pdb_execute_procedure_by_name_args /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:322
#11 0x562b863b77d0 in gimp_pdb_execute_procedure_by_name /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/pdb/gimppdb.c:451
#12 0x562b866a9998 in file_open_image /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:217
#13 0x562b866ab9db in file_open_with_proc_and_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:522
#14 0x562b866ab2f2 in file_open_with_display /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:492
#15 0x562b866acc28 in file_open_from_command_line /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/file/file-open.c:706
#16 0x562b862aa21a in app_run /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/app.c:417
#17 0x562b862b0bc1 in main /home/leung/fuzzing_gimp/test/gimp-2.10.30/app/main.c:656
#18 0x7f0dfb7d7fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
==286446==HINT: if you don’t care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 in __interceptor_calloc
==286446==ABORTING
The reason: num_points is read straight from the file and used as an allocation count without any size check.
//gimp-2.10.30/app/xcf/xcf-load.c:2755
xcf_read_int32 (info, &num_points, 1);   /* attacker-controlled 32-bit count from the XCF stream */
....
//gimp-2.10.30/app/xcf/xcf-load.c:2780
if (num_points == 0)                      /* only zero is rejected; a huge count passes through */
  {
    g_free (name);
    return FALSE;
  }
points = g_new0 (GimpVectorsCompatPoint, num_points);   /* allocation sized by the unchecked count */
Thread 1 "gimp-console-2." hit Breakpoint 1, xcf_load_old_path (image=0x555555a16860, info=0x7fffffffda90) at xcf-load.c:2787
2787      points = g_new0 (GimpVectorsCompatPoint, num_points);
(gdb) p/x num_points
$1 = 0x72696400
(gdb) n
(gimp-console-2.10:287033): GLib-ERROR **: 19:00:44.570: ../../../glib/gmem.c:142: failed to allocate 46068228096 bytes
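To make the fix concrete, here is an added example (not GIMP's code) that models the xcf_load_old_paths pattern on a byte buffer: the count is still rejected when zero, but it is also bounded by the bytes remaining in the input and by a hard ceiling, so a count like the 0x72696400 above is refused before any allocation. The 12-byte on-disk point record, the MAX_POINTS ceiling and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example (not GIMP's code) of the xcf_load_old_paths pattern: a 32-bit
 * count read from the file sizes an allocation. The original only rejected
 * num_points == 0; here the count is also bounded by the bytes that remain,
 * so a hostile count can never turn into a multi-gigabyte g_new0/calloc. */
#define POINT_SIZE 12u       /* assumed on-disk record: type, x, y, 4 bytes each */
#define MAX_POINTS 1000000u  /* assumed hard ceiling for one path */

typedef struct { uint32_t type, x, y; } compat_point;

/* XCF integers are big-endian; fail instead of reading past the buffer. */
static int read_be32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
  if (len - *pos < 4) return 0;
  *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
         ((uint32_t)buf[*pos + 2] << 8) | buf[*pos + 3];
  *pos += 4;
  return 1;
}

/* Returns the number of points parsed, or -1 when the count is rejected.
 * On success *points is a calloc'd array the caller must free. */
long load_old_path_points(const uint8_t *buf, size_t len, compat_point **points) {
  size_t pos = 0;
  uint32_t n;
  *points = NULL;
  if (!read_be32(buf, len, &pos, &n) || n == 0) return -1;  /* the original check */
  /* Added checks: the count must fit the remaining bytes and a sane ceiling. */
  if (n > MAX_POINTS || (size_t)n > (len - pos) / POINT_SIZE) return -1;
  *points = calloc(n, sizeof **points);
  if (!*points) return -1;
  for (uint32_t i = 0; i < n; i++) {
    read_be32(buf, len, &pos, &(*points)[i].type);
    read_be32(buf, len, &pos, &(*points)[i].x);
    read_be32(buf, len, &pos, &(*points)[i].y);
  }
  return (long)n;
}

/* Parse and discard; convenient for checking only the accepted count. */
long count_points(const uint8_t *buf, size_t len) {
  compat_point *pts;
  long n = load_old_path_points(buf, len, &pts);
  free(pts);
  return n;
}

/* Constructed sample: a well-formed two-point path (count 2, then 24 bytes). */
const uint8_t VALID_XCF[] = { 0,0,0,2, 0,0,0,1, 0,0,0,10, 0,0,0,20,
                              0,0,0,1, 0,0,0,30, 0,0,0,40 };
/* Constructed sample: the count 0x72696400 from the report's gdb session with
 * only 8 bytes behind it; unbounded, this count drove the 46 GB request above. */
const uint8_t HOSTILE_XCF[] = { 0x72,0x69,0x64,0x00, 0,0,0,1, 0,0,0,2 };
```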
Reproduction
Is the bug reproducible? Always
Reproduction steps:
- Download the crafted XCF file: https://github.com/leung-yao/poc/raw/main/poc%20for%20gimp
- Compile GIMP 2.10.30 with the console enabled; my build command:
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$HOME/fuzzing_gimp/gegl-0.4.36/ ./configure --disable-gtktest --disable-glibtest --disable-alsatest --disable-nls --without-libtiff --without-libjpeg --without-bzip2 --without-gs --without-libpng --without-libmng --without-libexif --without-aa --without-libxpm --without-webkit --without-librsvg --without-print --without-poppler --without-cairo-pdf --without-gvfs --without-libcurl --without-wmf --without-libjasper --without-alsa --without-gudev --disable-python --enable-gimp-console --without-mac-twain --without-script-fu --without-gudev --without-dbus --disable-mp --without-linux-input --without-xvfb-run --with-gif-compression=none --without-xmc --with-shm=none --enable-debug --prefix="$HOME/fuzzing_gimp/gimp-2.10.30/install"
make
make install
- Open the file with the GIMP console:
./gimp-console-2.10 -d -f [poc file]
Expected result: normal
Actual result: crash
Additional information
GIMP 2.99.10 also crashes on this XCF file.
Related news
Ubuntu Security Notice 6521-1 - It was discovered that GIMP incorrectly handled certain image files. If a user were tricked into opening a specially crafted image, an attacker could use this issue to cause GIMP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2022-7978-01 - The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Issues addressed include buffer overflow and denial of service vulnerabilities.
An update for gimp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-30067: gimp: buffer overflow through a crafted XCF file
- CVE-2022-32990: gimp: unhandled exception via a crafted XCF file may lead to DoS