Closed Bug 277815 Opened 20 years ago Closed 20 years ago

oversized XBM image vulnerability

Categories

(Core :: Graphics: ImageLib, defect)

Other Branch
x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: francis.uy, Assigned: pavlov)

Details

(Keywords: crash)

I tested Firefox 1.0 on Windows and Mac, no problem occurred. I did not test 1.6
as reported by Luca, therefore unconfirmed.

From http://www.securityfocus.com/archive/1/386380/2005-01-07/2005-01-13/0

Mail clients and Web browsers allow the usage of XBM graphic files, and a security
flaw in the way software handles those images allows a malicious user to
perform a denial-of-service attack. The X BitMap data is stored as ASCII data,
and files begin with '#define' statements in substitution of a header.

On opening a file, Mozilla reads the width and height values from the '#define' statements and
tries to allocate enough memory to display the image. Defining high values for the width
and height parameters would cause the application to crash.

This vulnerability can be exploited by sending an e-mail containing a specially
crafted image, or tricking a user on a malicious website.

A proof of concept is available at this address:
http://www.geocities.com/xbm_bug/index.html

Note that Firefox 1.0 is a lot newer than 1.6.... Is this an issue in a current
trunk build?

Looks like this is fixed on the latest 1.4 branch.

This is no more a risk than any image with large dimensions except that it is
slightly easier to craft since you can use a plain text editor instead of a hex
editor. In any case, if the memory cannot be allocated, it won't be and there
is no crash -> WFM.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
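
The behaviour discussed in this bug, reading width and height from the '#define' lines and then allocating, is sketched below as an added example; it is not Mozilla's decoder code and not part of the original report. The function names, the `XBM_MAX_DIM` cap and the two sample headers are assumptions made for illustration, and the size computed is only the raw 1-bit-per-pixel bitmap.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define XBM_MAX_DIM 16384UL /* assumed policy cap for this example */
/* Constructed sample headers, not the advisory's proof of concept. */
static const char XBM_OK[] = "#define img_width 16\n#define img_height 8\n";
static const char XBM_HUGE[] = "#define img_width 999999999\n#define img_height 999999999\n";
static int ends_with(const char *s, const char *suf) {
    size_t n = strlen(s), m = strlen(suf);
    return n >= m && strcmp(s + n - m, suf) == 0;
}
/* Read <name>_width and <name>_height from the '#define' lines; 0 on success. */
int xbm_parse_dims(const char *text, unsigned long *w, unsigned long *h) {
    int seen = 0;
    for (const char *p = text; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        char name[64], num[32], *end;
        if (sscanf(p, "#define %63s %31s", name, num) != 2) continue;
        unsigned long *dst = ends_with(name, "_width") ? w : ends_with(name, "_height") ? h : NULL;
        if (!dst) continue; /* other defines, e.g. hotspot values, are ignored */
        errno = 0;
        *dst = strtoul(num, &end, 10);
        if (num[0] < '0' || num[0] > '9' || *end || errno) return -1;
        seen |= (dst == w) ? 1 : 2;
    }
    return seen == 3 ? 0 : -1;
}
/* Bytes for the 1-bit-per-pixel bitmap, rows padded to whole bytes; 0 on success. */
int xbm_buffer_size(unsigned long w, unsigned long h, size_t *out) {
    if (w == 0 || h == 0 || w > XBM_MAX_DIM || h > XBM_MAX_DIM) return -1;
    size_t row = (size_t)((w + 7) / 8);
    if (row > SIZE_MAX / h) return -1; /* overflow guard, independent of the cap */
    *out = row * (size_t)h;
    return 0;
}
/* NULL means the dimensions were refused or the allocator itself failed. */
unsigned char *xbm_alloc(const char *text, size_t *size) {
    unsigned long w = 0, h = 0;
    if (xbm_parse_dims(text, &w, &h) || xbm_buffer_size(w, h, size)) return NULL;
    return calloc(1, *size);
}
int main(void) {
    size_t n = 0;
    unsigned char *ok = xbm_alloc(XBM_OK, &n), *huge = xbm_alloc(XBM_HUGE, &n);
    printf("ok: %s, huge: %s\n", ok ? "allocated" : "refused", huge ? "allocated" : "refused");
    free(ok); free(huge);
    return 0;
}
```

A caller treats a NULL return as a decode failure for that image only, which is the "if the memory cannot be allocated, it won't be" outcome described in the closing comment.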