CVE-2019-5059
An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating too small of a buffer. This buffer can then be written out of bounds resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
SDL_image 2.0.4
https://www.libsdl.org/projects/SDL_image/
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-190: Integer Overflow or Wraparound
LibSDL is a multi-platform library for easy access to low-level hardware and graphics, providing support for a large number of video games, software and emulators. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single, uniform API for image processing, regardless of the type.
XPM is a line-based image format. The first line contains the width, height, number of colors, and number of characters per pixel to be parsed [0].
SDL_image/IMG_xpm.c:1015
/*
* The header string of an XPMv3 image has the format
*
* <width> <height> <ncolors> <cpp> [ <hotspot_x> <hotspot_y> ]
*
* where the hotspot coords are intended for mouse cursors.
* Right now we don't use the hotspots but it should be handled
* one day.
*/
if (SDL_sscanf(line, "%d %d %d %d", &w, &h, &ncolors, &cpp) != 4 // [0]
|| w <= 0 || h <= 0 || ncolors <= 0 || cpp <= 0) {
error = "Invalid format description";
goto done;
}
In preparation for parsing, a buffer is allocated for the pixels by multiplying the read number of colors by the characters per pixel [1].
SDL_image/IMG_xpm.c:1033
keystrings = (char *)SDL_malloc(ncolors * cpp); // [1]
if (!keystrings) {
error = "Out of memory";
goto done;
}
nextkey = keystrings;
The next line in the XPM format describes each color. The most basic format for each of these lines is to have a character with a given color. For instance, the following line shows that any following āzā will be colored black and will produce a line of colors that has three black pixels, three white pixels and then three more black pixels.
z c #000000
. c #ffffff
zzz...zzz
When parsing these lines [2], the color code is copied into the keystrings/nextkey buffer allocated previously [3]. The amount of data copied is controlled via the cpp value read from the previous line assuming the first characters of the color code is valid [4].
SDL_image/IMG_xpm.c:1070
line = get_next_line(xpmlines, src, 0); // [2]
if (!line)
goto done;
p = line + cpp + 1;
/* parse a colour definition */
for (;;) {
char nametype;
char *colname;
Uint32 rgb, pixel;
SKIPSPACE(p);
if (!*p) {
printf("Color parse error\n");
error = "colour parse error";
goto done;
}
nametype = *p;
SKIPNONSPACE(p);
SKIPSPACE(p);
colname = p;
SKIPNONSPACE(p);
if (nametype == 's') {
printf("skipping nametype == s\n");
continue; /* skip symbolic colour names */
}
if (!color_to_rgb(colname, (int)(p - colname), &rgb)) { // [4]
printf("color to rgb failed\n");
continue;
}
SDL_memcpy(nextkey, line, cpp); // [3]
By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
=================================================================
==21578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x7fa51007e904 bp 0x7ffe5004dbd0 sp 0x7ffe5004d378
WRITE of size 4100 at 0x60200000eff4 thread T0
#0 0x7fa51007e903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x4ba104 in load_xpm ../IMG_xpm.c:1123
#2 0x40653c in IMG_LoadTyped_RW ../IMG.c:195
#3 0x404d70 in main ../showimage.c:56
#4 0x7fa50f51e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x405388 in _start (/root/vmshare/targets/sdl/SDL_image/build-afl-asan/showimage+0x405388)
0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
#0 0x7fa51008a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4f6ebc in SDL_malloc_REAL /root/vmshare/targets/sdl/SDL/src/stdlib/SDL_malloc.c:5390
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21578==ABORTING
2019-05-30 - Vendor Disclosure
2019-07-03 - Vendor Patched
2019-07-29 - Public Release
Discovered by Cory Duplantis of Cisco Talos.