imlib _LoadBMP() Function Endless Loop Lets Remote Users Deny Service
SecurityTracker Alert ID: 1018332|
SecurityTracker URL: http://securitytracker.com/id/1018332
(Links to External Site)
Updated: May 6 2008|
Original Entry Date: Jul 3 2007
Denial of service via network|
Exploit Included: Yes |
Version(s): 1.9.15 and prior versions|
A vulnerability was reported in imlib. A remote user can cause denial of service conditions.|
A remote user can create a specially crafted BMP file that, when loaded by the target user, will cause the _LoadBMP() to enter an endless loop.
This vulnerability was discovered using Beyond Security's beSTORM BMP file fuzzer, available at:
A remote user can create a file that, when loaded by the target user, will cause denial of service conditions.|
No solution was available at the time of this entry.|
|Underlying OS: Linux (Any), UNIX (Any)|
Source Message Contents
Subject: [UNIX] ImLib _LoadBMP Endless Loop (BPP, biBitCount)|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
ImLib _LoadBMP Endless Loop (BPP, biBitCount)
Imlib is "an advanced replacement library for libraries like libXpm that
provides many more features with much greater flexibility and speed. It
was originally written for E, now used by the GNOME Project". ImLib's
_LoadBMP function contains a security vulnerability that allows attackers
to cause the function to enter into an endless loop by providing the
function with a malformed BMP file.
* imlib version 1.9.15 and prior
The _LoadBMP function reads from the BMP file the value of BPP (Bits Per
Page) and uses that value to know how many bits need to be read at each
step of its main file processing loop. The value of 0x0000 (zero) which is
invalid, is not properly detected as the line responsible:
if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp !=
fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
Incorrectly references && bpp && where it shouldn't have probably
referenced it at all to prevent the value of 0x0000 from passing.
Since the bpp value of 0x0000 is used, the loop:
for (line = (*h - 1); line >= 0; line--)
linepos = 0;
for (column = 0; column < *w;)
Will never advanced as no case inside the loop matches the bpp value of
Remove the && bpp && from the if statement found at line 648.
We have tried to contact the security person responsible for the package
in Debian, but they haven't addressed it. We have sent an email to the
author of imlib on 2007-07-03 but the product appears to be no longer
maintained by the author as the last release was released on 2004-09-24.
You can recreate the issue by using beSTORM's BMP file fuzzer available
The information has been provided by beSTORM.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages.