Bugzilla – Bug 973761
VUL-1: CVE-2016-3993: imlib2: off by 1 Potential DOS
Last modified: 2022-07-25 13:20:27 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818

From Debian Report:

1) I re-compiled imlib2 package with debug information,
2) compiled and installed tests (data, src/bin),
3) ran `valgrind imlib2_test`,
4) moved mouse to right lower corner of window;

==16086== Invalid read of size 1
==16086==    at 0x4E79C4E: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)
==16086==  Address 0x9d20360 is 0 bytes after a block of size 1,200 alloc'd
==16086==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==16086==    by 0x4E798E3: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)

In gdb, it points to src/lib/updates.c:

                  for (xx = x + 1, ww = 1;
>                      (T(xx, y).used & T_USED) && (xx < tw); xx++,
                  for (yy = y + 1, hh = 1, ok = 1;

xx is 20 and tw is 20, so T(xx, y) addresses one byte out of buffer. Pretty obvious, off-by-one error due to swapped condition order. In unlucky case, this can result in application crash.

Security implications: very minor, DoS at most, only for application drawing images using coordinates from untrusted source ("drawing images from untrusted sources" by itself is safe).
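Added example (not code from the bug report or from imlib2): a small C model of the tile scan quoted above, with the reporter's condition order beside the reordered one. The grid, the `struct tile`, the `tile_used()` accessor and the `demo()` driver are constructed here; the accessor replaces imlib2's direct `T(xx, y)` array index with a bounds check that counts out-of-range reads rather than performing them, so the off-by-one shows up deterministically instead of as an occasional crash. The 20x15 grid is an assumption chosen to match the report (xx == tw == 20, and a 1,200-byte block is 300 four-byte tiles).

```c
#include <stdio.h>
#include <stdlib.h>

#define T_USED 1

struct tile {
   int used;
};

struct result {
   int width;                   /* tiles counted to the right of (x, y) */
   int oob;                     /* tile reads outside the tw*th grid */
};

/* Instrumented stand-in for imlib2's T(xx, y) macro (constructed for this
 * example): in-range coordinates return the used flag, anything outside
 * the tw*th grid is counted instead of dereferenced. */
static int
tile_used(const struct tile *t, int tw, int th, int x, int y, int *oob)
{
   if (x < 0 || x >= tw || y < 0 || y >= th)
     {
        (*oob)++;
        return 0;
     }
   return t[(y * tw) + x].used & T_USED;
}

/* Scan to the right of (x, y) with the condition order from the report:
 * the tile is read BEFORE the bounds test, so on a fully used row the
 * loop reads T(tw, y), one tile past the end of that row (and, on the
 * last row, one tile past the end of the allocation). */
static int
run_width_vuln(const struct tile *t, int tw, int th, int x, int y, int *oob)
{
   int xx, ww;

   for (xx = x + 1, ww = 1;
        tile_used(t, tw, th, xx, y, oob) && (xx < tw); xx++, ww++)
     ;
   return ww;
}

/* Same scan with the bounds test first: && short-circuits, so the tile
 * at xx == tw is never touched. */
static int
run_width_fixed(const struct tile *t, int tw, int th, int x, int y, int *oob)
{
   int xx, ww;

   for (xx = x + 1, ww = 1;
        (xx < tw) && tile_used(t, tw, th, xx, y, oob); xx++, ww++)
     ;
   return ww;
}

/* Build a tw*th grid whose bottom row has its first `used` tiles marked
 * (used == tw is the "mouse in the lower-right corner" case from the
 * report) and run one scan variant from the row's first tile. */
static struct result
demo(int tw, int th, int used, int fixed)
{
   struct tile *t = calloc((size_t)tw * th, sizeof(*t));
   struct result r = { 0, 0 };
   int x;

   if (!t)
     return r;
   for (x = 0; x < used && x < tw; x++)
     t[((th - 1) * tw) + x].used = T_USED;
   r.width = fixed ? run_width_fixed(t, tw, th, 0, th - 1, &r.oob)
                   : run_width_vuln(t, tw, th, 0, th - 1, &r.oob);
   free(t);
   return r;
}

int
main(void)
{
   struct result v = demo(20, 15, 20, 0);
   struct result f = demo(20, 15, 20, 1);

   printf("report order: width %d, %d out-of-bounds tile read(s)\n", v.width, v.oob);
   printf("bounds first: width %d, %d out-of-bounds tile read(s)\n", f.width, f.oob);
   return 0;
}
```

Both orders compute the same width; the only difference is whether index tw is read on the way to stopping. Rows that are not fully used stop at an unused tile before reaching tw, which is why the read only shows up when the update region touches the grid's right edge.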
bugbot adjusting priority
Upstream Commit: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
CVE-2016-3993
openSUSE-SU-2016:1330-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963796,963797,963800,973759,973761,974202,974854,975703
CVE References: CVE-2011-5326,CVE-2014-9762,CVE-2014-9763,CVE-2014-9764,CVE-2014-9771,CVE-2016-3993,CVE-2016-3994,CVE-2016-4024
Sources used:
openSUSE 13.2 (src):    imlib2-1.4.9-17.4.1
SUSE-SU-2016:1481-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 963797,963800,973759,973761,974202,977538
CVE References: CVE-2011-5326,CVE-2014-9763,CVE-2014-9764,CVE-2016-3993,CVE-2016-3994
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    imlib2-1.4.2-2.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    imlib2-1.4.2-2.20.1
released