> Francois Labreque <fla### [at] videotron ca> wrote:
>> Ex: One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
>
Sorry, it was MAX_SIGNED_INT +1.
Of course, the file formats are usually strict enough, but they can't
prevent all problems.
http://technet.microsoft.com/en-us/security/bulletin/ms04-028
http://technet.microsoft.com/en-us/security/bulletin/ms08-052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0597
In the case of the BMP flaw, the leaked Windows 2000 source code showed
that the DLL was using a signed int to read an offset value that was
unsigned in the file format, so by crafting a special BMP file you would
have the DLL jump to a negative offset, and outside of the actual data
structure it was supposed to read. Now since GDI.DLL runs in ring 0 for
performance reasons, the fault was not caught and the program would
continue reading garbage, which in turn would cause a buffer overflow
and arbitrary code execution. Photoshop CS2 and CS3 were vulnerable to
this one, on top of all the MS applications that use GDI.DLL, so it
wasn't only shoddy programming on Microsoft's part.
I don't have the specifics on the JPG or PNG ones, but from the MITRE
description, the JPG also used an improper cast in the DLL to achieve
its result. For the PNG vulnerability, it was a problem with libpng not
handling a variable field length properly.
I'm sure you know that there are many, many ways a programmer can screw up.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
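As an added illustration of the signed/unsigned mix-up described in the post above (this is example code, not part of the original thread or of any Microsoft or libpng source), here is the offset check written both ways over a constructed 64-byte BMP buffer. It assumes only the public BMP layout: a 14-byte file header whose bfOffBits field sits at byte 10, followed by a 40-byte info header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Read a 32-bit little-endian field; keeps the value unsigned as the format defines it. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed input: a zeroed 64-byte buffer holding a minimal BMP file header
 * (14 bytes) plus a BITMAPINFOHEADER (40 bytes), with bfOffBits chosen by the caller. */
void make_bmp(uint8_t buf[64], uint32_t off_bits) {
    memset(buf, 0, 64);
    buf[0] = 'B'; buf[1] = 'M';
    buf[2] = 64;                         /* bfSize = 64 (fits in the low byte) */
    buf[10] = (uint8_t)off_bits;         /* bfOffBits, little-endian */
    buf[11] = (uint8_t)(off_bits >> 8);
    buf[12] = (uint8_t)(off_bits >> 16);
    buf[13] = (uint8_t)(off_bits >> 24);
    buf[14] = 40;                        /* biSize */
}

/* The pattern the post describes: the unsigned offset is stored in a signed int,
 * so 0x80000000 (MAX_SIGNED_INT + 1) reads as a negative number and slips past a
 * "smaller than the file" check. Returns 1 when the check accepts the offset. */
int naive_offset_accepted(const uint8_t *buf, size_t len) {
    int off = (int)le32(buf + 10);       /* negative for any value >= 0x80000000 */
    return off < (int)len;
}

/* Hardened version: unsigned arithmetic throughout, lower and upper bounds both
 * checked against the buffer actually in memory. Returns 1 and sets *out on success. */
int safe_pixel_offset(const uint8_t *buf, size_t len, size_t *out) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t off = le32(buf + 10);
    if (off < 54 || off >= len) return 0;   /* no negative trap: 0x80000000 fails here */
    *out = off;
    return 1;
}

/* Convenience wrappers: build the constructed buffer and run each check on it. */
int naive_accepts(uint32_t off_bits) {
    uint8_t b[64]; make_bmp(b, off_bits);
    return naive_offset_accepted(b, sizeof b);
}
int safe_accepts(uint32_t off_bits) {
    uint8_t b[64]; size_t off = 0; make_bmp(b, off_bits);
    return safe_pixel_offset(b, sizeof b, &off);
}
```

The naive check waves through 0x80000000 and 0xFFFFFFFF because both turn negative after the cast, while the unsigned check rejects them and accepts only offsets that lie inside the buffer.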