xorl %eax, %eax

CVE-2009-0163: CUPS Remote Integer Overflow


CUPS is the most widely used open source printing system. On 3 December 2008, iDefense disclosed this integer overflow vulnerability in CUPS; the final patch was released on 16 April 2009. Releases prior to 1.3.10 might be vulnerable to this bug. The following code is from the 1.3.9 release of CUPS, and the function can be found in filter/image-tiff.c:

34 /*
35  * '_cupsImageReadTIFF()' - Read a TIFF image file.
36  */
37
38 int                                     /* O - Read status */
39 _cupsImageReadTIFF(
40     cups_image_t    *img,               /* IO - cupsImage */
41     FILE            *fp,                /* I - cupsImage file */
42     cups_icspace_t  primary,            /* I - Primary choice for colorspace */
43     cups_icspace_t  secondary,          /* I - Secondary choice for colorspace */
44     int             saturation,         /* I - Color saturation (%) */
45     int             hue,                /* I - Color hue (degrees) */
46     const cups_ib_t *lut)               /* I - Lookup table for gamma/brightness */
47 {
48   TIFF          *tif;                   /* TIFF file */
49   uint32        width, height;          /* Size of image */
50   uint16        photometric,            /* Colorspace */
51                 compression,            /* Type of compression */
52                 orientation,            /* Orientation */
53                 resunit,                /* Units for resolution */
54                 samples,                /* Number of samples/pixel */
    ...
87   * Open the TIFF file and get the required parameters...
    ...
189  /*
190   * Check the size of the image...
191   */
192
193   if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH ||
194       height == 0 || height > CUPS_IMAGE_MAX_HEIGHT ||
195       (bits != 1 && bits != 2 && bits != 4 && bits != 8) ||
196       samples < 1 || samples > 4)
    ...
206  /*
207   * Setup the image size and colorspace...
208   */
209
210   img->xsize = width;
211   img->ysize = height;
    ...
322     in  = malloc(img->ysize * 3 + 3);
323     out = malloc(img->ysize * bpp);
    ...


The bug is a common integer overflow. As you can see, the variable height is declared as an unsigned 32-bit integer at line 49. When the check on the TIFF image size takes place at lines 193-196, height is compared against CUPS_IMAGE_MAX_HEIGHT, which is defined in filter/image-private.h like this:

44 #  define CUPS_IMAGE_MAX_HEIGHT 0x7fffffff
45                                         /* 2^31-1 */

This value is later stored into img->ysize, as seen at line 211. Now, if a malicious user creates a TIFF image with a height of, for example, 0x7fffffff, the dynamic allocations at lines 322 and 323 can cause an integer overflow that leads to a wrap-around. The subsequent write operations to the allocated buffers will result in heap memory corruption, since the allocated space is not enough to hold the data because of the wrap-around. The patch was this:

-#  define CUPS_IMAGE_MAX_HEIGHT	0x7fffffff
-					/* 2^31-1 */
+#  define CUPS_IMAGE_MAX_HEIGHT	0x3fffffff
+					/* 2^30-1 */
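Review bot: the lowered constant fixes the wrap by headroom rather than by a check. With img->ysize at most 0x3fffffff and 32-bit unsigned arithmetic, the line 322 size img->ysize * 3 + 3 is at most 0xc0000000 and the line 323 size img->ysize * bpp stays below 2^32 as long as bpp is at most 4 (assumed here), whereas the old 0x7fffffff let both products wrap. Since the hunk leaves the allocation sites at lines 322 and 323 untouched, it would be worth adding an explicit overflow check (or size_t arithmetic) next to those mallocs, so that a future change to the constant or a caller that skips the width/height check does not reintroduce the wrap; the hunk also changes only CUPS_IMAGE_MAX_HEIGHT, so confirm that width-based allocations do not need the same reduction of CUPS_IMAGE_MAX_WIDTH.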


If CUPS is configured to share a printer on a network, this is remotely exploitable.
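As an added illustration (not code from the CUPS source), the following C program reproduces the size arithmetic of lines 322 and 323 in plain 32-bit unsigned arithmetic, next to an overflow-checked version, and shows why the old cap lets the sizes wrap while the patched cap does not. It assumes a maximum of 4 bytes per pixel (bpp) and uses constructed height values.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_MAX_HEIGHT 0x7fffffffU /* CUPS 1.3.9: 2^31-1 */
#define NEW_MAX_HEIGHT 0x3fffffffU /* patched:    2^30-1 */
#define MAX_BPP        4U          /* assumed upper bound on bytes per pixel */

/* Mirrors the height part of the 1.3.9 size check at lines 193-194. */
static bool height_check_passes(uint32_t height, uint32_t max_height)
{
    return height != 0 && height <= max_height;
}

/* The two malloc sizes as 1.3.9 computes them: 32-bit unsigned
 * arithmetic that wraps silently modulo 2^32. */
static uint32_t in_size_wrapping(uint32_t ysize) { return ysize * 3U + 3U; }
static uint32_t out_size_wrapping(uint32_t ysize, uint32_t bpp) { return ysize * bpp; }

/* Overflow-aware multiply: reports failure instead of wrapping. */
static bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b != 0 && a > UINT32_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/* True if neither malloc size can wrap for any height up to max_height. */
static bool cap_prevents_wrap(uint32_t max_height)
{
    uint32_t in, out;
    return mul_u32_checked(max_height, 3U, &in) && in <= UINT32_MAX - 3U
        && mul_u32_checked(max_height, MAX_BPP, &out);
}

int main(void)
{
    uint32_t h = 0x55555556U; /* constructed height: passes the old cap */
    printf("height 0x%08" PRIx32 " passes old cap: %d, new cap: %d\n", h,
           height_check_passes(h, OLD_MAX_HEIGHT), height_check_passes(h, NEW_MAX_HEIGHT));
    printf("in  = malloc(%" PRIu32 ") although ~%.1f GiB is needed\n",
           in_size_wrapping(h), (double)h * 3 / (1024.0 * 1024 * 1024));
    printf("out = malloc(%" PRIu32 ") for height 0x40000001, bpp 4\n",
           out_size_wrapping(0x40000001U, 4U));
    printf("old cap safe: %d, new cap safe: %d\n",
           cap_prevents_wrap(OLD_MAX_HEIGHT), cap_prevents_wrap(NEW_MAX_HEIGHT));
    return 0;
}
```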

Written by xorl

April 17, 2009 at 04:08

Posted in bugs
