Apple OS X 10.4.6 "ReadBMP ()" .bmp DoS

Release Date:
April 19th, 2006

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.6 and prior

Overview:
A heap overflow vulnerability exists in the processing of .bmp files. It causes the application to crash and/or may allow an attacker to execute arbitrary code on the targeted host.

Technical Details:
When decompressing a specially crafted .bmp file, the ReadBMP () function incorrectly parses the malformed data, and the application crashes with a segmentation fault.

Below, the crash is triggered on OS X (PPC) 10.4.6 using Preview within gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
(gdb) bt
#0 0xffff8a60 in ___memcpy ()
#1 0x8f11c0d4 in ReadBMP ()
#2 0x8f11d528 in BMP_CDBandDecompress ()
#3 0x90b5bafc in CallComponentFunctionCommon ()
#4 0x90b5b684 in CallComponent ()
#5 0x8fad5680 in ImageCodecBandDecompress ()
#6 0x8fac70b8 in DoBandedDecompress ()
#7 0x8fb3fb98 in ICMAction_aligned ()
#8 0x8fac38e0 in ICMDeviceLoop ()
#9 0x8fac9dfc in DecompressSequenceFrameWhen ()
#10 0x8fafb224 in DecompressSequenceFrameS ()
#11 0x8f097b2c in importGraphicDrawInternal ()
#12 0x8f0992d0 in importGraphicDrawOrDecide ()
#13 0x90b5bae0 in CallComponentFunctionCommon ()
#14 0x90b5b684 in CallComponent ()
#15 0x90b5b684 in CallComponent ()
#16 0x8fafb05c in GraphicsImportDraw ()
#17 0x919948f8 in getBandProcQT ()
#18 0x9197b87c in CGImagePlusUpdateCache ()
#19 0x9197b590 in CGImagePlusCreateImage ()
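
Added example, not part of the advisory and not Apple's code: the advisory does not say which field of the file is malformed, so this C sketch assumes the general case of a header that declares more pixel data than the file contains, and shows the bounds check a decoder needs before any memcpy of pixel rows. The function name bmp_pixels_in_bounds and the sample bytes are hypothetical, and only uncompressed (BI_RGB) images are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BMP header fields are little-endian regardless of host (PPC is big-endian). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: returns 0 and fills *off / *size when the pixel array
 * declared by the header lies inside the file, -1 otherwise. */
int bmp_pixels_in_bounds(const uint8_t *buf, size_t len, size_t *off, size_t *size)
{
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1; /* 14 + 40 header bytes */
    uint32_t data_off = rd32(buf + 10);
    uint64_t hdr = rd32(buf + 14);                /* info header size */
    int32_t w = (int32_t)rd32(buf + 18);
    int32_t h = (int32_t)rd32(buf + 22);          /* negative means top-down rows */
    unsigned bpp = buf[28] | (unsigned)buf[29] << 8;
    if (hdr < 40 || data_off < 14 + hdr) return -1;
    if (rd32(buf + 30) != 0) return -1;           /* compression: BI_RGB only */
    if (w <= 0 || h == 0) return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return -1;

    /* 64-bit math: w < 2^31 and bpp <= 32, so none of these products can wrap. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;  /* rows pad to 4 bytes */
    uint64_t rows = (uint64_t)(h < 0 ? -(int64_t)h : (int64_t)h);
    uint64_t total = stride * rows;
    if (data_off > len || total > len - data_off) return -1; /* claims exceed file */
    *off = data_off;
    *size = (size_t)total;
    return 0;
}

int main(void)
{
    /* Constructed sample: 2x2, 8 bpp header followed by 8 bytes of pixel data. */
    uint8_t f[62] = {0};
    size_t off = 0, size = 0;
    f[0] = 'B'; f[1] = 'M'; f[10] = 54; f[14] = 40; f[18] = 2; f[22] = 2; f[26] = 1; f[28] = 8;
    printf("consistent header: %d\n", bmp_pixels_in_bounds(f, sizeof f, &off, &size));
    f[19] = 0x10;  /* width field now claims 4098 pixels; the file is still 62 bytes */
    printf("oversized claim:   %d\n", bmp_pixels_in_bounds(f, sizeof f, &off, &size));
    return 0;
}
```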

Vendor Status:
Apple was notified.

Solution:
Currently no patches have been released for this vulnerability.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x27.html
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008