Skip to content

CVE-2024-28219: Use strncpy to avoid buffer overflow#7928

Merged
hugovk merged 3 commits intomainfrom
lcms
Apr 1, 2024
Merged

CVE-2024-28219: Use strncpy to avoid buffer overflow#7928
hugovk merged 3 commits intomainfrom
lcms

Conversation

@hugovk
Copy link
Member

@hugovk hugovk commented Apr 1, 2024
edited
Loading

A straightforward way to stop strcpy from overflowing is to use strncpy.

The test image is from https://github.com/saucecontrol/Compact-ICC-Profiles/blob/master/profiles/sGrey-v2-nano.icc, licensed under CC0.

@hugovk hugovk added the automerge Automatically merge PRs that are ready label Apr 1, 2024
@hugovk
Copy link
Member Author

hugovk commented Apr 1, 2024

Merging; we don't need to wait for valgrind or AppVeyor to finish testing the latest commit which was docs only.

@hugovk hugovk merged commit 2776126 into main Apr 1, 2024
@hugovk
Copy link
Member Author

hugovk commented Apr 1, 2024

I'll update CHANGES.rst with this when bumping the version.

@radarhere radarhere deleted the lcms branch April 1, 2024 09:21
@hugovk
Copy link
Member Author

hugovk commented Apr 1, 2024

Or you already did, no problem :)

charmander
charmander reviewed Apr 1, 2024
View reviewed changes
src/_imagingcms.c
Comment on lines +204 to +205
strncpy(self->mode_in, mode_in, 8);
strncpy(self->mode_out, mode_out, 8);
Copy link

@charmander charmander Apr 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

strncpy doesn’t null-terminate oversized entries.

Suggested change
strncpy(self->mode_in, mode_in, 8);
strncpy(self->mode_out, mode_out, 8);
strncpy(self->mode_in, mode_in, 8);
self->mode_in[7] = '\0';
strncpy(self->mode_out, mode_out, 8);
self->mode_out[7] = '\0';

But are these even used? The Python ImageCmsTransform wrapper has inputMode and outputMode attributes already, and they work normally. Is there a need to preserve a slightly different .transform.inputMode?

Copy link
Contributor

@nulano nulano Apr 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not, see #7931 for a suggestion to remove them.

@ThiefMaster
Copy link

ThiefMaster commented Apr 3, 2024

Is this exploitable when all you do is opening user-provided images and converting them? Or only when you explicitly used the ImageCms module?

@radarhere
Copy link
Member

radarhere commented Apr 4, 2024

Something outside of Pillow would have to use ImageCms, yes.

@ArielPrevu3D
Copy link

ArielPrevu3D commented Apr 10, 2024
edited
Loading

It looks like Image.convert can lead to a buffer overflow if the mode parameter is user-supplied. Your code does not have to use ImageCms directly to be exploitable.

Pillow/src/PIL/Image.py

Line 1079 in 955c5da

profiles[0], profiles[1], self.mode, mode

@radarhere
Copy link
Member

radarhere commented Apr 10, 2024

If you look a few lines earlier

Pillow/src/PIL/Image.py

Lines 1070 to 1079 in 955c5da

if "LAB" in (self.mode, mode):
other_mode = mode if self.mode == "LAB" else self.mode
if other_mode in ("RGB", "RGBA", "RGBX"):
from . import ImageCms
srgb = ImageCms.createProfile("sRGB")
lab = ImageCms.createProfile("LAB")
profiles = [lab, srgb] if self.mode == "LAB" else [srgb, lab]
transform = ImageCms.buildTransform(
profiles[0], profiles[1], self.mode, mode

you will see that one of the modes has to be "LAB", and the other has to be one of "RGB", "RGBA" or "RGBX",
none of which is more than 8 characters.

So it isn't exploitable from Image.convert.

@data-sync-user data-sync-user mentioned this pull request Jun 3, 2024
Merged
@pushfoo pushfoo mentioned this pull request Sep 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radarhere radarhere radarhere approved these changes

+2 more reviewers

@charmander charmander charmander left review comments

@nulano nulano nulano left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

automerge Automatically merge PRs that are ready

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@hugovk @ThiefMaster @radarhere @ArielPrevu3D @charmander @nulano