Sail Heap-Based Buffer Overflow Vulnerability in XWD Parser

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the Sail library, specifically within the XWD parser. All versions of Sail are affected. The parser uses the 'bytes_per_line' value, read directly from the XWD file, as the size for reading pixel data. This value is not validated against the actual size of the destination buffer, so an attacker can craft an XWD file with an excessively large 'bytes_per_line' value. The resulting write exceeds the heap-allocated buffer for image pixels, potentially causing memory corruption.
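The missing validation, sketched as an added example (this is not Sail's code or its fix, and every name in it is hypothetical): the copy size comes from the decoder's own row size, and the file's 'bytes_per_line' is used only as a checked source stride. It assumes the pixel data is already in memory and that the destination was sized from width and bits per pixel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is not Sail's API. */
enum { XWD_OK = 0, XWD_ERR_DEST = -1, XWD_ERR_STRIDE = -2, XWD_ERR_TRUNCATED = -3 };

/* src/src_len: pixel bytes as stored in the file (untrusted).
 * file_bpl:    bytes_per_line header field (untrusted).
 * dst/dst_len: heap buffer the decoder allocated for the image.
 * dst_bpl:     row size the decoder derived from width and bits per pixel. */
int xwd_copy_rows(const uint8_t *src, size_t src_len, uint32_t file_bpl,
                  uint8_t *dst, size_t dst_len, size_t dst_bpl, uint32_t height)
{
    /* The destination must hold `height` rows; divide to avoid overflow. */
    if (dst_bpl == 0 || height > dst_len / dst_bpl)
        return XWD_ERR_DEST;
    /* A file row shorter than a decoded row cannot contain the pixels. */
    if (file_bpl < dst_bpl)
        return XWD_ERR_STRIDE;
    /* The input must really contain `height` rows at the file's stride. */
    if (height > src_len / file_bpl)
        return XWD_ERR_TRUNCATED;

    for (uint32_t y = 0; y < height; y++) {
        /* Write exactly dst_bpl bytes per row; the remainder of each
         * file row is scanline padding and is skipped, never copied. */
        memcpy(dst + (size_t)y * dst_bpl, src + (size_t)y * file_bpl, dst_bpl);
    }
    return XWD_OK;
}

int main(void)
{
    /* Constructed sample: 3 rows of 3 pixel bytes, each padded to 4. */
    const uint8_t src[12] = {1, 2, 3, 0, 4, 5, 6, 0, 7, 8, 9, 0};
    uint8_t dst[9] = {0};
    printf("padded stride 4: %d\n", xwd_copy_rows(src, sizeof src, 4, dst, sizeof dst, 3, 3));
    printf("oversized stride: %d\n", xwd_copy_rows(src, sizeof src, 0x7fffffffu, dst, sizeof dst, 3, 3));
    return 0;
}
```

Because each write is bounded by `dst_bpl`, an oversized header value can only cause a rejected file, not a write past the allocation.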

Impact

Exploiting this vulnerability corrupts heap metadata. That corruption can be leveraged, through heap management techniques, to manipulate execution flow and execute arbitrary code.

Reproduction

The vulnerability can be reproduced by compiling the Sail library with AddressSanitizer (ASAN) enabled, which helps detect memory-related errors. After compiling Sail with ASAN, a malicious XWD file can be created using a Python script. This script constructs an XWD file with a crafted 'bytes_per_line' value that is large enough to cause a heap buffer overflow when the file is processed by the Sail library. AddressSanitizer then reports a heap-buffer-overflow error, confirming the vulnerability.

Added: Feb 21, 2026, 12:26 AM
Updated: Feb 21, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.