SAIL XWD Codec Heap Buffer Overflow Vulnerability
Vulnerability
A heap buffer overflow has been identified in the XWD codec of the SAIL image library, in versions prior to a specific fixing commit in 2026. The issue arises from a mismatch between the pixel format the decoder resolves from the file header and the element size used during byte-swapping. When 'pixmap_depth' is 8 (one byte per pixel) but 'bits_per_pixel' is 32, the byte-swap loop walks the row as 32-bit integers and therefore touches four times as many bytes as were allocated for the row. This vulnerability is distinct from another issue previously reported by the same author, which involved improper validation of 'bytes_per_line'.
Impact
Exploitation of this vulnerability allows heap corruption, with the potential for arbitrary code execution. The size of the overflow scales with the image width, which the attacker controls through the file header.
Reproduction
To reproduce this vulnerability, create an XWD file with a 'pixmap_depth' of 8 and a 'bits_per_pixel' of 32, a 'byte_order' of 1 (MSBFirst) and a 'visual_class' of 3 (PseudoColor). The image should be 100 pixels wide and 1 pixel high, with a 'bytes_per_line' value of 100 and a colour palette of 256 entries. This crafted file causes the byte-swap loop to read and write 400 bytes of a 100-byte row, a 300-byte overflow, as confirmed by AddressSanitizer.
Remediation
Users are advised to update to the patched version of the SAIL library. The fix validates that 'bits_per_pixel' matches the resolved pixel format before any byte-swapping is performed.
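The following is an added example, not SAIL's code, illustrating the header-consistency check the remediation describes and the mismatch described under Vulnerability. The 'struct xwd_header' is a simplified stand-in whose field names follow the X11 XWDFileHeader; the resolution table in 'resolved_bytes_per_pixel', the little-endian-host assumption (so MSBFirst data is what needs swapping), and the sample headers are assumptions constructed for the demonstration. 'swap_span_bytes' only computes how many bytes a swap loop that trusts 'bits_per_pixel' would touch; it does not perform the unsafe access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the XWD header fields involved in the check.
 * Not SAIL's structure; names follow the X11 XWDFileHeader. */
struct xwd_header {
    uint32_t pixmap_width;
    uint32_t pixmap_height;
    uint32_t pixmap_depth;
    uint32_t byte_order;      /* 0 = LSBFirst, 1 = MSBFirst */
    uint32_t bits_per_pixel;
    uint32_t bytes_per_line;
    uint32_t visual_class;    /* 3 = PseudoColor */
    uint32_t ncolors;
};

/* Bytes per pixel of the format this stand-in resolves the header to
 * (assumed table, not SAIL's). Returns 0 for unhandled combinations. */
static uint32_t resolved_bytes_per_pixel(const struct xwd_header *h)
{
    if (h->visual_class == 3 && h->pixmap_depth == 8)   /* PseudoColor: 1 index byte */
        return 1;
    if (h->pixmap_depth == 16)
        return 2;
    if (h->pixmap_depth == 24)
        return h->bits_per_pixel == 32 ? 4 : 3;
    if (h->pixmap_depth == 32)
        return 4;
    return 0;
}

/* Bytes per row a swap loop that trusts bits_per_pixel would touch. */
uint64_t swap_span_bytes(const struct xwd_header *h)
{
    return (uint64_t)h->pixmap_width * (h->bits_per_pixel / 8);
}

/* The remediation's check: bits_per_pixel must agree with the resolved
 * format, and bytes_per_line must hold a full row at that size. */
bool xwd_header_is_consistent(const struct xwd_header *h)
{
    uint32_t bpp = resolved_bytes_per_pixel(h);
    if (bpp == 0 || h->bits_per_pixel != bpp * 8)
        return false;
    return h->bytes_per_line / bpp >= h->pixmap_width;  /* division avoids overflow */
}

/* Hardened row swap: rejects inconsistent headers and never steps past
 * row_len. Returns bytes swapped, 0 if no swap is needed, -1 if rejected. */
long swap_row_bytes(uint8_t *row, size_t row_len, const struct xwd_header *h)
{
    if (!xwd_header_is_consistent(h))
        return -1;
    uint32_t bpp = h->bits_per_pixel / 8;
    if (bpp < 2 || h->byte_order != 1)      /* single-byte pixels or LSBFirst */
        return 0;
    size_t needed = (size_t)h->pixmap_width * bpp;
    if (needed > row_len)
        return -1;
    for (size_t i = 0; i < needed; i += bpp)
        for (size_t a = 0, b = bpp - 1; a < b; a++, b--) {
            uint8_t t = row[i + a]; row[i + a] = row[i + b]; row[i + b] = t;
        }
    return (long)needed;
}

/* Header built from the values the Reproduction section lists (constructed). */
static struct xwd_header advisory_header(void)
{
    struct xwd_header h = {100, 1, 8, 1, 32, 100, 3, 256};
    return h;
}

/* How far past bytes_per_line the trusting loop would run for that header. */
long advisory_overflow_bytes(void)
{
    struct xwd_header h = advisory_header();
    return (long)(swap_span_bytes(&h) - h.bytes_per_line);
}

bool advisory_header_accepted(void)
{
    struct xwd_header h = advisory_header();
    return xwd_header_is_consistent(&h);
}

/* Consistent depth-24/32-bpp MSBFirst row of two pixels (constructed):
 * returns 1 if the hardened swap produced the expected bytes, else 0. */
int hardened_swap_demo(void)
{
    struct xwd_header h = {2, 1, 24, 1, 32, 8, 4, 0};
    uint8_t row[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
    const uint8_t want[8] = {0x44, 0x33, 0x22, 0x11, 0x88, 0x77, 0x66, 0x55};
    if (swap_row_bytes(row, sizeof row, &h) != 8)
        return 0;
    for (int i = 0; i < 8; i++)
        if (row[i] != want[i])
            return 0;
    return swap_row_bytes(row, 4, &h) == -1;  /* short buffer is refused */
}

int main(void)
{
    printf("advisory header accepted: %d, would overrun by %ld bytes\n",
           advisory_header_accepted(), advisory_overflow_bytes());
    printf("hardened swap demo ok: %d\n", hardened_swap_demo());
    return 0;
}
```

The point of the check is ordering: the comparison between 'bits_per_pixel' and the resolved format happens before the row buffer is sized or touched, so a header that claims 32-bit pixels for a one-byte-per-pixel visual is rejected rather than driving the element size of the swap loop.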
