mailing list archives
Re: Firefox 0.92 DoS via TinyBMP
From: st3ng4h <st3ng4h () comcast net>
Date: Mon, 12 Jul 2004 19:22:51 -0500
On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali Campbell wrote:
I agree when you say that it's probably a flaw in the BMP lib
implementation. But as I've pointed out once already, Windows isn't the
only afflicted platform:
You're correct, and I'm glad you did point this out, because it may
potentially affect many such implementations.
The April bugtraq advisory that I provided URL for earlier (and
again ) says:
"When a BMP file loaded into the Internet Explorer (for exmaple
'IMG' tag) the internet explorer check the BMP image size written
in BMP file, and then allocate the necessary memory to itself for
placing bmp image into the memory."
Also see MSDN's explanation of bitmap file structure  for more
AFAICT, any program/library that allocates bfSize (in
BITMAPFILEHEADER) bytes of memory, without verifying that this
resembles the actual size of the bitmap file, will likely suffer
from this problem in some form or another.
Why this was not figured out in the original advisory or this one is
beyond me; I have approximately zero experience as a bug-hunter and
am mostly ignorant to Windows internals.
What's more annoying is that the OP apparently just ripped off the
PoC from the original (incorrect) IE advisory, did not credit the
finder, and published it as a Firefox vulnerability.
Full-Disclosure - We believe in it.
AW: Firefox 0.92 DoS via TinyBMP Webmaster (Jul 12)
Re: Firefox 0.92 DoS via TinyBMP & Thunderbird 0.72 & Outlook Express (latest Version) thE_iNviNciblE (Jul 12)
Re: Firefox 0.92 DoS via TinyBMP Thomas Kaschwig (Jul 13)
Re: Firefox 0.92 DoS via TinyBMP Bernardo Santos Wernesback (Jul 12)
- Re: Firefox 0.92 DoS via TinyBMP, (continued)