The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc.
In addition to verifying the correctness of a subset of fields in the bitmap headers, the gdiplus!ValidateBitmapInfo function is also responsible for extracting the palette (in the case of an 8-bpp image), which is later used to display the image. The function assumes that the palette is placed directly after the header, but does not make sure that the overall record is large enough to hold it, which may result in reading data past the memory region allocated for the record and displaying it on screen. In the context of GDI+ clients which make it possible to read the rendered pixels back and send them to an attacker, or to use them as part of a larger exploit chain, the bug could result in the disclosure of sensitive data or the defeat of exploit mitigations such as ASLR.
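As an added illustration of the missing bound (this is not code from the report or from gdiplus), the following Python checker parses an EMR_BITBLT record and its embedded BITMAPINFO as MS-EMF lays them out and rejects a record whose cbBmiSrc does not cover the palette that an 8-bpp header implies. The function names check_emr_bitblt and make_record are assumptions, and the 4x1 sample bitmaps built by make_record are constructed for testing only.

```python
import struct

EMR_BITBLT = 0x4C
EMR_BITBLT_HEADER_LEN = 100     # fixed fields up to and including cbBitsSrc
BITMAPINFOHEADER_LEN = 40

def palette_bytes(bit_count, clr_used):
    """Size of the RGBQUAD palette GDI+ expects right after the header."""
    if bit_count > 8:
        return 0                                  # no palette for >8 bpp
    entries = clr_used if clr_used else 1 << bit_count
    return entries * 4

def check_emr_bitblt(record):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if len(record) < EMR_BITBLT_HEADER_LEN:
        return ["record shorter than the fixed EMR_BITBLT header"]
    rec_type, rec_size = struct.unpack_from("<II", record, 0)
    if rec_type != EMR_BITBLT:
        return ["not an EMR_BITBLT record"]
    if rec_size != len(record) or rec_size % 4:
        return ["Size field does not match the record length"]
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<IIII", record, 84)
    if off_bmi < EMR_BITBLT_HEADER_LEN or off_bmi + cb_bmi > rec_size:
        return ["BITMAPINFO lies outside the record"]
    if off_bits + cb_bits > rec_size:
        problems.append("pixel bits lie outside the record")
    if cb_bmi < BITMAPINFOHEADER_LEN:
        return problems + ["cbBmiSrc too small for a BITMAPINFOHEADER"]
    fields = struct.unpack_from("<IiiHHIIiiII", record, off_bmi)
    bi_size, bit_count, clr_used = fields[0], fields[4], fields[9]
    if bi_size < BITMAPINFOHEADER_LEN or bi_size > cb_bmi:
        return problems + ["biSize inconsistent with cbBmiSrc"]
    # The bound the report says is never checked: the palette read after the header must fit in cbBmiSrc.
    need = bi_size + palette_bytes(bit_count, clr_used)
    if need > cb_bmi:
        problems.append("palette of %d bytes runs past cbBmiSrc=%d" % (need - bi_size, cb_bmi))
    return problems

def make_record(bit_count, clr_used, palette_entries, pixel_bytes):
    """Constructed test record (4x1 image), not taken from any real EMF file."""
    bmi = struct.pack("<IiiHHIIiiII", 40, 4, 1, 1, bit_count, 0,
                      len(pixel_bytes), 0, 0, clr_used, 0)
    bmi += b"\x00" * (4 * palette_entries)
    size = EMR_BITBLT_HEADER_LEN + len(bmi) + len(pixel_bytes)
    size += (-size) % 4                           # records are DWORD-aligned
    fixed = struct.pack("<II", EMR_BITBLT, size) + b"\x00" * 76
    fixed += struct.pack("<IIII", 100, len(bmi), 100 + len(bmi), len(pixel_bytes))
    return (fixed + bmi + pixel_bytes).ljust(size, b"\x00")
```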
A proof-of-concept poc.emf file is attached, which uses the EMR_BITBLT record to embed an 8-bpp bitmap with no palette. When loaded in a GDI+ client (e.g. Microsoft Office), it will clearly display the contents of uninitialized heap memory. An example result of inserting it into a blank presentation in PowerPoint 2013 three times is illustrated in the attached screenshot.
The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.