Multiple heap buffer overflows caused by int overflow
Bug #1900983 reported by Kai Dietrich
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cimg (Ubuntu) | Confirmed | Undecided | Unassigned |
gmic (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The CImg library uses an unsafe pattern to calculate memory allocation sizes. At least in the PNM file format parser, an attacker can trivially supply width/height fields that overflow the heap and result in arbitrary heap writes. This probably also affects other file format parsers in CImg.
The most prominent user of CImg is gmic.
The gmic command-line tool directly exposes the load_pnm() functions (and also the other file format load functions) to the user and thus is affected.
The issue is public and fixed in:
https:/
Red Hat bug:
https:/
https:/
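An added illustration of the bug class described in the report (not CImg's code and not written by the reporter): image dimensions read from a file header are multiplied in a fixed-width integer, the product wraps, and the resulting allocation size is far smaller than the image. The function names, the 32-bit arithmetic and the 256 MiB cap are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on a decoded image; pick one that fits the application. */
#define MAX_IMAGE_BYTES ((size_t)256 << 20)

/* Unsafe pattern (illustrative): the product is computed in 32 bits and wraps
   silently, so the size can be much smaller than the pixel data that follows. */
static uint32_t unchecked_size(uint32_t w, uint32_t h, uint32_t channels) {
    return w * h * channels;
}

/* Hardened form: reject zero dimensions, any product that does not fit in
   size_t, and anything above the caller's cap. Returns 0 on success. */
static int checked_size(uint32_t w, uint32_t h, uint32_t channels,
                        size_t max_bytes, size_t *out) {
    size_t n;
    if (w == 0 || h == 0 || channels == 0) return -1;
    n = (size_t)w;
    if (h > SIZE_MAX / n) return -1;        /* n * h would overflow */
    n *= h;
    if (channels > SIZE_MAX / n) return -1; /* n * channels would overflow */
    n *= channels;
    if (n > max_bytes) return -1;           /* header asks for too much */
    *out = n;
    return 0;
}

/* Allocate the pixel buffer only after the header dimensions pass the check. */
static unsigned char *alloc_pixels(uint32_t w, uint32_t h, uint32_t channels,
                                   size_t *out) {
    if (checked_size(w, h, channels, MAX_IMAGE_BYTES, out) != 0) return NULL;
    return malloc(*out);
}

int main(void) {
    size_t n = 0;
    /* Constructed header values: 65537 x 65537, one channel. */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(65537u, 65537u, 1u));
    printf("checked:   %s\n",
           checked_size(65537u, 65537u, 1u, MAX_IMAGE_BYTES, &n) ? "rejected" : "ok");
    free(alloc_pixels(640u, 480u, 3u, &n));
    printf("640x480x3: %zu bytes\n", n);
    return 0;
}
```

A parser that sizes its buffer with the unchecked form and then reads width × height samples writes past the end of the allocation; the checked form makes it fail the load instead.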
CVE References
No CVE assigned yet AFAIK.