Multiple heap buffer overflows caused by int overflow
Bug #1900983 reported by
Kai Dietrich
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cimg (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
| gmic (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
The CImg library uses an unsafe pattern to calculate memory allocations size. At least in the PNM file format parser, an attacker can trivially supply width/height fields that overflow the heap and result in arbitrary heap writes. This probably also affects other file format parsers in CImg.
The most prominent user of CImg is gmic.
The gmic commandline tool directly exposes the load_pnm() functions (and also the other file format load functions) to the user and thus is affected.
The issue is public and fixed in:
https:/
Redhat bug:
https:/
https:/
CVE References
Revision history for this message
| Kai Dietrich (0cs935kb517wwm-mail) wrote | #1 |
| summary: |
- Multiple heap buffer overflows by integer overflow + Multiple heap buffer overflows cause by integer overflow |
| summary: |
- Multiple heap buffer overflows cause by integer overflow + Multiple heap buffer overflows caused by integer overflow |
| summary: |
- Multiple heap buffer overflows caused by integer overflow + Multiple heap buffer overflows caused by int overflow |
| description: | updated |
Revision history for this message
| Eduardo Barretto (ebarretto) wrote | #2 |
| tags: | added: community-security |
| information type: | Private Security → Public Security |
| Changed in cimg (Ubuntu): | |
| status: | New → Confirmed |
| Changed in gmic (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
| description: | updated |
To post a comment you must log in.
No CVE assigned yet AFAIK.