CVE-2020-24295: FreeImage / Discussion / Developers: Four Vulnerabilities about Freeimage 3.19.0
Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in FreeImage 3.19.0 [r1859] allows remote attackers to run arbitrary code via use of a crafted psd file.
1. PluginICO.cpp/LoadStandardIcon()/heap_overflow
When the program reads an ico file, the file is handed to the Load function of the ‘PluginICO.cpp’ file, but at line ‘332’ of the program, when the ‘io->read_proc’ function is executed, the size of “height * pitch” is not considered, which will cause the heap_overflow.
From the above, we can see that the “FreeImage_GetBits” function returns a pointer, which corresponds to the buffer as follows.
The buffer size is (0x259aa44df50 + 0x663 - 259aa44df50) 0xa3
At the same time, the “handle” stores the pointer to the ICO data we read in. Moreover, we can see that the buffer has read the ico data when the ‘io->read_proc’ function is executed.
Also the size of the “height * pitch” can be controlled.
Finally, it will cause the heap overflow if we make “height * pitch” greater than the size of the buffer. Moreover, it may carry the risk of arbitrary code execution.
2. PSDParser.cpp/ReadImageLine()/heap_overflow
When the program reads a psd file, the file is handed to the Load function of the ‘PSDParser.cpp’ file, but at line ‘1298’ of the program, when the ‘memcpy’ function is executed, the size of “lineSize” is not considered, which will cause the heap_overflow.
The lineSize is determined by the nWidth we passed in, which is controllable.
The buffer size of “dst” is (0x19f53cdffe0 + 0x2013 -0x0000019f53ce1f90) 0x63
Also the content of “src” comes from the psd file we read in.
Finally, it will cause the heap overflow when the ‘memcpy’ function is executed, if we make ‘lineSize’ greater than the size of the buffer. Moreover, it may carry the risk of arbitrary code execution.
3. PSDParser.cpp/UnpackRLE()/Integer overflow
An integer overflow occurs at line “1328” of the “psdParser::UnpackRLE” function in "PSDParser.cpp", where “srcSize” is an unsigned integer. When “srcSize-=len” yields a negative number (0xffffff94), it is still recognized as a positive number in memory. This eventually results in "srcSize > 0", which causes rle_line to generate an out-of-bounds read.
4. PSDParser.cpp/psdThumbnail::Read()/heap_overflow
When the program reads a psd file, the file is handed to the Load function of the ‘PSDParser.cpp’ file, but at line ‘801’ of "psdThumbnail::Read", when the ‘memcpy’ function is executed, the size of “_Width * _BitPerPixel” is not considered, which will cause the heap_overflow.
The buffer size of “dst_line_start” is (0x231fdfde8f0 + 0x70b - 0x00000231fdfdefe4) 0x17 and the “_Width * _BitPerPixel” is determined by the nWidth we passed in, which is controllable.
In the code above, the "io->read_proc(line_start, _WidthBytes, 1, handle)" function is executed, where the “handle” stores the pointer to the psd data we read in. Also, the “_WidthBytes” is controllable, which means the content of “line_start” is controllable.
Finally, it will cause the heap overflow when the ‘memcpy’ function is executed, if we make “_Width * _BitPerPixel” greater than the size of the buffer. Moreover, it may carry the risk of arbitrary code execution.
Author by [email protected]
Last edit: Avscx 2020-08-07
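The unsigned wraparound from item 3 and the kind of length check missing in items 1, 2 and 4, as an added C example that is not FreeImage's code and not part of the original post. `remaining_after` and `unpack_rle_checked` are hypothetical names, the decoder assumes the PackBits RLE encoding used by PSD, and the inputs 20 and 128 are constructed to reproduce the 0xffffff94 value quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unsigned subtraction never goes negative: it wraps modulo 2^32. */
uint32_t remaining_after(uint32_t src_size, uint32_t len) {
    return src_size - len;  /* a later "remaining > 0" test stays true */
}

/* Hypothetical bounds-checked PackBits decoder (not the library's code).
 * Returns the number of bytes written, or -1 on malformed input. */
long unpack_rle_checked(uint8_t *dst, size_t dst_size,
                        const uint8_t *src, size_t src_size) {
    size_t in = 0, out = 0;
    while (in < src_size) {
        uint8_t ctrl = src[in++];
        if (ctrl < 128) {                         /* literal run of ctrl+1 bytes */
            size_t len = (size_t)ctrl + 1;
            if (len > src_size - in) return -1;   /* would read past src */
            if (len > dst_size - out) return -1;  /* would write past dst */
            memcpy(dst + out, src + in, len);
            in += len;
            out += len;
        } else if (ctrl > 128) {                  /* next byte repeated 257-ctrl times */
            size_t len = 257 - (size_t)ctrl;
            if (in >= src_size) return -1;        /* repeat value missing */
            if (len > dst_size - out) return -1;
            memset(dst + out, src[in++], len);
            out += len;
        }                                         /* ctrl == 128 is a no-op */
    }
    return (long)out;
}

int main(void) {
    /* Constructed input: the header claims 128 literal bytes, only 2 follow. */
    const uint8_t truncated[] = {0x7F, 'A', 'B'};
    uint8_t dst[128];
    printf("wrapped remaining: 0x%08x\n", (unsigned)remaining_after(20, 128));
    printf("decode result: %ld\n",
           unpack_rle_checked(dst, sizeof dst, truncated, sizeof truncated));
    return 0;
}
```

Comparing each run length against the bytes actually remaining, before any subtraction or copy, keeps both counters from wrapping and rejects the truncated stream instead of reading past it.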