Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-21428: FreeImage / Bugs / #299 heap-buffer-overflow in function LoadRGB of PluginDDS.cpp

Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

CVE
#vulnerability#dos#buffer_overflow
  • Summary
  • Files
  • Reviews
  • Support
  • Mailing Lists
  • Code
  • Tickets ▾
    • Feature Requests
    • Patches
    • Bugs
    • Support Requests
  • News
  • Discussion
  • FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function LoadRGB of PluginDDS.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.
Asan log as below:

==32112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4103e04 at pc 0x08087ebd bp 0xffc70e68 sp 0xffc70a40 WRITE of size 91 at 0xf4103e04 thread T0 #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc) #1 0x883a341 in _ReadProc(void*, unsigned int, unsigned int, void*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19 #2 0x815b75a in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:649:4 #3 0x815b75a in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9 #4 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #5 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #6 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8 #7 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16 #8 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)

0xf4103e04 is located 0 bytes to the right of 1412-byte region [0xf4103880,0xf4103e04) allocated by thread T0 here: #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675) #1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19 #2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26 #3 0x812b63f in FreeImage_Allocate /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:487:9 #4 0x815b159 in LoadRGB(tagDDSURFACEDESC2 const*, FreeImageIO*, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp #5 0x815b159 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9 #6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #8 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8 #9 0xf71fcfb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/FreeImage/test+0x8087ebc) in fread Shadow bytes around the buggy address: 0x3e820770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e820780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e820790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e8207a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e8207b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3e8207c0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e8207f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e820800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e820810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==32112==ABORTING

1 Attachments

Discussion

Log in to post a comment.

Related news

Ubuntu Security Notice USN-6586-1

Ubuntu Security Notice 6586-1 - It was discovered that FreeImage incorrectly handled certain memory operations. If a user were tricked into opening a crafted TIFF file, a remote attacker could use this issue to cause a heap buffer overflow, resulting in a denial of service attack. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. It was discovered that FreeImage incorrectly processed images under certain circumstances. If a user were tricked into opening a crafted TIFF file, a remote attacker could possibly use this issue to cause a stack exhaustion condition, resulting in a denial of service attack. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS.

Debian Security Advisory 5579-1

Debian Linux Security Advisory 5579-1 - Multiple vulnerabilities were discovered in FreeImage, a support library for graphics image formats, which could result in the execution of arbitrary code if malformed image files are processed.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907