CVE-2023-42295: runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302 · Issue #3947 · AcademySoftwareFoundation/OpenImageIO

An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c

Note that this CVE description does not match the report it links to. The issue below is a signed integer overflow at src/bmp.imageio/bmpinput.cpp:302 in the BMP reader, triggered by a crafted .bmp file and reproduced by the reporter on OIIO 2.4.14.0; neither read_rle_image nor bifs/unquantize.c appears anywhere in it. What the report actually demonstrates is an uncaught std::length_error thrown by vector::resize that aborts the process, i.e. a denial of service; it shows no code execution.

Describe the bug:
Hi, I found a runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302

To Reproduce:
Steps to reproduce the behavior:

  1. CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake … -DCMAKE_CXX_STANDARD=17
  2. make && make install
  3. iconvert --inplace poc.bmp
    poc file:
    poc.bmp.zip

Evidence:
src/bmp.imageio/bmpinput.cpp:302:41: runtime error: signed integer overflow: 10240 * 276095 cannot be represented in type ‘int’
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/fuzz/fuzz_oiio/oiio/src/bmp.imageio/bmpinput.cpp:302:41 in
terminate called after throwing an instance of ‘std::length_error’
what(): vector::_M_default_append
0# OpenImageIO_v2_5_2::Sysutil::stacktrace[abi:cxx11] in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO_Util.so.2.5.2
1# 0x00007F5AA4E8B5CC in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO_Util.so.2.5.2
2# 0x00007F5AA4532520 in /lib/x86_64-linux-gnu/libc.so.6
3# pthread_kill in /lib/x86_64-linux-gnu/libc.so.6
4# raise in /lib/x86_64-linux-gnu/libc.so.6
5# abort in /lib/x86_64-linux-gnu/libc.so.6
6# 0x00007F5AA48C1B9E in /lib/x86_64-linux-gnu/libstdc++.so.6
7# 0x00007F5AA48CD20C in /lib/x86_64-linux-gnu/libstdc++.so.6
8# 0x00007F5AA48CD277 in /lib/x86_64-linux-gnu/libstdc++.so.6
9# 0x00007F5AA48CD4D8 in /lib/x86_64-linux-gnu/libstdc++.so.6
10# std::__throw_length_error(char const*) in /lib/x86_64-linux-gnu/libstdc++.so.6
11# 0x00007F5AA64A29AC in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
12# 0x00007F5AA64A2281 in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
13# 0x00007F5AA733A3BB in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
14# 0x00007F5AA73355FE in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
15# 0x00007F5AA7332396 in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
16# OpenImageIO_v2_5_2::ImageInput::create(OpenImageIO_v2_5_2::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v2_5_2::ImageSpec const*, OpenImageIO_v2_5_2::Filesystem::IOProxy*, OpenImageIO_v2_5_2::basic_string_view<char, std::char_traits<char> >) in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
17# OpenImageIO_v2_5_2::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_5_2::ImageSpec const*, OpenImageIO_v2_5_2::Filesystem::IOProxy*) in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
18# 0x000055E91B20C502 in …/…/…/oiio/build/bin/iconvert
19# 0x000055E91B2133A1 in …/…/…/oiio/build/bin/iconvert
20# 0x00007F5AA4519D90 in /lib/x86_64-linux-gnu/libc.so.6
21# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
22# 0x000055E91B14BC55 in …/…/…/oiio/build/bin/iconvert
Aborted

Platform information:
OIIO branch/version: 2.4.14.0
OS: Linux
C++ compiler: clang-14.0.6
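The failure chain the sanitizer line and the stack trace describe (a 32-bit signed product of header-controlled factors wraps, the negative result becomes an enormous size_t, and vector::resize throws a std::length_error that nothing catches), shown as an added C++ example. This is not OIIO's code and not part of the original issue: the BmpDims struct, the 1 GiB cap, and which of the two factors 10240 and 276095 is the width and which the height are assumptions made for the example. The hardened function alongside it range-checks every factor and bounds the product by division before anything is allocated, so the check holds for any cap, not just the one chosen here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the three BMP header fields that size the pixel
// buffer; the names are assumptions, not OIIO's ImageSpec fields.
struct BmpDims {
    int32_t  width;   // biWidth
    int32_t  height;  // biHeight; negative means a top-down bitmap
    uint16_t bpp;     // biBitCount
};

// The unchecked pattern the sanitizer flagged: a 32-bit signed product of two
// header-controlled factors. Written with 64-bit arithmetic plus an explicit
// truncation so this example itself has no undefined behaviour; on a
// two's-complement target the truncated value is what `int n = w * h;` leaves
// behind once the product exceeds INT_MAX.
int32_t unchecked_pixel_count(int32_t w, int32_t h) {
    int64_t wide = static_cast<int64_t>(w) * static_cast<int64_t>(h);
    return static_cast<int32_t>(static_cast<uint32_t>(wide));
}

// What the stack trace shows next: the negative count converted to size_t is
// far above vector::max_size(), so resize() throws std::length_error
// ("vector::_M_default_append" in libstdc++). Here it is caught so the
// function can report it; in the trace nothing catches it and the process aborts.
bool resize_throws_length_error(int32_t n) {
    try {
        std::vector<unsigned char> buf;
        buf.resize(static_cast<size_t>(n));
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}

// Hardened sizing: every factor is range-checked and the product is bounded
// before any buffer is allocated, so a hostile header can never reach the
// allocator with a wrapped or absurd size. Row padding follows the BMP rule
// that each scanline is rounded up to a multiple of 4 bytes.
std::optional<size_t> checked_buffer_bytes(const BmpDims& d, int64_t max_bytes) {
    if (d.width <= 0 || d.height == 0 || max_bytes <= 0) return std::nullopt;
    if (d.bpp == 0 || d.bpp > 32) return std::nullopt;
    // Absolute value via int64 so INT32_MIN does not overflow.
    int64_t rows = d.height < 0 ? -static_cast<int64_t>(d.height)
                                : static_cast<int64_t>(d.height);
    // width <= 2^31-1 and bpp <= 32, so this product fits easily in 64 bits.
    int64_t row_bits  = static_cast<int64_t>(d.width) * d.bpp;
    int64_t row_bytes = ((row_bits + 31) / 32) * 4;   // >= 4, never zero
    // Compare by division rather than multiplying first: rows * row_bytes may
    // not be representable, but max_bytes / row_bytes always is.
    if (rows > max_bytes / row_bytes) return std::nullopt;
    return static_cast<size_t>(rows * row_bytes);
}

int main() {
    // The two factors from the sanitizer message in the report above.
    int32_t wrapped = unchecked_pixel_count(10240, 276095);
    std::printf("10240 * 276095 as int: %d\n", wrapped);
    std::printf("vector::resize on that value throws length_error: %s\n",
                resize_throws_length_error(wrapped) ? "yes" : "no");

    BmpDims hostile{10240, 276095, 8};        // constructed header values
    BmpDims sane{640, -480, 24};              // ordinary top-down 24-bit image
    const int64_t limit = int64_t{1} << 30;   // 1 GiB policy cap (assumption)
    auto a = checked_buffer_bytes(hostile, limit);
    auto b = checked_buffer_bytes(sane, limit);
    std::printf("hostile header: %s\n", a ? "accepted" : "rejected");
    std::printf("640x480x24 needs %zu bytes\n", b ? *b : size_t{0});
    return 0;
}
```

The division check is the part worth copying: once `rows <= max_bytes / row_bytes` holds, `rows * row_bytes` cannot exceed `max_bytes`, so the multiplication is safe for any cap up to INT64_MAX and the decision to reject happens before the allocator, not inside it.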
