Headline
CVE-2020-21427: FreeImage / Bugs / #298 heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp
Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginBMP.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.
- Summary
- Files
- Reviews
- Support
- Mailing Lists
- Code
- Tickets ▾
- Feature Requests
- Patches
- Bugs
- Support Requests
- News
- Discussion
- FreeImage
Menu ▾ ▴
Milestone: None
Status: pending
Labels: None
Priority: 5
Updated: 2021-04-04
Created: 2019-12-03
Private: No
There is a heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp whick may cause a code execution or denial of service.
The asan log as below:
================================================================= ==28346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4b02ca0 at pc 0x081595db bp 0xff8e4b28 sp 0xff8e4b20 WRITE of size 1 at 0xf4b02ca0 thread T0 #0 0x81595da in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22 #1 0x8153442 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:555:11 #2 0x8153442 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12 #3 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #4 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #5 0x811a7a0 in main /home/FreeImage/test.cpp:115:8 #6 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16 #7 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)
0xf4b02ca0 is located 0 bytes to the right of 544-byte region [0xf4b02a80,0xf4b02ca0) allocated by thread T0 here: #0 0x80e6675 in malloc (/home/FreeImage/TestAPI/testAPI+0x80e6675) #1 0x812aa32 in FreeImage_Aligned_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19 #2 0x812aa32 in FreeImage_AllocateBitmap(int, unsigned char*, unsigned int, FREE_IMAGE_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26 #3 0x812b600 in FreeImage_AllocateHeader /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:482:9 #4 0x8152bf1 in LoadWindowsBMP(FreeImageIO*, void*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:494:11 #5 0x8152bf1 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12 #6 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24 #7 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22 #8 0x811a7a0 in main /home/FreeImage/test.cpp:115:8 #9 0xf7290fb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22 in LoadPixelDataRLE8(FreeImageIO*, void*, int, int, FIBITMAP*) Shadow bytes around the buggy address: 0x3e960540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e960550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e960560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e960570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e960580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3e960590: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa 0x3e9605a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x3e9605b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e9605c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e9605d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3e9605e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==28346==ABORTING
1 Attachments
Discussion
Log in to post a comment.
Related news
Ubuntu Security Notice 6586-1 - It was discovered that FreeImage incorrectly handled certain memory operations. If a user were tricked into opening a crafted TIFF file, a remote attacker could use this issue to cause a heap buffer overflow, resulting in a denial of service attack. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS. It was discovered that FreeImage incorrectly processed images under certain circumstances. If a user were tricked into opening a crafted TIFF file, a remote attacker could possibly use this issue to cause a stack exhaustion condition, resulting in a denial of service attack. This issue only affected Ubuntu 16.04 LTS and Ubuntu 20.04 LTS.
Debian Linux Security Advisory 5579-1 - Multiple vulnerabilities were discovered in FreeImage, a support library for graphics image formats, which could result in the execution of arbitrary code if malformed image files are processed.