CVE-2020-21426: FreeImage / Bugs / #300 heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp
Buffer Overflow vulnerability in function C_IStream::read in PluginEXR.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via a crafted image file.
Milestone: None
Status: pending
Labels: None
Priority: 5
Updated: 2021-04-04
Created: 2019-12-04
Private: No
There is a heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp which may cause code execution or denial of service. Version of FreeImage is 3180. This vulnerability can be reproduced with the attachment image file.
ASan log as below:
==2194==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3b06d00 at pc 0x08087ebd bp 0xffe389d8 sp 0xffe385b0
WRITE of size 329845 at 0xf3b06d00 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in _ReadProc(void*, unsigned int, unsigned int, void*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x816a96f in C_IStream::read(char*, int) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:66:26
    #3 0x851cd1f in Imf_2_2::(anonymous namespace)::readPixelData(Imf_2_2::InputStreamMutex*, Imf_2_2::ScanLineInputFile::Data*, int, char*&, int&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:440:25
    #4 0x8519bd7 in Imf_2_2::(anonymous namespace)::newLineBufferTask(IlmThread_2_2::TaskGroup*, Imf_2_2::InputStreamMutex*, Imf_2_2::ScanLineInputFile::Data*, int, int, int, Imf_2_2::OptimizationMode) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1033:14
    #5 0x8519bd7 in Imf_2_2::ScanLineInputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:44
    #6 0x849dba8 in Imf_2_2::InputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #7 0x81638a2 in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:428:9
    #8 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #9 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #10 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #11 0xf71fefb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16
    #12 0x806f8f5 in _start (/home/FreeImage/test+0x806f8f5)

0xf3b06d00 is located 0 bytes to the right of 6144-byte region [0xf3b05500,0xf3b06d00)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x8510c1f in Imf_2_2::EXRAllocAligned(unsigned int, unsigned int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfSystemSpecific.h:139:12
    #2 0x8510c1f in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x8511e19 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x8496904 in Imf_2_2::InputFile::initialize() /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x8498d15 in Imf_2_2::InputFile::InputFile(Imf_2_2::IStream&, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:450:13
    #6 0x8161d1f in Load(FreeImageIO*, void*, int, int, void*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:193:18
    #7 0x814d00b in FreeImage_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #8 0x814d00b in FreeImage_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #9 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #10 0xf71fefb8 in __libc_start_main /build/glibc-jYPHgv/glibc-2.30/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e760d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e760da0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2194==ABORTING
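The report shows the bug class clearly: a 329845-byte read is issued through the stream's read callback (fread via _ReadProc and C_IStream::read) into a 6144-byte heap region, so the size requested from the file was never compared against the destination buffer. The C program below is an added illustration, not FreeImage or OpenEXR code, of the check a chunk loader needs at that boundary. The MemStream type, the little-endian length field, the two sample byte strings and the LINE_BUFFER_SIZE constant are constructed for this example; only the two sizes (329845 and 6144) are taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not FreeImage or OpenEXR code. A loader that takes a
 * chunk length from the file must compare it against the destination
 * buffer before handing it to the stream's read callback. */

#define LINE_BUFFER_SIZE 6144   /* region size taken from the ASan report */

/* Constructed in-memory stream standing in for the file handle. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} MemStream;

/* Copy up to n bytes from the stream; returns the number actually copied. */
static size_t stream_read(MemStream *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    size_t take = n < avail ? n : avail;
    memcpy(dst, s->data + s->pos, take);
    s->pos += take;
    return take;
}

/* Read a little-endian 32-bit length field; *ok is cleared on a short read. */
static uint32_t read_le32(MemStream *s, int *ok) {
    uint8_t b[4];
    if (stream_read(s, b, 4) != 4) { *ok = 0; return 0; }
    *ok = 1;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Hardened chunk loader. Return codes:
 *   0  chunk copied, *out_len holds its size
 *  -1  length field missing
 *  -2  declared length exceeds the buffer; without this check the read
 *      would be issued with the file-supplied size
 *  -3  file ends before the declared length */
int load_chunk_checked(MemStream *s, uint8_t *buf, size_t bufsize, size_t *out_len) {
    int ok;
    uint32_t declared = read_le32(s, &ok);
    if (!ok) return -1;
    if ((size_t)declared > bufsize) return -2;
    if (stream_read(s, buf, declared) != (size_t)declared) return -3;
    *out_len = declared;
    return 0;
}

/* Constructed sample: length field 0x00050875 = 329845 (the WRITE size in
 * the report) followed by only four payload bytes. */
static const uint8_t OVERSIZED_CHUNK[] = { 0x75, 0x08, 0x05, 0x00, 'A', 'B', 'C', 'D' };

/* Constructed sample: length field 4 and exactly four payload bytes. */
static const uint8_t VALID_CHUNK[] = { 0x04, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D' };

/* Returns the loader's status for the oversized sample (expected -2). */
int demo_oversized(void) {
    MemStream s = { OVERSIZED_CHUNK, sizeof OVERSIZED_CHUNK, 0 };
    uint8_t buf[LINE_BUFFER_SIZE];
    size_t n = 0;
    return load_chunk_checked(&s, buf, sizeof buf, &n);
}

/* Returns the number of payload bytes loaded for the valid sample, or a
 * negative status on failure (expected 4). */
int demo_valid_len(void) {
    MemStream s = { VALID_CHUNK, sizeof VALID_CHUNK, 0 };
    uint8_t buf[LINE_BUFFER_SIZE];
    size_t n = 0;
    int rc = load_chunk_checked(&s, buf, sizeof buf, &n);
    return rc == 0 ? (int)n : rc;
}

int main(void) {
    printf("oversized chunk -> status %d\n", demo_oversized());
    printf("valid chunk     -> %d bytes\n", demo_valid_len());
    return 0;
}
```

The check is placed before the read rather than after because the read itself is the overflowing write: once the file-supplied size reaches fread, the destination has already been overrun. Building with -fsanitize=address, as the reporter did, is the practical way to confirm that a loader of this shape never issues a read larger than its buffer.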
1 Attachments