Message-ID: <trinity-ddfb0472-ffff-435b-9f9b-606ca08a9c4a-1440732755137@3capp-mailcom-lxa06>
Date: Fri, 28 Aug 2015 05:32:36 +0200
From: "pcheng pcheng" <pcheng@....com>
To: oss-security@...ts.openwall.com
Cc: carnil@...ian.org, ghedo@...ian.org
Subject: CVE-2015-0852 [FreeImage] Integer overflow in PluginPCX.cpp

The following bug was reported to upstream and Debian security team. CVE-2015-0852 was assigned by Debian security team.

Name : FreeImage
Affected Version: <= 3.17.0
URL : http://freeimage.sourceforge.net/

Description :
An integer overflow issue in the FreeImage project was reported and fixed recently.
Upstream fix: Revision 1.18 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=log&pathrev=MAIN

Details:

The PluginPCX.cpp file (version 3.17.0) has:

371 unsigned width = header.window[2] - header.window[0] + 1;
372 unsigned height = header.window[3] - header.window[1] + 1;
373 unsigned bitcount = header.bpp * header.planes;

However, it's possible that header.window[2] < header.window[0], and also header.window[3] < header.window[1]. In these two cases, width and height can overflow. And this can lead to further issues in the rest of the code. Take the following lines for example:

568 for (x = 0; x < width; x++) {
569 bits[x * 3 + FI_RGBA_RED] = pline[x];
570 }

The write operation on buffer bits can help an attacker to corrupt the heap.
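The inverted-window case described in this report, as an added C example that is not FreeImage's own code: the unchecked width computation beside a checked variant that rejects a window whose Xmax/Ymax lies below Xmin/Ymin before any size is derived. The header struct, the 16-bit window fields and the set of accepted bit depths are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed subset of the PCX header; the format stores the image window
   as four 16-bit values: Xmin, Ymin, Xmax, Ymax. */
typedef struct {
    uint8_t  bpp;        /* bits per pixel per plane */
    uint16_t window[4];  /* Xmin, Ymin, Xmax, Ymax */
    uint8_t  planes;     /* number of colour planes */
} pcx_header_t;

/* Unchecked computation as quoted in the advisory: the uint16_t operands
   promote to int, and a negative result wraps to a huge unsigned value. */
unsigned vulnerable_width(const pcx_header_t *h) {
    return h->window[2] - h->window[0] + 1;
}

/* Hardened variant: validate the window before deriving any size that
   later drives allocation or buffer indexing. Returns false on reject. */
bool checked_dimensions(const pcx_header_t *h,
                        unsigned *width, unsigned *height, unsigned *bitcount) {
    if (h->window[2] < h->window[0] || h->window[3] < h->window[1])
        return false;  /* inverted window: width/height would underflow */
    *width    = (unsigned)h->window[2] - h->window[0] + 1;  /* at most 65536 */
    *height   = (unsigned)h->window[3] - h->window[1] + 1;
    *bitcount = (unsigned)h->bpp * h->planes;
    /* Accept only the depths the decoder is written for (assumed set). */
    return *bitcount == 1 || *bitcount == 4 || *bitcount == 8 || *bitcount == 24;
}
/* Constructed samples: an inverted window, and a normal 640x480 24-bit one. */
static const pcx_header_t inverted = { 8, { 10, 10, 0, 0 }, 1 };
static const pcx_header_t normal   = { 8, { 0, 0, 639, 479 }, 3 };
unsigned demo_inverted_width(void) { return vulnerable_width(&inverted); }
bool demo_inverted_rejected(void) {
    unsigned w, h, b;
    return !checked_dimensions(&inverted, &w, &h, &b);
}
bool demo_normal_ok(void) {
    unsigned w, h, b;
    return checked_dimensions(&normal, &w, &h, &b) && w == 640 && h == 480 && b == 24;
}

int main(void) {
    printf("unchecked width for inverted window: %u\n", demo_inverted_width());
    printf("inverted window rejected: %d, normal header accepted: %d\n",
           demo_inverted_rejected(), demo_normal_ok());
    return 0;
}
```

For the constructed inverted header the unchecked width is 4294967287 (0xFFFFFFF7), which is the value that would later drive the `bits[x * 3 + ...]` writes; the checked variant refuses the header instead.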
