Bug 1892577 - CImg: Multiple integer overflows leading to heap-based buffer-overflows
Summary: CImg: Multiple integer overflows leading to heap-based buffer-overflows
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-10-29 08:51 UTC by Kai Dietrich
Modified: 2020-11-03 19:51 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-11-03 19:51:20 UTC
Embargoed:



Description Kai Dietrich 2020-10-29 08:51:40 UTC
The CImg.h image library uses an unsafe pattern that is prone to integer overflows to calculate the required heap buffer allocation size. The resulting small heap buffers can be trivially overwritten by a malformed image input. This has been demonstrated at least with the load_pnm() image parsing function.

The gmic tool uses CImg and directly exposes the image open functions to the user and is affected by this bug.

This bug is public, confirmed by upstream and fixed in:
https://github.com/dtschump/CImg/pull/295

Tracked by Ubuntu in:
https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
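
The class of bug described above, as an added example that is not part of the original report and is neither CImg's code nor the fix in the linked pull request: an allocation size computed as a product of header-supplied dimensions, next to a checked form that rejects any product that does not fit. The function names, the four-dimension layout and the 32-bit arithmetic are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unsafe pattern (illustrative): dimensions read from an image header are
   multiplied in 32-bit arithmetic. The product wraps silently, so the caller
   allocates far less than the pixel loop will later write. */
static uint32_t unchecked_size(uint32_t w, uint32_t h, uint32_t d, uint32_t c) {
    return w * h * d * c;
}

/* Multiply a by b, reporting failure instead of wrapping. */
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Checked form: accumulate the product one factor at a time, including the
   element size, and refuse the image if any step would overflow size_t. */
static bool checked_size(size_t w, size_t h, size_t d, size_t c,
                         size_t elem, size_t *out) {
    const size_t factors[5] = { w, h, d, c, elem };
    size_t n = 1;
    for (int i = 0; i < 5; i++)
        if (!checked_mul(n, factors[i], &n))
            return false;
    *out = n;
    return true;
}

int main(void) {
    size_t n = 0;
    /* Constructed header values: 65536 x 65537 pixels, 1 slice, 1 channel. */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(65536u, 65537u, 1u, 1u));
    /* Constructed oversized request: must be rejected, not wrapped. */
    printf("checked oversized: %s\n",
           checked_size(SIZE_MAX / 2 + 1, 2, 1, 1, 1, &n) ? "accepted" : "rejected");
    if (checked_size(640, 480, 1, 3, 1, &n))
        printf("checked 640x480x1x3: %zu bytes\n", n);
    return 0;
}
```

A parser using the checked form should treat a `false` return as a malformed file and stop before allocating or reading pixel data.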

Comment 1 Kai Dietrich 2020-10-29 08:52:19 UTC
please assign CVE

Comment 2 Todd Cullum 2020-11-03 19:51:20 UTC
(In reply to Kai Dietrich from comment #1)
> please assign CVE

Thanks for reporting this. Please use CVE-2020-25693.

