The CImg.h image library uses an unsafe pattern that is prone to integer overflows to calculate the required heap buffer allocation size. The resulting small heap buffers can be trivially overwritten by a malformed image input. This has been demonstrated at least with the load_pnm() image parsing function. References: https://github.com/dtschump/CImg/pull/295 https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
Acknowledgments: Name: Kai Dietrich
Created CImg tracking bugs for this issue: Affects: fedora-all [bug 1893378]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Upstream commit: https://github.com/dtschump/CImg/pull/295/commits/4f184f89f9ab6785a6c90fd238dbaa6d901d3505
Flaw summary: In CImg.h, the pattern `(size_t)size_x*size_y*size_z*size_c` is used in multiple locations but it was discovered that it can wrap (called "overflow" in the commit) the resulting `size_t` value. The patch introduces a function called `_safe_size()` which performs the calculations whilst preventing unsigned integer wrap in the result. Because the above calculations are used in allocation of heap memory, the flaw can lead to arbitrary heap memory write in subsequent code when specially crafted input is provided to CImg. It is more likely to occur on platforms where the `size_t` type is 32-bit.