Bug 2313704 (CVE-2024-9029) - CVE-2024-9029 freeimage: Heap buffer overflow in tiff_read_iptc_profile
Summary: CVE-2024-9029 freeimage: Heap buffer overflow in tiff_read_iptc_profile
Keywords:
Status: NEW
Alias: CVE-2024-9029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2313705 2313706 2313707
Blocks:
Reported: 2024-09-20 04:47 UTC by OSIDB Bzimport
Modified: 2024-09-27 12:41 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-09-20 04:47:27 UTC
While fuzzing with AFL++ & Sydr, I found a heap buffer overflow in read_iptc_profile:

==376632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x000000730e1d bp 0x7fffffffda90 sp 0x7fffffffda88
READ of size 1 at 0x602000000091 thread T0
[Detaching after fork from child process 376675]
    #0 0x730e1c in read_iptc_profile /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74:7
    #1 0x654cae in tiff_read_iptc_profile(tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:790:10
    #2 0x654cae in ReadMetadata(FreeImageIO*, void*, tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:871:2
    #3 0x64e5a2 in Load(FreeImageIO*, void*, int, int, void*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:2320:3
    #4 0x508deb in FreeImage_LoadFromHandle /freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:386:24
    #5 0x4ff0bb in FreeImage_LoadFromMemory /freeimage-svn/FreeImage/trunk/Source/FreeImage/MemoryIO.cpp:88:10
    #6 0x4e0505 in LLVMFuzzerTestOneInput /load_from_memory_tiff_fuzzer.cc:35:26
    #7 0x4e00c4 in main /afl.cc:36:9
    #8 0x7ffff7a730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x425fbd in _start (/load_from_memory_tiff_afl+0x425fbd)

    In File /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74

    71         // find start of the BIM portion of the binary data
    72         size_t offset = 0;
    73         while(offset < length - 1) {
--->74             if((profile[offset] == 0x1C) && (profile[offset+1] == 0x02))
    75                 break;
    76             offset++;
    77         }
    78
    79         // for each tag
    80         while (offset < length) {
    81
    82             // identifies start of a tag
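As an added illustration (not FreeImage's code and not the project's fix), the C program below places the marker-scan loop quoted above next to a bounds-safe form of the same scan. It assumes `length` is an unsigned type, as the `size_t offset` in the excerpt suggests, so that `length - 1` wraps to SIZE_MAX when `length` is 0; the hardened `find_bim_marker` never forms that expression and never reads `profile[offset+1]` past the end. The sample profile bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bound used by the original loop (IPTC.cpp:73), assuming unsigned length.
 * For length == 0 the subtraction wraps to SIZE_MAX, so `offset < length - 1`
 * is true and the loop reads profile[0] and profile[1] out of bounds. */
size_t unsafe_scan_bound(size_t length) {
    return length - 1;  /* wraps to SIZE_MAX when length == 0 */
}

/* Hardened scan: locate the first 0x1C 0x02 IPTC tag marker.
 * Returns the marker offset, or -1 if the profile holds no marker.
 * Two bytes are compared per step, so the loop condition keeps
 * offset + 1 inside the buffer and the length is checked up front. */
long find_bim_marker(const uint8_t *profile, size_t length) {
    if (profile == NULL || length < 2) {
        return -1;  /* 0- or 1-byte profiles cannot contain a marker */
    }
    for (size_t offset = 0; offset + 1 < length; offset++) {
        if (profile[offset] == 0x1C && profile[offset + 1] == 0x02) {
            return (long)offset;
        }
    }
    return -1;
}

/* Constructed sample: three junk bytes, then marker 0x1C 0x02, dataset 0x05
 * (object name) with a 2-byte big-endian length of 2 and the payload "OK". */
const uint8_t sample_profile[] = {
    0x00, 0x41, 0x42, 0x1C, 0x02, 0x05, 0x00, 0x02, 'O', 'K'
};
const size_t sample_profile_len = sizeof sample_profile;

int main(void) {
    printf("marker at offset %ld\n",
           find_bim_marker(sample_profile, sample_profile_len));
    printf("empty profile -> %ld\n", find_bim_marker(sample_profile, 0));
    printf("unsafe bound for length 0 = %zu (SIZE_MAX = %zu)\n",
           unsafe_scan_bound(0), (size_t)SIZE_MAX);
    return 0;
}
```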