Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap Buffer Overflow in Onyx2D - stbi_jpeg_load_from_memory #438

Open
francobel opened this issue Jul 4, 2024 · 1 comment
Open

Heap Buffer Overflow in Onyx2D - stbi_jpeg_load_from_memory #438

francobel opened this issue Jul 4, 2024 · 1 comment
Labels
bug Something isn't working security

Comments

@francobel
Copy link

The vulnerable function stbi_jpeg_load_from_memory in file O2ImageDecoder_JPEG_libjpeg.m is used to decompress jpegs and create a raw bitmap version of the image.

In stbi_jpeg_load_from_memory, the values for cinfo.image_width and cinfo.image_height are retrieved directly from a jpeg file's header.

cinfo.image_width and cinfo.image_height can be manipulated by editing the header of the jpeg file being processed. They are two bytes each in the image's header so their values can range from 0x0000 to 0xFFFF. These variables are multiplied by wantedPixelSize which has a value of 4.

When these three values are multiplied together they can exceed the limit of a 32-bit unsigned integer, leading to an integer overflow vulnerability. This product is used to set the size of the outputImage buffer, which will store the decompressed jpeg. When the sizing arguments overflow, the buffer becomes too small to store the decompressed data.

The program writes the decompressed image to the buffer using the jpeg_read_scanlines function. If an integer overflow occurs, the function ends up writing to out-of-bounds memory due to the buffer's small size. This causes data in memory adjacent to the buffer to be overwritten.

An attacker is in control of the image's height, width, and contents. This allows an attacker to craft an exploit to overwrite data in memory with data they control.

@mszoek
Copy link
Collaborator

mszoek commented Aug 12, 2024

Thanks for the report! Is there a recommended fix for this, or should I just add a check for the buffer size before decompressing?

@mszoek mszoek added bug Something isn't working security labels Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working security
Projects
None yet
Development

No branches or pull requests

2 participants