The stbi__getn function reads a specified number of bytes from the context (typically a file) into the specified buffer. If the file stream is already at the end, it returns zero. There are two places where its return value is not checked:

- stbi__hdr_load
- stbi__tga_load

The first case is harder to exploit because the uninitialized memory is mixed into different arithmetic operations.

However, the second case in stbi__tga_load gives much more powerful capabilities, because the attacker controls the size of the uninitialized buffer ([1] and [2]) and the uninitialized memory is loaded into the image without any transformation:
```c
...
tga_data = (unsigned char*)stbi__malloc_mad3(tga_width, tga_height, tga_comp, 0); // [1]
if (!tga_data) return stbi__errpuc("outofmem", "Out of memory");

// skip to the data's starting position (offset usually = 0)
stbi__skip(s, tga_offset );

if ( !tga_indexed && !tga_is_RLE && !tga_rgb16 ) {
   for (i=0; i < tga_height; ++i) {
      int row = tga_inverted ? tga_height -i - 1 : i;
      stbi_uc *tga_row = tga_data + row*tga_width*tga_comp;
      stbi__getn(s, tga_row, tga_width * tga_comp); // [2]
   }
...
```
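As an added illustration, not code from the stb_image project or from the reporter, the following models the stbi__getn contract over an in-memory buffer and puts the unchecked row loop from [2] next to a variant that fails the decode on a short read. The names ctx, getn, load_rows_unchecked and load_rows_checked and the 6-byte truncated input are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for the stb_image read context (constructed: an in-memory buffer, not a FILE*). */
typedef struct { const unsigned char *cur, *end; } ctx;

/* Same contract as stbi__getn: copy n bytes and return 1, or return 0 when fewer
 * than n bytes remain (the end-of-stream case the issue describes). */
static int getn(ctx *s, unsigned char *buf, int n) {
    if (s->end - s->cur < n) return 0;
    memcpy(buf, s->cur, n);
    s->cur += n;
    return 1;
}

/* Unchecked, like the TGA row loop at [2]: rows past a short read keep whatever the
 * malloc'd chunk held before, and that stale memory becomes image pixels. */
static unsigned char *load_rows_unchecked(ctx *s, int w, int h, int comp) {
    unsigned char *img = malloc((size_t)w * h * comp);
    if (!img) return NULL;
    for (int i = 0; i < h; ++i)
        getn(s, img + (size_t)i * w * comp, w * comp);  /* return value dropped */
    return img;
}

/* Checked: a short read means a truncated or corrupt file, so free the buffer and
 * fail the decode instead of handing stale heap bytes back to the caller. */
static unsigned char *load_rows_checked(ctx *s, int w, int h, int comp) {
    unsigned char *img = malloc((size_t)w * h * comp);
    if (!img) return NULL;
    for (int i = 0; i < h; ++i)
        if (!getn(s, img + (size_t)i * w * comp, w * comp)) { free(img); return NULL; }
    return img;
}

/* Constructed input: a 2x2 RGB image needs 12 bytes, but only row 0 (6 bytes) is present. */
static const unsigned char truncated[6] = {1, 2, 3, 4, 5, 6};
/* 1 if the unchecked loader returns an image for the truncated input. Only row 0 is
 * compared: row 1 was never written, so reading it would be undefined behaviour. */
static int unchecked_accepts_truncated(void) {
    ctx s = { truncated, truncated + sizeof truncated };
    unsigned char *img = load_rows_unchecked(&s, 2, 2, 3);
    int ok = img != NULL && memcmp(img, truncated, sizeof truncated) == 0;
    free(img);
    return ok;
}
/* 1 if the checked loader rejects the same truncated input. */
static int checked_rejects_truncated(void) {
    ctx s = { truncated, truncated + sizeof truncated };
    return load_rows_checked(&s, 2, 2, 3) == NULL;
}
```

With a real file the rows past the truncation point would contain whatever the allocator last stored in that chunk, which is exactly the information disclosure the report describes.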
Impact
Information disclosure.
Resources
To reproduce the issue in stbi__hdr_load: stbi__hdr_convert and run the program. The second hit is before the usage of the uninitialized memory.