Warmcat Libwebsockets Out-of-Bounds Write Vulnerability in UPNG Component

Vulnerability

An out-of-bounds write vulnerability has been identified in the Warmcat libwebsockets library, specifically in version 4.4 of the UPNG component. It is reachable when the library is compiled with the LWS_WITH_UPNG flag enabled and the HTML display stack is used. A crafted PNG file containing a large width value triggers an integer overflow, which allows a write past the bounds of a heap-allocated buffer. The result may be a crash or other undesirable effects, such as memory corruption.

Impact

Exploitation of this vulnerability can cause a heap-based buffer overflow, potentially leading to memory corruption, a crash, or other unspecified impacts.

Reproduction

The vulnerability can be reproduced by visiting a website that hosts a specially crafted PNG file with an exaggerated width value. The width is chosen to cause an integer overflow in the way libwebsockets sizes the memory it allocates for PNG processing. When the modified PNG is processed, the library incorrectly calculates the required buffer size, leading to an out-of-bounds write. This can be verified using tools like AddressSanitizer, which will report the memory corruption caused by the overflow.

Remediation

Users are advised to update to the patched version of libwebsockets, which includes a sanity check to prevent the integer overflow by ensuring that the width value does not exceed a certain limit before memory allocation.
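
An added illustration, not code from libwebsockets or its patch: how a 32-bit buffer-size calculation driven by a PNG width wraps to a small value, next to the kind of pre-allocation check the remediation describes. The function names, the 4 bytes per pixel, the constructed IHDR bytes and the MAX_PNG_WIDTH limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this example; the page does not state the real one. */
#define MAX_PNG_WIDTH 16384u

/* Constructed IHDR chunk start: length, "IHDR", then width 0x40000001. */
static const uint8_t sample_ihdr[] = {
    0x00, 0x00, 0x00, 0x0d, 'I', 'H', 'D', 'R',
    0x40, 0x00, 0x00, 0x01, /* width, big-endian */
    0x00, 0x00, 0x00, 0x01  /* height = 1 */
};

/* PNG stores IHDR width as a big-endian 32-bit value after the chunk type. */
static uint32_t ihdr_width(const uint8_t *chunk)
{
    return ((uint32_t)chunk[8] << 24) | ((uint32_t)chunk[9] << 16) |
           ((uint32_t)chunk[10] << 8) | (uint32_t)chunk[11];
}

/* Weak pattern: the 32-bit product wraps, so the result can be tiny. */
static uint32_t row_bytes_unchecked(uint32_t width, uint32_t bpp)
{
    return width * bpp; /* modulo 2^32 */
}

/* Hardened pattern: bound the width and prove the product fits first. */
static int row_bytes_checked(uint32_t width, uint32_t bpp, size_t *out)
{
    if (!width || !bpp || width > MAX_PNG_WIDTH)
        return -1; /* reject before any allocation */
    if (width > SIZE_MAX / bpp)
        return -1;
    *out = (size_t)width * bpp;
    return 0;
}

int main(void)
{
    uint32_t w = ihdr_width(sample_ihdr);
    size_t n = 0;

    printf("width=%u unchecked=%u checked=%d\n", (unsigned)w,
           (unsigned)row_bytes_unchecked(w, 4), row_bytes_checked(w, 4, &n));
    return 0;
}
```

With the constructed header, the unchecked calculation yields a 4-byte row for a width of over a billion pixels, which is the mismatch between allocation size and later writes that AddressSanitizer flags.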

Added: Oct 20, 2025, 2:17 PM
Updated: Oct 20, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.