SAIL Image Decoding Library Memory Corruption Vulnerability in BMPv3 Handling Allowing Remote Code Execution
Vulnerability
A memory corruption vulnerability has been identified in the SAIL Image Decoding Library version 0.9.8, specifically within the BMPv3 image decoding functionality. The vulnerability arises from an integer overflow in the buffer-size calculation when the library processes a specially crafted BMP file: the undersized allocation that results leads to a heap-based buffer overflow during image decoding, creating the potential for remote code execution. To exploit this vulnerability, an attacker must persuade a user or an application that links the library to decode the malicious BMP file, for example by delivering it as an attachment, an upload, or a web image.
Impact
Exploitation of this vulnerability causes a heap-based buffer overflow, a type of memory corruption that can lead to arbitrary code execution in the context of the process that decodes the image.
Reproduction
The vulnerability can be reproduced by using the SAIL Image Decoding Library to decode a BMP file that has been crafted to trigger the integer overflow. This can be done by setting the 'biWidth' field to 65535, the 'biHeight' field to 131072, and the 'biBitCount' field to 4. The padded row stride of a 4-bit image 65535 pixels wide is 32768 bytes, and 32768 multiplied by 131072 is exactly 2^32, so the computed buffer size wraps to zero in 32-bit arithmetic and the library allocates no buffer space for decoding the image. When the library then attempts to read the image data, it writes outside the bounds of the (empty) allocation; with uncontrolled data this manifests as a segmentation fault, while attacker-controlled pixel data can turn the memory corruption into arbitrary code execution.
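The arithmetic behind the trigger values, as an added example that is not code from SAIL or from the advisory: a minimal BITMAPINFOHEADER parser (field names follow the Windows header, not SAIL's internal structures), a size calculation written the vulnerable way in 32-bit arithmetic beside a hardened one that computes in 64-bit and rejects wrapping or oversized results, and a constructed 40-byte header carrying the advisory's 65535 x 131072 x 4-bit values. All function names here are hypothetical illustrations.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the BMPv3 info header fields that matter here
 * (names from the Windows BITMAPINFOHEADER, not SAIL's own types). */
typedef struct {
    int32_t  biWidth;
    int32_t  biHeight;   /* negative means top-down, still legal */
    uint16_t biBitCount;
} bmp_info_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Parse the three fields out of a little-endian 40-byte BITMAPINFOHEADER.
 * Offsets: biSize@0, biWidth@4, biHeight@8, biPlanes@12, biBitCount@14. */
int parse_info_header(const uint8_t *buf, size_t len, bmp_info_t *h)
{
    if (len < 40 || rd32(buf) != 40)      /* biSize must be 40 for BMPv3 */
        return 0;
    h->biWidth    = (int32_t)rd32(buf + 4);
    h->biHeight   = (int32_t)rd32(buf + 8);
    h->biBitCount = rd16(buf + 14);
    return 1;
}

/* Row stride in bytes; BMP rows are padded to a 4-byte boundary.
 * Done in 64-bit so the stride itself can never wrap. */
static uint64_t bmp_row_stride(uint64_t width, uint64_t bpp)
{
    return ((width * bpp + 31) / 32) * 4;
}

/* Vulnerable pattern: stride * height in 32-bit arithmetic. For the
 * advisory's values the stride is 32768 and 32768 * 131072 == 2^32,
 * which silently wraps to 0, so malloc(0) is requested for the pixels. */
uint32_t vuln_buffer_size(const bmp_info_t *h)
{
    uint32_t stride = (uint32_t)bmp_row_stride((uint32_t)h->biWidth, h->biBitCount);
    uint32_t height = (uint32_t)h->biHeight;
    return stride * height;
}

/* Hardened pattern: validate fields, compute in 64-bit, reject anything that
 * would wrap, is zero, or exceeds a caller-chosen ceiling. Returns 1 and sets
 * *out on success; returns 0 with *out == 0 on rejection. */
int safe_buffer_size(const bmp_info_t *h, size_t max_bytes, size_t *out)
{
    *out = 0;
    if (h->biWidth <= 0 || h->biHeight == 0)
        return 0;
    switch (h->biBitCount) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return 0;
    }
    uint64_t width  = (uint64_t)h->biWidth;
    uint64_t height = (uint64_t)(h->biHeight < 0 ? -(int64_t)h->biHeight : (int64_t)h->biHeight);
    uint64_t stride = bmp_row_stride(width, h->biBitCount);
    if (stride == 0 || height > UINT64_MAX / stride)   /* product would wrap */
        return 0;
    uint64_t total = stride * height;
    if (total == 0 || total > max_bytes)
        return 0;
    *out = (size_t)total;
    return 1;
}

/* Constructed header bytes (not taken from any real sample) carrying the
 * advisory's trigger values; trailing fields are left zero. */
static const uint8_t crafted_header[40] = {
    0x28, 0x00, 0x00, 0x00,   /* biSize     = 40      */
    0xFF, 0xFF, 0x00, 0x00,   /* biWidth    = 65535   */
    0x00, 0x00, 0x02, 0x00,   /* biHeight   = 131072  */
    0x01, 0x00,               /* biPlanes   = 1       */
    0x04, 0x00,               /* biBitCount = 4       */
};

int main(void)
{
    bmp_info_t h;
    size_t n;
    if (!parse_info_header(crafted_header, sizeof crafted_header, &h))
        return 1;
    printf("vulnerable 32-bit size: %u bytes\n", vuln_buffer_size(&h));
    printf("hardened check accepts header: %d\n", safe_buffer_size(&h, (size_t)256 << 20, &n));
    return 0;
}
```

The hardened check is deliberately stricter than "did it wrap": a decoder that accepts a 4 GiB pixel buffer on a 32-bit target has merely moved the problem, so the caller passes a ceiling that matches what the application is willing to allocate for one image.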
Remediation
Users are advised to update to the patched version of the SAIL Image Decoding Library; the latest release can be downloaded from the SAIL Image Decoding Library website. Until the update is applied, BMP input from untrusted sources should not be passed to the library.
