SAIL Image Decoding Library Memory Corruption Vulnerability in BMPv3 Palette Decoding
Vulnerability
A memory corruption vulnerability has been identified in the SAIL Image Decoding Library version 0.9.8, in the BMPv3 palette decoding code. When the library parses a specially crafted BMP file, the palette size is computed with 32-bit arithmetic that can overflow. The wrapped result is used to allocate a buffer that is too small for the number of palette entries the header declares, so reading the palette from the file overflows the heap allocation. The resulting memory corruption can be leveraged for remote code execution. To trigger the issue, an attacker must get a user or an application that links against the library to open a malicious BMP file, for example via an upload, an e-mail attachment, or a web page that is processed by a SAIL-based service.
Impact
Exploitation corrupts heap memory in the process that decodes the image. Depending on the allocator state this results in a crash (denial of service) or, with a carefully laid out heap, arbitrary code execution with the privileges of that process. Because image decoding is frequently performed on untrusted input with no user interaction beyond opening or previewing a file, the attack surface includes any server-side or client-side component that decodes BMP data with the affected library.
Reproduction
The vulnerability is reproduced by decoding, with the affected library, a BMP file whose BMPv3 header has been crafted to trigger the integer overflow. The relevant field is 'biClrUsed' in the BITMAPINFOHEADER, which states how many palette entries follow the header. Each BMPv3 palette entry is 4 bytes (an RGBQUAD), so the decoder multiplies 'biClrUsed' by 4 to size the palette buffer. If 'biClrUsed' is set so that this product exceeds the maximum value of a 32-bit unsigned integer (for example 0x40000001, whose product with 4 is 0x100000004 and wraps to 4), the computed size wraps to a small number, an undersized buffer is allocated, and the subsequent loop that copies 'biClrUsed' entries out of the file writes past the end of it. Note that a BMP image of a given bit depth can legitimately use at most 2^biBitCount palette entries, so any value above that (at most 256 for 8 bpp) is itself a sign of a malformed file. This advisory does not include a proof-of-concept file.
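The following is an added illustration of the arithmetic described above, written for this advisory; it is not SAIL's source code, and the function names, the header-building helper and the in-memory sample file are assumptions made for the demonstration. It contrasts the unchecked 32-bit size computation with a hardened version that caps 'biClrUsed' by the bit depth and verifies that the declared palette actually fits in the file before copying it. The program runs stand-alone and never performs the out-of-bounds write; it only shows the mismatch between the bytes allocated and the bytes the reader loop would write.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the integer-overflow pattern the advisory
 * describes. This is NOT SAIL's source code: the function names, helpers and
 * sample bytes below are assumptions for demonstration only. */

#define BMP_V3_HEADER_SIZE 40u  /* sizeof(BITMAPINFOHEADER) */
#define PALETTE_ENTRY_SIZE 4u   /* BMPv3 palette entries are RGBQUAD (B,G,R,reserved) */
#define BI_BITCOUNT_OFFSET 14u  /* WORD  biBitCount */
#define BI_CLRUSED_OFFSET  32u  /* DWORD biClrUsed */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: the allocation size is computed in 32-bit arithmetic,
 * so biClrUsed = 0x40000001 yields 0x100000004 mod 2^32 = 4 bytes. */
uint32_t palette_bytes_unchecked(uint32_t clr_used) {
    return clr_used * PALETTE_ENTRY_SIZE;
}

/* Bytes a reader loop that trusts biClrUsed would actually write. */
uint64_t palette_bytes_written(uint32_t clr_used) {
    return (uint64_t)clr_used * PALETTE_ENTRY_SIZE;
}

/* Hardened: cap biClrUsed by the bit depth before sizing anything. A 1/4/8 bpp
 * BMPv3 image has at most 2^bpp palette entries; 0 means "all of them".
 * Returns 0 and the byte count on success, -1 when the header is rejected. */
int palette_bytes_checked(uint16_t bit_count, uint32_t clr_used, size_t *out_bytes) {
    if (bit_count != 1 && bit_count != 4 && bit_count != 8) return -1;
    uint32_t max_entries = 1u << bit_count;
    if (clr_used == 0) clr_used = max_entries;
    if (clr_used > max_entries) return -1;                    /* also rules out the wrap */
    if (clr_used > SIZE_MAX / PALETTE_ENTRY_SIZE) return -1;  /* explicit overflow guard */
    *out_bytes = (size_t)clr_used * PALETTE_ENTRY_SIZE;
    return 0;
}

/* Build a BITMAPINFOHEADER followed by a palette in memory (constructed input). */
size_t build_bmp_info(uint8_t *out, size_t cap, uint16_t bit_count, uint32_t clr_used,
                      const uint8_t *palette, size_t palette_len) {
    if (cap < BMP_V3_HEADER_SIZE + palette_len) return 0;
    memset(out, 0, BMP_V3_HEADER_SIZE);
    put32(out, BMP_V3_HEADER_SIZE);                 /* biSize */
    out[12] = 1;                                    /* biPlanes */
    out[BI_BITCOUNT_OFFSET] = (uint8_t)bit_count;
    out[BI_BITCOUNT_OFFSET + 1] = (uint8_t)(bit_count >> 8);
    put32(out + BI_CLRUSED_OFFSET, clr_used);
    memcpy(out + BMP_V3_HEADER_SIZE, palette, palette_len);
    return BMP_V3_HEADER_SIZE + palette_len;
}

/* Parse the header and copy the palette, validating the size against both the
 * bit depth and the bytes actually present in the file. */
int read_palette_safe(const uint8_t *buf, size_t len, uint8_t **palette_out, size_t *palette_len) {
    if (len < BMP_V3_HEADER_SIZE || le32(buf) != BMP_V3_HEADER_SIZE) return -1;
    size_t need;
    if (palette_bytes_checked(le16(buf + BI_BITCOUNT_OFFSET), le32(buf + BI_CLRUSED_OFFSET), &need) != 0)
        return -1;
    if (need > len - BMP_V3_HEADER_SIZE) return -1;  /* declared palette longer than the file */
    uint8_t *pal = malloc(need);
    if (!pal) return -1;
    memcpy(pal, buf + BMP_V3_HEADER_SIZE, need);
    *palette_out = pal;
    *palette_len = need;
    return 0;
}

/* End-to-end check: build an in-memory file with the given header fields and a
 * 64-byte palette, run the safe reader, return bytes accepted or -1 if rejected. */
long try_header(uint16_t bit_count, uint32_t clr_used) {
    uint8_t pal[64];
    for (int i = 0; i < 64; i++) pal[i] = (uint8_t)i;
    uint8_t file[BMP_V3_HEADER_SIZE + sizeof pal];
    size_t n = build_bmp_info(file, sizeof file, bit_count, clr_used, pal, sizeof pal);
    uint8_t *out = NULL; size_t out_len = 0;
    if (read_palette_safe(file, n, &out, &out_len) != 0) return -1;
    int ok = memcmp(out, pal, out_len) == 0;
    free(out);
    return ok ? (long)out_len : -1;
}

int main(void) {
    uint32_t crafted = 0x40000001u;
    printf("biClrUsed=0x%08x: unchecked size %u bytes, loop writes %llu bytes\n", crafted,
           palette_bytes_unchecked(crafted), (unsigned long long)palette_bytes_written(crafted));
    printf("benign 4 bpp, 16 entries: %ld bytes accepted\n", try_header(4, 16));
    printf("crafted 8 bpp header: %ld (rejected)\n", try_header(8, crafted));
    return 0;
}
```

The important design point is the order of checks in `palette_bytes_checked`: the count is bounded by the bit depth first, which makes the multiplication safe by construction, and the reader then compares the result with the remaining file length before any allocation or copy. A check that only guards the multiplication (the `SIZE_MAX` line) is necessary but not sufficient, because a non-wrapping but oversized count would still allocate more than the file contains and a sloppy reader could read uninitialised heap memory.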
Remediation
Users are advised to update to the patched version of the SAIL Image Decoding Library; the latest release can be obtained from the official SAIL website. Until the update is deployed, treat BMP files from untrusted sources as hostile: do not decode them in privileged or long-lived processes, and where possible run the decoder in a sandboxed or isolated worker so that a heap corruption cannot be turned into code execution in the main application. Maintainers of downstream packages that bundle or statically link SAIL 0.9.8 should rebuild against the fixed version.
