SAIL Image Decoding Library BMPv3 RLE Decoding Heap-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A memory corruption vulnerability has been identified in the SAIL Image Decoding Library version 0.9.8, specifically within the BMPv3 RLE decoding functionality. The vulnerability arises from an integer overflow that leads to a heap-based buffer overflow, allowing remote code execution. The issue is triggered when the library decompresses image data from a specially crafted .bmp file. To exploit this vulnerability, an attacker must get the library to read a file containing the maliciously crafted image data.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and remote code execution in the context of the process that loaded the library.

Reproduction

The vulnerability can be reproduced by using the SAIL Image Decoding Library to decode a crafted BMP file that exploits the RLE compression feature. The crafted file must be designed to trigger the buffer overflow by manipulating the image headers and compression data, particularly by using RLE4 or RLE8 compression with specific bit counts and run-length encoding markers. This can be done using a Python script that creates a BMP file with the necessary characteristics, such as a width and height of 1 pixel, 8 bits per pixel, and RLE-encoded data whose run lengths exceed the allocated pixel buffer.
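The defensive counterpart to the condition described above is a decoder that checks both the allocation arithmetic and every RLE write before it happens. The following is an added example written for this page, not SAIL's own code: it assumes the BMP layout is a 14-byte file header followed by a 40-byte BITMAPINFOHEADER, with the pixel data at the header's stated offset, and the status codes and helper names are its own. It builds two constructed inputs in memory, a well-formed 2x2 RLE8 image and a 1x1, 8 bpp image whose first run claims 255 pixels (the shape the advisory describes), and shows the checked decoder accepting the first and rejecting the second instead of writing past the heap buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Status codes returned by the checked decoder (names are this example's own). */
enum { RLE_OK = 0, RLE_BAD_HEADER, RLE_OVERFLOW, RLE_TRUNCATED };

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Decode a BI_RLE8 stream into dst, which holds exactly width*height bytes.
 * Every write is bounds-checked against the current row and the image height, so a
 * run, literal block or delta that would spill past the buffer is rejected. */
int decode_rle8(const uint8_t *src, size_t len, uint32_t width, uint32_t height, uint8_t *dst)
{
    size_t x = 0, y = 0, i = 0;
    while (i + 1 < len) {
        uint8_t count = src[i], value = src[i + 1];
        i += 2;
        if (count > 0) {                       /* encoded mode: count copies of value */
            if (y >= height || count > width - x) return RLE_OVERFLOW;
            memset(dst + y * width + x, value, count);
            x += count;
        } else if (value == 0) {               /* end of line */
            if (y >= height) return RLE_OVERFLOW;
            x = 0; y++;
        } else if (value == 1) {               /* end of bitmap */
            return RLE_OK;
        } else if (value == 2) {               /* delta: advance the cursor by (dx, dy) */
            if (i + 1 >= len) return RLE_TRUNCATED;
            uint8_t dx = src[i], dy = src[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y) return RLE_OVERFLOW;
            x += dx; y += dy;
        } else {                               /* absolute mode: value literal bytes, word-padded */
            size_t n = value, padded = (n + 1) & ~(size_t)1;
            if (i + padded > len) return RLE_TRUNCATED;
            if (y >= height || n > width - x) return RLE_OVERFLOW;
            memcpy(dst + y * width + x, src + i, n);
            x += n; i += padded;
        }
    }
    return RLE_TRUNCATED;                      /* input ended before the end-of-bitmap marker */
}

/* Validate the headers and the allocation size, then decode. On success *out receives a
 * calloc'd width*height pixel buffer that the caller frees. */
int decode_bmp_rle8(const uint8_t *file, size_t len, uint8_t **out, size_t *npix)
{
    if (len < 54 || file[0] != 'B' || file[1] != 'M' || rd32(file + 14) < 40) return RLE_BAD_HEADER;
    int32_t w = (int32_t)rd32(file + 18), h = (int32_t)rd32(file + 22);
    uint32_t off = rd32(file + 10);
    if (w <= 0 || h == 0 || h == INT32_MIN || off < 54 || off > len) return RLE_BAD_HEADER;
    if (rd16(file + 28) != 8 || rd32(file + 30) != 1) return RLE_BAD_HEADER;  /* 8 bpp, BI_RLE8 only */
    uint32_t width = (uint32_t)w, height = (uint32_t)(h < 0 ? -h : h);
    /* Guard the width*height multiplication before it sizes the heap buffer. */
    if (width > SIZE_MAX / height) return RLE_BAD_HEADER;
    *npix = (size_t)width * height;
    *out = calloc(*npix, 1);
    if (!*out) return RLE_BAD_HEADER;
    int rc = decode_rle8(file + off, len - off, width, height, *out);
    if (rc != RLE_OK) { free(*out); *out = NULL; }
    return rc;
}

/* Wrap an RLE8 payload in a minimal 54-byte header with no palette. Constructed input
 * for the checks below, not a file taken from the advisory. */
static size_t build_bmp(uint8_t *buf, int32_t w, int32_t h, const uint8_t *rle, size_t n)
{
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)(54 + n)); wr32(buf + 10, 54); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1); wr16(buf + 28, 8); wr32(buf + 30, 1); wr32(buf + 34, (uint32_t)n);
    memcpy(buf + 54, rle, n);
    return 54 + n;
}

/* Well-formed 2x2 image: two runs, an end-of-line and an end-of-bitmap marker.
 * Returns RLE_OK only if the decoded pixels are {7,7,9,9}. */
int check_wellformed(void)
{
    static const uint8_t rle[] = { 2, 7, 0, 0, 2, 9, 0, 1 };
    uint8_t file[64], *px = NULL; size_t npix = 0;
    int rc = decode_bmp_rle8(file, build_bmp(file, 2, 2, rle, sizeof rle), &px, &npix);
    if (rc == RLE_OK && !(npix == 4 && px[0] == 7 && px[1] == 7 && px[2] == 9 && px[3] == 9)) rc = -1;
    free(px);
    return rc;
}

/* 1x1, 8 bpp image whose first run claims 255 pixels: the checked decoder returns
 * RLE_OVERFLOW instead of writing 255 bytes into a 1-byte heap buffer. */
int check_oversized_run(void)
{
    static const uint8_t rle[] = { 255, 7, 0, 1 };
    uint8_t file[64], *px = NULL; size_t npix = 0;
    int rc = decode_bmp_rle8(file, build_bmp(file, 1, 1, rle, sizeof rle), &px, &npix);
    free(px);
    return rc;
}
```

The two checks that matter here are the `width > SIZE_MAX / height` guard, which stops an integer overflow from under-sizing the allocation, and the per-write `count > width - x` / `y >= height` tests, which keep a run-length value supplied by the file from ever deciding how many bytes are written.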

Remediation

Users are advised to update to the patched version of the SAIL Image Decoding Library. The latest version can be obtained from the official SAIL website.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.