FreeImage
cpe:2.3:a:freeimage_project:freeimage:*:*:*:*:*:*:*
- <= 3.18.0
A denial-of-service vulnerability has been identified in FreeImage versions through 3.18.0, caused by an integer overflow in the psdParser::ReadImageData function. This vulnerability allows attackers to disrupt service by supplying a crafted PSD file. The issue arises because the parser calculates the size of image lines based on PSD header fields without proper validation, leading to a heap buffer overflow when the malformed data is processed.
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to memory corruption. AddressSanitizer has confirmed an out-of-bounds heap write during the image loading process.
The vulnerability can be reproduced by opening a malicious PSD file with an excessively large depth field using the FreeImage_Load() function. This triggers the integer overflow, as the depth value is used to calculate the line size, which can then exceed the buffer's capacity. The resulting memory corruption can be verified with AddressSanitizer.
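The missing validation described above, sketched as an added example. This is not FreeImage's code or the upstream fix: the names `psd_header`, `psd_parse_header`, `psd_line_bytes` and `psd_copy_line` are hypothetical, and the field offsets and limits are taken from Adobe's published PSD header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PSD_MAX_DIM  300000u                     /* PSB limit in the format spec; plain PSD is 30000 */
#define PSD_MAX_LINE ((uint64_t)PSD_MAX_DIM * 4) /* widest line: max width at 32 bits per sample */

typedef struct { uint16_t channels, depth; uint32_t height, width; } psd_header;

/* Constructed sample: 3 channels, 2 rows, 4 columns, depth 8, RGB mode. */
static const uint8_t SAMPLE_HEADER[26] = {
    '8','B','P','S', 0,1, 0,0,0,0,0,0, 0,3, 0,0,0,2, 0,0,0,4, 0,8, 0,3 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the fixed 26-byte header and reject out-of-spec fields.
 * Returns 0 on success, -1 if the header must not be used for sizing. */
int psd_parse_header(const uint8_t *buf, size_t len, psd_header *h) {
    if (len < 26 || memcmp(buf, "8BPS", 4) != 0) return -1;
    h->channels = be16(buf + 12);
    h->height   = be32(buf + 14);
    h->width    = be32(buf + 18);
    h->depth    = be16(buf + 22);
    if (h->channels < 1 || h->channels > 56) return -1;
    if (h->height < 1 || h->height > PSD_MAX_DIM) return -1;
    if (h->width  < 1 || h->width  > PSD_MAX_DIM) return -1;
    if (h->depth != 1 && h->depth != 8 && h->depth != 16 && h->depth != 32) return -1;
    return 0;
}

/* Bytes in one channel scanline; the 64-bit product cannot wrap for any 32x16-bit input. */
int psd_line_bytes(const psd_header *h, size_t *out) {
    uint64_t bytes = ((uint64_t)h->width * h->depth + 7) / 8;
    if (bytes == 0 || bytes > PSD_MAX_LINE) return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Copy one scanline only if it fits both the remaining input and the destination. */
int psd_copy_line(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len,
                  const psd_header *h) {
    size_t n;
    if (psd_line_bytes(h, &n) != 0 || n > dst_cap || n > src_len) return -1;
    memcpy(dst, src, n);
    return 0;
}
```

A depth value outside 1, 8, 16 or 32 is rejected before it reaches the line-size arithmetic, and the copy is refused whenever the computed line exceeds the destination buffer.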