GIMP
cpe:2.3:a:gimp:gimp:*:*:*:*:*:*:*
An integer overflow vulnerability has been identified in GIMP's PSP (Paint Shop Pro) file parser, specifically in the read_creator_block() function. A remote attacker can trigger it by providing a specially crafted PSP image file. The issue arises when a 32-bit length value read from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation of this vulnerability could cause the application to crash or become unstable.
Exploitation of this vulnerability causes a heap overflow and an out-of-bounds write, leading to a crash or instability of the application. Additionally, such heap overflows can often be exploited to execute arbitrary code.
The vulnerability can be reproduced with a crafted PSP file whose length value is set to 0xFFFFFFFF. When GIMP processes this file, the integer overflow in the PSP file parser is triggered. A C program that simulates reading a PSP file with the malicious length value demonstrates how the overflow occurs and how it can be exploited.
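The size arithmetic behind this class of bug, next to a validated alternative, as an added example that is not GIMP's code and not part of the original entry. The function names, the `+ 1` terminator pattern, the `bytes_left` parameter and the 64 KiB cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap for a text field; not a value from GIMP or the PSP spec. */
#define MAX_FIELD_LEN (64u * 1024u)

/* Unchecked pattern (hypothetical): size of "length bytes plus a NUL",
 * computed in 32-bit arithmetic straight from the file field. */
static uint32_t unchecked_alloc_size(uint32_t length)
{
    return length + 1u;            /* 0xFFFFFFFF + 1 wraps to 0 */
}

/* Hardened pattern (hypothetical): validate the field before any arithmetic.
 * bytes_left is how much of the enclosing block is still unread.
 * Returns 0 and sets *out on success, -1 if the field must be rejected. */
static int checked_alloc_size(uint32_t length, uint64_t bytes_left, size_t *out)
{
    if (length > bytes_left)       /* claims more data than the block holds */
        return -1;
    if (length > MAX_FIELD_LEN)    /* implausibly large for this field */
        return -1;
    *out = (size_t)length + 1;     /* cannot wrap: length <= MAX_FIELD_LEN */
    return 0;
}

int main(void)
{
    /* Constructed sample lengths; the last is the value named in the text. */
    const uint32_t samples[] = { 16u, 70000u, 0xFFFFFFFFu };
    const uint64_t bytes_left = 4096;   /* constructed block remainder */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = checked_alloc_size(samples[i], bytes_left, &n);
        printf("length=0x%08X unchecked_size=%u checked=%s",
               (unsigned)samples[i], (unsigned)unchecked_alloc_size(samples[i]),
               rc == 0 ? "accept" : "reject");
        if (rc == 0)
            printf(" size=%zu", n);
        putchar('\n');
    }
    return 0;
}
```

Under these assumptions, the unchecked form sizes the buffer from the wrapped value while later code still trusts `length`; the checked form rejects the field before anything is allocated.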