libvips Heap-Based Buffer Overflow Vulnerability in vips_source_read_to_memory Function

Vulnerability

A heap-based buffer overflow vulnerability has been identified in libvips versions through 8.19.0. The issue arises in the vips_source_read_to_memory function within the file libvips/iofuncs/source.c. The vulnerability is triggered by an integer truncation error: a 64-bit length value is narrowed to a smaller integer type before it is used, leading to memory corruption. Exploitation requires local access, and the issue has been publicly disclosed together with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building libvips with AddressSanitizer and UndefinedBehaviorSanitizer enabled. After installing the library, a proof-of-concept program can be compiled and run. This program creates a custom VipsSource that reports a length greater than 4 GiB. When vips_source_read_to_memory is called on it, the improper length handling causes a heap-buffer-overflow, which AddressSanitizer reports.
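The defect class behind the Vulnerability and Reproduction sections above is a 64-bit length narrowed before it reaches the allocator, so the buffer is sized from the wrapped value while the copy uses the full length. The following is an added, constructed C example that illustrates that class and the check that prevents it; it is not libvips code and does not reproduce vips_source_read_to_memory. The demo_source struct, the DEMO_MAX_LEN cap and all function names are assumptions made for the illustration, and the buggy path only computes the size it would allocate rather than performing the overflow.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a byte source (hypothetical; not libvips' VipsSource).
 * It reports a 64-bit total length and serves bytes from an in-memory buffer. */
typedef struct {
    int64_t length;               /* length the source claims to have */
    const unsigned char *data;    /* bytes actually backing the source */
    size_t data_len;              /* number of bytes really available */
} demo_source;

/* Buggy pattern: the 64-bit length is narrowed to 32 bits before it reaches
 * the allocator. Anything at or above 4 GiB wraps to a small value, so the
 * buffer allocated is far smaller than the number of bytes later copied in.
 * Returns the size the allocator would be asked for; no memory is touched. */
static uint32_t buggy_alloc_size(int64_t length)
{
    uint32_t narrowed = (uint32_t) length;   /* silent modular truncation */
    return narrowed;
}

/* Hardened pattern: range-check the 64-bit value before any narrowing.
 * Returns 0 and stores the validated size on success, -1 otherwise. */
static int checked_length_to_size(int64_t length, int64_t max_len, size_t *out)
{
    if (length < 0 || length > max_len)
        return -1;                            /* negative or above the policy cap */
    if ((uint64_t) length > (uint64_t) SIZE_MAX)
        return -1;                            /* only reachable on 32-bit hosts */
    *out = (size_t) length;
    return 0;
}

/* Read a whole demo_source into a freshly allocated buffer, refusing sources
 * whose claimed length fails validation or disagrees with the backing data. */
static unsigned char *demo_read_to_memory(const demo_source *src, int64_t max_len, size_t *out_len)
{
    size_t len;
    if (checked_length_to_size(src->length, max_len, &len) != 0)
        return NULL;
    if (len != src->data_len)
        return NULL;                          /* claimed length does not match reality */
    unsigned char *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src->data, len);
    *out_len = len;
    return buf;
}

/* Constructed sample data used by the two checks below (16 payload bytes). */
static const unsigned char demo_bytes[] = "0123456789abcdef";
#define DEMO_PAYLOAD_LEN (sizeof demo_bytes - 1)
#define DEMO_MAX_LEN ((int64_t) 1 << 30)      /* 1 GiB cap, an assumed policy value */

/* An honest 16-byte source round-trips; returns bytes read or -1. */
static long demo_roundtrip(void)
{
    demo_source src = { (int64_t) DEMO_PAYLOAD_LEN, demo_bytes, DEMO_PAYLOAD_LEN };
    size_t n = 0;
    unsigned char *buf = demo_read_to_memory(&src, DEMO_MAX_LEN, &n);
    if (buf == NULL)
        return -1;
    int same = memcmp(buf, demo_bytes, n) == 0;
    free(buf);
    return same ? (long) n : -1;
}

/* A source claiming 4 GiB + 16 bytes while only 16 are backed: the buggy
 * size computation would request just 16 bytes; the hardened path refuses.
 * Returns 1 when the source is rejected. */
static int demo_huge_source_rejected(void)
{
    demo_source src = { ((int64_t) 1 << 32) + 16, demo_bytes, DEMO_PAYLOAD_LEN };
    size_t n = 0;
    return demo_read_to_memory(&src, DEMO_MAX_LEN, &n) == NULL;
}
```

The important ordering is that the comparison happens on the original int64_t value; once the length has been assigned to a narrower type, a range check on the narrowed copy can no longer detect the wrap. An explicit upper bound such as DEMO_MAX_LEN also turns an absurd length into a clean error instead of a multi-gigabyte allocation.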

Remediation

Users are advised to update to libvips version 8.19.1 or later, where this vulnerability has been patched.

Added: Feb 22, 2026, 4:28 AM
Updated: Feb 22, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.