libvips Memory Corruption Vulnerability in Matrix Load Function

Vulnerability

A memory corruption vulnerability has been identified in libvips versions prior to 8.18.0. The issue arises in the matrix loading functions within 'libvips/foreign/matrixload.c', where improper handling of signed and unsigned values can lead to stack underflow writes. This vulnerability is exploitable locally and has been confirmed with an AddressSanitizer (ASAN) report indicating a stack-buffer-overflow error.

Impact

Triggering this vulnerability causes a write before the start of the 'line' variable on the stack (an underflow, which ASAN reports as a stack-buffer-overflow), allowing for potential memory corruption.
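An added illustration of the bug class described above, not code from libvips or from this advisory: a signed length that is only checked against an upper bound before being used as an index into a 'line' buffer, next to a hardened form. All names (sniff, terminate_flawed, terminate_checked, guard_clobbered) are hypothetical, and the buffer is placed inside a larger array so the stray write is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define LINE_LEN 80
#define GUARD 8 /* slack before the buffer so the stray write stays inside arena */

/* Hypothetical source reader: bytes copied, or -1 on a read error. */
static ssize_t sniff(const char *src, ssize_t src_len, char *dst, size_t max)
{
    if (src_len < 0) return -1; /* constructed failure case */
    size_t n = (size_t) src_len < max ? (size_t) src_len : max;
    memcpy(dst, src, n);
    return (ssize_t) n;
}

/* Flawed pattern: signed length, only the upper bound is checked. */
static void terminate_flawed(char *line, ssize_t n)
{
    if (n > LINE_LEN - 1)
        n = LINE_LEN - 1;
    line[n] = '\0'; /* n == -1 writes one byte before line */
}

/* Hardened: reject negative values before the length is used as an index. */
static int terminate_checked(char *line, ssize_t n)
{
    if (n < 0)
        return -1;
    size_t len = (size_t) n;
    if (len > (size_t) (LINE_LEN - 1))
        len = LINE_LEN - 1;
    line[len] = '\0';
    return 0;
}

/* Returns 1 if the byte just before line was overwritten. */
static int guard_clobbered(int use_checked, const char *src, ssize_t src_len)
{
    char arena[GUARD + LINE_LEN];
    char *line = arena + GUARD;
    memset(arena, 0x5A, sizeof arena);
    ssize_t n = sniff(src, src_len, line, LINE_LEN - 1);
    if (use_checked) (void) terminate_checked(line, n);
    else terminate_flawed(line, n);
    return arena[GUARD - 1] != 0x5A;
}

int main(void) { printf("flawed: %d, checked: %d\n", guard_clobbered(0, "", -1), guard_clobbered(1, "", -1)); return 0; }
```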

Reproduction

The vulnerability can be reproduced by building libvips with AddressSanitizer enabled, which detects memory corruption issues. After compiling libvips with ASAN, the 'vips' command-line tool can be used to copy data from '/proc/self/mem' to a file, triggering the vulnerability. The resulting ASAN report shows the stack-buffer-overflow error, confirming that the vulnerability has been triggered.

Remediation

Users can upgrade to libvips version 8.19.0 or later, where this vulnerability has been fixed.

Added: Feb 25, 2026, 3:20 AM
Updated: Feb 25, 2026, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 4.0
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.