libvips
cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*
- 8.19.0
A heap-based buffer overflow vulnerability has been identified in libvips version 8.19.0. The issue arises in the bandrank functionality, specifically within the vips_bandrank_build function in bandrank.c. The vulnerability is triggered by user-controlled manipulation of the 'index' argument, which is not properly validated against the number of input images. This oversight allows for out-of-bounds memory access, leading to a heap overflow. The vulnerability requires local exploitation and has a public exploit available.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by building libvips with AddressSanitizer (ASAN) enabled, creating two small input images, and then running the 'vips bandrank' command with an out-of-range index value. The ASAN build reports a heap-buffer-overflow error, which confirms the out-of-bounds access.
Users are advised to update to libvips version 8.19.1 or later, where this vulnerability has been patched.
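The class of check described above, as an added example that is not libvips code and not taken from the 8.19.1 patch: a simplified model of a band-rank step that validates 'index' against the number of inputs before using it. The function name band_rank_checked, its signature, the sample data, and the choice to reject every index outside 0..n-1 are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* qsort comparator for 8-bit samples. */
static int cmp_u8(const void *a, const void *b)
{
    return (int) *(const unsigned char *) a - (int) *(const unsigned char *) b;
}

/*
 * Simplified model of a band-rank operation (hypothetical, not libvips code).
 * For each pixel, take one sample from each of the n inputs, sort them and
 * write the sample at position `index` to out.
 * Returns 0 on success, -1 if the arguments are rejected.
 */
int band_rank_checked(const unsigned char *const *in, int n, size_t npix,
                      int index, unsigned char *out)
{
    if (in == NULL || out == NULL || n < 1)
        return -1;
    /* The validation the advisory describes as missing: index must select
     * one of the n sorted samples, otherwise sorted[index] leaves the heap
     * buffer allocated below. */
    if (index < 0 || index >= n)
        return -1;

    unsigned char *sorted = malloc((size_t) n);
    if (sorted == NULL)
        return -1;
    for (size_t p = 0; p < npix; p++) {
        for (int i = 0; i < n; i++)
            sorted[i] = in[i][p];
        qsort(sorted, (size_t) n, sizeof sorted[0], cmp_u8);
        out[p] = sorted[index];
    }
    free(sorted);
    return 0;
}

int main(void)
{
    /* Constructed sample data: two 3-pixel, single-band inputs. */
    const unsigned char a[3] = {10, 200, 7}, b[3] = {30, 100, 7};
    const unsigned char *in[2] = {a, b};
    unsigned char out[3];

    printf("index 1 -> %d\n", band_rank_checked(in, 2, 3, 1, out));
    printf("index 2 -> %d\n", band_rank_checked(in, 2, 3, 2, out));
    return 0;
}
```

With two inputs, index 2 is rejected before any buffer is touched, which is the behaviour an ASAN build of a fixed version should show in place of the heap-buffer-overflow report.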