libvips Out-of-Bounds Read Vulnerability in Band Extraction Function

Vulnerability

libvips 8.19.0, the version named by this advisory, contains an out-of-bounds read in the band extraction operation. The range check in vips_extract_band_build is carried out in signed integer arithmetic, so a band index and band count chosen to overflow their sum pass the check, and the operation then reads outside the input image's pixel buffer. The issue was demonstrated through the vips command-line tool with the --vips-max-coord option raised to a high value. A public proof of concept exists; in a build with AddressSanitizer enabled, the invalid read is caught at the point it happens and the process aborts, whereas an uninstrumented build either crashes or silently reads unrelated memory depending on layout.
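The mechanism described above, as an added example written for this page and not taken from libvips: a minimal model of a band range check done in signed arithmetic, next to a hardened form and a 64-bit bounds computation that shows which inputs would actually read past the buffer. The image_t type, the function names and the 4x4 RGB sample are assumptions; the real vips_extract_band_build is not reproduced. The vulnerable check spells out the wraparound with unsigned arithmetic so the example has defined behaviour, standing in for the signed overflow that C leaves undefined.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical image header: `bands` interleaved samples per pixel.
 * Assumed structure for this example, not a libvips type. */
typedef struct {
    int width;
    int height;
    int bands;
} image_t;

/* Vulnerable range check, modelled on the pattern the advisory describes
 * (not libvips code): band + n is computed first, then compared.
 * The wrap is written with unsigned arithmetic so the demonstration is
 * well-defined; it yields the value the signed addition produces in practice. */
static bool range_check_vulnerable(const image_t *im, int band, int n)
{
    int end = (int) ((unsigned) band + (unsigned) n); /* wraps for large n */
    if (band < 0 || end > im->bands)
        return false;   /* never reached when `end` wrapped negative */
    return true;
}

/* Hardened check: validate each operand, then compare in a form that
 * cannot overflow (band + n <= bands rewritten as n <= bands - band). */
static bool range_check_hardened(const image_t *im, int band, int n)
{
    if (band < 0 || band >= im->bands)
        return false;
    if (n <= 0 || n > im->bands - band)
        return false;
    return true;
}

/* Index (in samples) of the last sample an extraction loop would touch,
 * computed in 64-bit so this comparison itself cannot wrap. */
static long long last_sample_index(const image_t *im, int band, int n)
{
    long long pixels = (long long) im->width * im->height;
    return (pixels - 1) * im->bands + band + (long long) n - 1;
}

/* True when every sample the extraction would read lies inside the buffer. */
static bool read_stays_in_bounds(const image_t *im, int band, int n)
{
    long long buffer_samples = (long long) im->width * im->height * im->bands;
    long long last = last_sample_index(im, band, n);
    return last >= 0 && last < buffer_samples;
}

int main(void)
{
    /* Constructed sample: a 4x4 RGB image, 48 samples in the buffer. */
    image_t im = { 4, 4, 3 };
    struct { int band, n; } cases[] = {
        { 0, 3 },        /* whole image: valid */
        { 1, 2 },        /* bands 1..2: valid */
        { 2, 2 },        /* runs one band past the end */
        { 1, INT_MAX },  /* band + n wraps negative in 32-bit signed */
        { 1, -1 },       /* negative count */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int band = cases[i].band, n = cases[i].n;
        printf("band=%d n=%d vulnerable=%s hardened=%s in_bounds=%s\n",
               band, n,
               range_check_vulnerable(&im, band, n) ? "accept" : "reject",
               range_check_hardened(&im, band, n) ? "accept" : "reject",
               read_stays_in_bounds(&im, band, n) ? "yes" : "no");
    }
    return 0;
}
```

The row for band=1, n=INT_MAX is the interesting one: the vulnerable check accepts it because the wrapped sum is negative and therefore "not greater than" the band count, while the 64-bit bounds calculation shows the read would land about two billion samples past a 48-sample buffer. The hardened form rejects it without ever forming the sum.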

Impact

In practice the out-of-bounds read crashes the process (a segmentation fault, or an AddressSanitizer abort in an instrumented build), so the primary impact is denial of service against any service that runs libvips on untrusted images or untrusted operation arguments. An out-of-bounds read can also disclose the contents of adjacent memory; turning it into arbitrary code execution would require additional bugs beyond what is described here, so that outcome should be treated as unlikely rather than expected.

Reproduction

To reproduce, build libvips with AddressSanitizer enabled (for a meson build, the -Db_sanitize=address option), create a small valid input image, and run the vips extract_band operation on it with --vips-max-coord raised and a band index and band count whose signed sum overflows. With the sanitizer in place the invalid read is reported where it occurs instead of depending on memory layout to produce a segfault. The steps can be scripted; when checking a patched build, the same invocation should be rejected with an argument error rather than producing a sanitizer report.

Remediation

Users are advised to update to a libvips release that contains the fix. This advisory names 8.18.1 as the fixed version while listing 8.19.0 as affected, which cannot both be correct; confirm the fix commit against the libvips release notes before relying on a specific version number. Until the library is upgraded, do not accept untrusted values for --vips-max-coord or for the extract_band band and count arguments.

Added: Feb 27, 2026, 3:21 AM
Updated: Feb 27, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.