libvips Integer Overflow Vulnerability in Extract Area Function

Vulnerability

A vulnerability exists in libvips version 8.19.0 within the vips_extract_area_build function, located in libvips/conversion/extract.c. The issue arises from improper bounds checking that allows integer overflow. This vulnerability can be exploited locally, and a public exploit is available. The overflow occurs when attacker-controlled coordinates near INT_MAX are processed as signed integers, bypassing validation checks. This leads to the propagation of invalid coordinates, causing a crash during memory copying operations. The vulnerability has been patched, and users are advised to update to the latest version.
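The class of check failure described above, as an added illustration that is not libvips source code. The function names, parameter layout and 100x100 image size are assumptions, and wrap_add models the two's-complement wraparound of a typical build, because signed overflow itself is undefined in C.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: models int + int wrapping on a two's-complement
 * build (the real signed addition would be undefined behaviour). */
static int wrap_add(int a, int b)
{
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Naive check: adds offset and size first, so the sum can wrap negative
 * and slip under the upper bound. Returns 1 if the area is accepted. */
int area_ok_naive(int left, int top, int width, int height,
                  int xsize, int ysize)
{
    if (wrap_add(left, width) > xsize || wrap_add(top, height) > ysize ||
        left < 0 || top < 0 || width <= 0 || height <= 0)
        return 0;
    return 1;
}

/* Hardened check: validates signs and offsets first, then compares the
 * size against the remaining space. No addition, so nothing can wrap. */
int area_ok_safe(int left, int top, int width, int height,
                 int xsize, int ysize)
{
    if (left < 0 || top < 0 || width <= 0 || height <= 0)
        return 0;
    if (left > xsize || top > ysize)
        return 0;
    if (width > xsize - left || height > ysize - top)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed input: 100x100 image, left offset near INT_MAX. */
    int left = INT_MAX - 5, width = 10;
    printf("naive accepts: %d, safe accepts: %d\n",
           area_ok_naive(left, 0, width, 10, 100, 100),
           area_ok_safe(left, 0, width, 10, 100, 100));
    return 0;
}
```

Building code like this with -fsanitize=signed-integer-overflow reports the overflowing addition in the original signed form at the check itself, before any invalid coordinates reach a memory copy.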

Impact

Exploitation of this vulnerability causes a crash due to a segmentation fault, disrupting the application's normal operation.

Reproduction

The vulnerability can be reproduced by building libvips with AddressSanitizer enabled, which detects memory errors. After compiling libvips with ASan, the vips command-line tool can be used to invoke the extract_area function with carefully crafted parameters that exploit the integer overflow. This triggers the vulnerability by bypassing the bounds checks and causing a crash when the invalid coordinates are processed.

Remediation

Users should update to the patched version of libvips. The patch is available in the official libvips repository on GitHub.

Added: Feb 27, 2026, 3:20 AM
Updated: Feb 27, 2026, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.