SAIL Heap Buffer Overflow Vulnerability in PSD Codec LAB 16-bit Mode
Vulnerability
A heap buffer overflow vulnerability has been identified in the SAIL library's PSD codec, specifically in LAB color mode with 16-bit depth. The issue arises because the codec calculates bytes-per-pixel (bpp) based on the number of channels and depth, but the actual pixel buffer allocation relies on a different pixel format that does not account for the full depth. This mismatch leads to a deterministic heap buffer overflow, as the codec writes more pixel data than the allocated buffer can handle, creating a 100-byte overflow for each row of pixels. The vulnerability is present in SAIL versions through 1.0.0.
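The root cause described above is a size that is computed two different ways: once from the header (channels times depth) and once from the output pixel format the decoder chose, with the second ignoring the depth. The following is an added example, not SAIL's code, that models that mismatch and shows the check a decoder can run before writing a row. The pixel-format names (`PF_LAB24`, `PF_LAB48`), the header values (width 50, 3 channels, 16-bit) and the exact overrun size are constructed assumptions for illustration and do not reproduce the advisory's figures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output pixel formats. These are assumptions for the
 * example, not SAIL's real enum values. */
typedef enum { PF_UNKNOWN = 0, PF_LAB24 = 1, PF_LAB48 = 2 } pixel_format_t;

/* Bits per pixel of each assumed output format. */
static unsigned format_bits_per_pixel(pixel_format_t pf)
{
    switch (pf) {
    case PF_LAB24: return 24;   /* 3 channels x 8 bits  */
    case PF_LAB48: return 48;   /* 3 channels x 16 bits */
    default:       return 0;
    }
}

/* Row size implied by the PSD header: channels x depth, rounded up to bytes.
 * Returns SIZE_MAX when the multiplication would not fit. */
size_t header_row_bytes(unsigned width, unsigned channels, unsigned depth)
{
    size_t bpp = ((size_t)channels * depth + 7) / 8;
    if (bpp != 0 && width > SIZE_MAX / bpp) return SIZE_MAX;
    return bpp * width;
}

/* Row size of the buffer the decoder actually allocates for a given format. */
size_t format_row_bytes(unsigned width, pixel_format_t pf)
{
    return ((size_t)format_bits_per_pixel(pf) / 8) * width;
}

/* Mirrors the flaw described in the advisory: the format is picked from the
 * channel count alone, so 16-bit LAB still maps to a 24-bit buffer. */
pixel_format_t choose_format_ignoring_depth(unsigned channels, unsigned depth)
{
    (void)depth;
    return channels == 3 ? PF_LAB24 : PF_UNKNOWN;
}

/* Depth-aware selection: the chosen format must carry the full header depth. */
pixel_format_t choose_format(unsigned channels, unsigned depth)
{
    if (channels != 3) return PF_UNKNOWN;
    if (depth == 8)  return PF_LAB24;
    if (depth == 16) return PF_LAB48;
    return PF_UNKNOWN;
}

/* Bytes by which one decoded row would overrun the allocated row, 0 if it fits. */
size_t row_overflow(unsigned width, unsigned channels, unsigned depth, pixel_format_t pf)
{
    size_t need = header_row_bytes(width, channels, depth);
    size_t have = format_row_bytes(width, pf);
    return need > have ? need - have : 0;
}

/* Decode one row into a freshly allocated buffer, refusing when the header-derived
 * size and the allocation size disagree. Returns 0 on success, -1 if rejected. */
int decode_row_checked(unsigned width, unsigned channels, unsigned depth, pixel_format_t pf)
{
    if (pf == PF_UNKNOWN || width == 0) return -1;
    size_t need = header_row_bytes(width, channels, depth);
    if (need == SIZE_MAX) return -1;
    if (row_overflow(width, channels, depth, pf) != 0) return -1;

    uint8_t *row = calloc(1, format_row_bytes(width, pf));
    if (!row) return -1;
    memset(row, 0xAB, need);   /* constructed stand-in for decoded pixel bytes */
    free(row);
    return 0;
}

int main(void)
{
    const unsigned width = 50, channels = 3, depth = 16;   /* constructed header */
    pixel_format_t blind = choose_format_ignoring_depth(channels, depth);
    pixel_format_t aware = choose_format(channels, depth);
    printf("depth-blind format: %zu-byte overrun per row\n", row_overflow(width, channels, depth, blind));
    printf("depth-aware format: %zu-byte overrun per row\n", row_overflow(width, channels, depth, aware));
    printf("checked decode with depth-blind format: %d\n", decode_row_checked(width, channels, depth, blind));
    return 0;
}
```

The point of `row_overflow` is that it is cheap and runs once per image, before any row is written: a decoder that compares the header-derived row size against the allocation's row size cannot reach the `memset` with a short buffer, regardless of which branch of format selection chose the buffer.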
Impact
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to arbitrary code execution.
Reproduction
The vulnerability can be reproduced by crafting a PSD file that includes specific header values indicating LAB mode with 3 channels and 16-bit depth. When this file is processed by the SAIL library, the mismatch between the calculated and allocated bytes-per-pixel results in a heap buffer overflow. This can be verified using AddressSanitizer, which will report the overflow error.
Remediation
Users can update to the latest version of SAIL, where this vulnerability has been patched.
