SAIL TGA Codec Heap Buffer Overflow Vulnerability in RLE Decoder

Vulnerability

A heap buffer overflow vulnerability has been identified in the TGA codec of the SAIL library, specifically in the RLE decoder in 'tga.c'. The flaw stems from an asymmetric bounds check: the run-packet path limits the repeat count to the space remaining in the output buffer, but the raw-packet path performs no equivalent check before copying pixel data. As a result, a crafted RLE stream can write up to 496 bytes of attacker-controlled data past the end of a heap buffer.

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, allowing for arbitrary code execution. AddressSanitizer confirmed the overflow, reporting the error in the raw-packet branch of the TGA RLE decoder.

Reproduction

To reproduce this vulnerability, craft a TGA file with the following characteristics: set 'image_type' to 10 (TRUE_COLOR_RLE), 'bpp' to 32, and dimensions of 4 pixels wide by 1 pixel high. This configuration allocates a 16-byte pixel buffer (4 pixels x 4 bytes). The RLE stream should consist of a raw packet header byte '0x7F' (high bit clear, so a raw packet; low 7 bits plus one give a count of 128 pixels), followed by 512 bytes of pixel data (128 pixels of 4 bytes each). The decoder copies all 512 bytes into the 16-byte buffer, producing a 496-byte heap buffer overflow with attacker-controlled data.
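To make the asymmetry described above concrete, the following is an added, self-contained example of a TGA RLE packet decoder that applies the same output-bounds check to both packet types; it is illustrative code written for this page, not SAIL's decoder, and its function names, the choice to reject (rather than truncate) an oversized packet, and the sample streams are all assumptions. The second helper builds the stream from the Reproduction section (16-byte destination, header 0x7F, 512 bytes of pixel data) and shows that the checked decoder refuses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a TGA RLE pixel stream into dst (dst_len bytes, bpp bytes per pixel).
 * Returns the number of bytes written, or -1 if any packet would overrun
 * dst or read past src. The bounds check is applied before either branch,
 * so raw and run packets are treated symmetrically. (Hypothetical helper.) */
int tga_rle_decode_checked(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_len, size_t bpp)
{
    size_t si = 0, di = 0;
    if (bpp == 0 || bpp > 4) return -1;
    while (di < dst_len) {
        if (si >= src_len) return -1;               /* truncated stream */
        uint8_t hdr = src[si++];
        size_t count = (size_t)(hdr & 0x7F) + 1;    /* 1..128 pixels */
        size_t need  = count * bpp;                 /* output bytes this packet */
        if (need > dst_len - di) return -1;         /* the check the raw path lacked */
        if (hdr & 0x80) {                           /* run packet: one pixel repeated */
            if (bpp > src_len - si) return -1;
            for (size_t i = 0; i < count; i++, di += bpp)
                memcpy(dst + di, src + si, bpp);
            si += bpp;
        } else {                                    /* raw packet: count literal pixels */
            if (need > src_len - si) return -1;
            memcpy(dst + di, src + si, need);
            si += need;
            di += need;
        }
    }
    return (int)di;
}

/* Constructed input matching the advisory's reproduction: a 4x1 image at
 * 32 bpp (16-byte destination) and a raw packet header 0x7F followed by
 * 128 pixels of 4 bytes. The checked decoder returns -1 instead of writing
 * 496 bytes past the buffer. */
int demo_advisory_case(void)
{
    uint8_t stream[1 + 128 * 4];
    uint8_t dst[16];
    stream[0] = 0x7F;
    memset(stream + 1, 0x41, sizeof(stream) - 1);
    return tga_rle_decode_checked(stream, sizeof(stream), dst, sizeof(dst), 4);
}

/* Constructed well-formed stream: a raw packet of 2 pixels followed by a run
 * packet of 2 pixels, filling the 16-byte destination exactly. Returns 16. */
int demo_well_formed(void)
{
    const uint8_t stream[] = {0x01, 1, 2, 3, 4, 5, 6, 7, 8, 0x81, 9, 10, 11, 12};
    uint8_t dst[16];
    return tga_rle_decode_checked(stream, sizeof(stream), dst, sizeof(dst), 4);
}
```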

Remediation

Users are advised to update to the latest version of the SAIL library, where this vulnerability has been addressed. The specific patch can be found in commit 45d48d1 on the official SAIL GitHub repository.

Added: Apr 18, 2026, 3:19 AM
Updated: Apr 18, 2026, 3:19 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 0.0
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.