GreycLab CImg
cpe:2.3:a:cimg:cimg:*:*:*:*:*:*:*
Affected versions: < 4ca26bc
An integer overflow vulnerability has been identified in the CImg Library, a C++ library for image processing. The issue is in the '_load_pnm()' function, which processes the width, height, and depth dimensions of PNM/PGM/PPM files. Prior to commit 4ca26bc, the size check in '_load_pnm()' compared the declared pixel count, calculated using unsigned integers, against the actual file size. Because that calculation can overflow, oversized images could bypass the memory allocation guard, leading to a heap buffer overflow. The vulnerability can be exploited by crafting a PNM/PGM/PPM file with large dimension values, so that the calculated pixel count wraps around and an undersized buffer is allocated. Any application using CImg to load untrusted image files is affected.
Exploitation of this vulnerability can lead to a heap buffer overflow, causing applications to crash or potentially allowing for arbitrary code execution.
The vulnerability can be reproduced by creating a PNM file with dimensions that exceed the maximum value for unsigned integers. When this file is loaded using the CImg library, the integer overflow occurs, bypassing the memory guard and causing an out-of-memory error as the application attempts to allocate a large amount of memory based on the incorrectly processed dimensions.
Users should update to the latest version of the CImg library, as this vulnerability has been fixed in commit 4ca26bc.
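The wrapping size check described above, next to an overflow-checked version, as an added example that is not CImg's code and not the change made in commit 4ca26bc. The function names, the 32-bit width of the dimensions, and the sample values are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for a flawed guard: the declared pixel count is
// computed in 32-bit unsigned arithmetic, so it wraps modulo 2^32 before
// it is compared with the file size.
static bool guard_wrapping(uint32_t w, uint32_t h, uint32_t d, uint64_t file_size) {
    uint32_t declared = w * h * d;  // wraps silently on overflow
    return declared <= file_size;
}

// Multiply two 64-bit values, reporting overflow instead of wrapping.
static bool checked_mul(uint64_t a, uint64_t b, uint64_t &out) {
    if (a != 0 && b > UINT64_MAX / a) return false;
    out = a * b;
    return true;
}

// Hardened guard (assumed design): widen to 64 bits, check every
// multiplication, and reject the header if the count cannot be represented
// or exceeds what the file can hold.
static bool guard_checked(uint32_t w, uint32_t h, uint32_t d, uint64_t file_size) {
    uint64_t n = 0;
    if (!checked_mul(w, h, n)) return false;
    if (!checked_mul(n, d, n)) return false;
    return n <= file_size;
}

int main() {
    // Constructed sample headers: {width, height, depth, file size in bytes}.
    const struct { uint32_t w, h, d; uint64_t size; } samples[] = {
        {4u, 4u, 1u, 64u},              // small, consistent image
        {65536u, 65536u, 1u, 64u},      // 2^32 pixels, wraps to 0
        {65536u, 65537u, 1u, 70000u},   // 2^32 + 2^16 pixels, wraps to 65536
    };
    for (const auto &s : samples) {
        std::printf("%ux%ux%u size=%llu wrapping=%s checked=%s\n",
                    (unsigned)s.w, (unsigned)s.h, (unsigned)s.d,
                    (unsigned long long)s.size,
                    guard_wrapping(s.w, s.h, s.d, s.size) ? "accept" : "reject",
                    guard_checked(s.w, s.h, s.d, s.size) ? "accept" : "reject");
    }
    return 0;
}
```

The two guards agree on the consistent header and disagree on both oversized ones, which is the signal a regression test for a loader's dimension check should look for.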