libvips
cpe:2.3:a:libvips:libvips:*:*:*:*:*:*:*, +1 more
- <= 8.18.2
A heap-based buffer overflow vulnerability has been identified in libvips versions through 8.18.2. The issue arises in the nip2 handler within the deprecated vips7compat.c file, specifically in the im_minpos_vec function. This function calls vips_min to retrieve 'n' minimum positions but then unconditionally copies 'n' elements from the returned arrays. The vips_min function, however, allocates its output arrays based on the actual number of pixels scanned, which can result in the copied data exceeding the allocated buffer size when fewer pixels are present. This vulnerability requires local exploitation.
Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for potential arbitrary code execution or memory corruption.
The vulnerability can be reproduced with the 'vips' command-line tool by invoking the 'im_minpos_vec' operation. A PGM file named 'poc_1x1.pgm' serves as input, together with a parameter value of 100, which exceeds the number of pixels in the image. This combination triggers the out-of-bounds read and corrupts memory beyond the allocated buffer.
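The size mismatch described above, modelled as an added example in constructed C (not libvips's own code; model_min, overread_elems and safe_minpos_vec are hypothetical names): the scan routine sizes its result from the pixels actually present, a caller that unconditionally copies n elements would read past that array, and the hardened caller copies only the count the scan returned.

```c
/* Added model of the im_minpos_vec / vips_min size mismatch. Constructed code,
 * not libvips source: all names (model_min, safe_minpos_vec, ...) are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for vips_min: the caller asks for 'n' minimum positions, but the
 * result array is sized from the pixels actually scanned, count = min(n, npix). */
static int model_min(const uint8_t *px, int npix, int n, int **xs, int *count)
{
    int c = npix < n ? npix : n;
    int *out = malloc((size_t)(c > 0 ? c : 1) * sizeof *out);
    char *used = calloc((size_t)(npix > 0 ? npix : 1), 1);
    if (!out || !used) { free(out); free(used); return -1; }
    for (int k = 0; k < c; k++) {            /* pick the k-th smallest pixel */
        int best = -1;
        for (int i = 0; i < npix; i++)
            if (!used[i] && (best < 0 || px[i] < px[best])) best = i;
        used[best] = 1;
        out[k] = best;
    }
    free(used);
    *xs = out; *count = c;
    return 0;
}

/* How many elements an unconditional copy of 'n' items would read past the end
 * of the returned array. Zero means the copy stays in bounds. */
int overread_elems(int npix, int n) { return n - (npix < n ? npix : n); }

/* Hardened caller: copy only the 'count' elements that exist, never 'n',
 * and fill the remaining slots with a sentinel. Returns count or -1. */
int safe_minpos_vec(const uint8_t *px, int npix, int n, int *dst)
{
    int *xs, count;
    if (n <= 0 || model_min(px, npix, n, &xs, &count) < 0) return -1;
    memcpy(dst, xs, (size_t)count * sizeof *dst);
    for (int k = count; k < n; k++) dst[k] = -1;
    free(xs);
    return count;
}

/* Constructed 1x1 image with n = 100, the shape of the advisory's poc_1x1.pgm case. */
int demo_1x1_n100(void)
{
    static const uint8_t img[1] = { 7 };
    int dst[100];
    int count = safe_minpos_vec(img, 1, 100, dst);
    for (int k = 1; k < 100; k++) if (dst[k] != -1) return -1;
    return (count == 1 && dst[0] == 0) ? count : -1;
}
```

With the 1x1 input and n = 100, overread_elems reports 99 elements that the unconditional copy would read past the returned array, while the hardened copy stays within the single element that exists.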
The vulnerability has been addressed in libvips version 8.19.0, which removes the deprecated functions and the associated vulnerability. Users are advised to update to this version.