Imager Heap-Based Buffer Overflow Vulnerability in GIF Handling

A heap-based buffer overflow vulnerability has been identified in the Imager library, specifically in versions through 1.030, when processing crafted multi-frame GIF files. The issue arises in the Imager::File::GIF module's 'i_readgif_multi_low' function, which allocates a single buffer per row, sized according to the GIF's global screen width. This buffer is reused across all images in the file. While the function includes a validation step for the image dimensions before writing to the buffer, this check is bypassed in the parallel skip-image branch, leading to the out-of-bounds write.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by using the 'Imager' Perl module to read a crafted multi-frame GIF file that exploits the buffer overflow in the 'i_readgif_multi_low' function. This can be done by creating a GIF file that has images positioned to overlap the right or bottom edges of the canvas, bypassing the dimension checks and causing the buffer overflow when the image data is read.

Remediation

Users can upgrade to Imager version 1.031, which includes a patch for this vulnerability. Instructions for downloading the updated version are available on the MetaCPAN Imager release page.