Closed francobel closed 6 days ago
Hey @francobel thank you for the detailed report!
This has now been resolved in https://github.com/rive-app/rive-cpp/commit/85a28fb8715e20e91ba986ae700f6b08a47438d7
I'll close this issue, but please reopen it if you believe it does not solve it.
The vulnerable function `DecodeJpeg` in file decode_jpeg.cpp is used to decompress jpegs and create a raw bitmap version of the image. In `DecodeJpeg`, the values for `cinfo.output_width` and `cinfo.output_height` are retrieved directly from a jpeg file's header. `cinfo.output_width` and `cinfo.output_height` can be manipulated by editing the header of the jpeg file being processed. They are two bytes each in the image's header so their values can range from 0x0000 to 0xFFFF. These variables are multiplied by `cinfo.output_components`. When these three values are multiplied together they can exceed the limit of a 32-bit unsigned integer, leading to an integer overflow vulnerability. This product is used to set the size of the `pixelBuffer` array, which will store the decompressed jpeg. When the sizing arguments overflow, the array becomes too small to store the decompressed data.

The program writes the decompressed image to the array using the `jpeg_read_scanlines` function. If an integer overflow occurs, the function ends up writing to out-of-bounds memory due to the array's size. This causes data in memory adjacent to the array to be overwritten.

An attacker is in control of the image's height, width, and contents. This allows an attacker to craft an exploit to overwrite data in memory with data they control.