Open chibataiki opened 3 years ago
I submitted to huntr.dev for a quick cve assignment.
fixed, pls check last code.
This seems not to fix the root cause of the issue: the type of the BMP struct's stride is int and results in integer overflow; fixing this may need more work. This test case issue is fixed, so this patch LGTM, thanks for your work!
Hi, an exploitable heap overflow vulnerability exists in function `bmp_load()` in bmp.c.

version: 4ab404e (latest one)

env: ubuntu 20.04 x86_64, gcc version 9.3.0

reproduce: `make`, then `./ffjpeg -e poc`

zipped poc

detail

In the function `bmp_load()`, the structure of BMP is:

The `stride` type is int; if `width` is big enough, the `stride` value will trigger integer overflow. Also:

`pb->stride * pb->height`

will also trigger integer overflow, then `pdata` will subtract the wrong length at line 50. At line 51, `fread` reads data from the file and copies it to the allocated buffer. The `pb->stride` is bigger than `pb->stride * pb->height` and will lead to heap corruption.
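The chain described in the report (an `int` stride that wraps for a large `width`, then `stride * height` wrapping again before the buffer is sized and filled by `fread`) comes down to unchecked arithmetic on header-controlled values. The following is an added example, not ffjpeg's bmp.c and not the fix referenced in this thread, of how a decoder can size the pixel buffer with checked 64-bit arithmetic, reject a stride that does not fit the 32-bit struct field, enforce an allocation budget, and bounds-check the input before copying. The function names, the error codes and the 1 GiB budget are assumptions; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical hardened sizing for a BMP decoder (not ffjpeg's code). */
enum {
    BMP_OK            = 0,
    BMP_ERR_DIMS      = -1,  /* non-positive width, zero height, bad bpp */
    BMP_ERR_OVERFLOW  = -2,  /* stride or stride*height does not fit */
    BMP_ERR_TOO_LARGE = -3,  /* exceeds the decoder's allocation budget */
    BMP_ERR_SHORT     = -4   /* file holds fewer bytes than the header claims */
};

/* Assumed per-image budget; a real decoder chooses its own. */
#define BMP_MAX_PIXEL_BYTES ((uint64_t)1 << 30)

/* Compute the 4-byte-aligned row stride and total pixel-buffer size.
 * width/height mirror the 32-bit header fields; bpp is bits per pixel. */
int bmp_buffer_size(int32_t width, int32_t height, int bpp,
                    int32_t *stride_out, size_t *size_out)
{
    if (width <= 0 || height == 0 || bpp <= 0 || bpp > 32)
        return BMP_ERR_DIMS;

    /* A negative height means a top-down bitmap; only the magnitude matters. */
    uint64_t rows = (height < 0) ? (uint64_t)(-(int64_t)height) : (uint64_t)height;

    /* 64-bit intermediates: width*bpp <= (2^31-1)*32 cannot wrap here. */
    uint64_t bits   = (uint64_t)width * (uint64_t)bpp;
    uint64_t stride = ((bits + 31) / 32) * 4;

    /* The struct field is a 32-bit int, so a stride that does not fit is rejected
     * instead of silently wrapping. */
    if (stride > (uint64_t)INT32_MAX)
        return BMP_ERR_OVERFLOW;

    uint64_t total;
    if (__builtin_mul_overflow(stride, rows, &total))
        return BMP_ERR_OVERFLOW;
    if (total > BMP_MAX_PIXEL_BYTES)
        return BMP_ERR_TOO_LARGE;

    *stride_out = (int32_t)stride;
    *size_out   = (size_t)total;
    return BMP_OK;
}

/* Copy the pixel area out of an in-memory file image (file_len bytes at file),
 * the same shape as a decoder that allocates and then fread()s. On success the
 * caller owns *out. The file length is checked before any byte is copied. */
int bmp_load_pixels(const uint8_t *file, size_t file_len, size_t pixel_off,
                    int32_t width, int32_t height, int bpp,
                    uint8_t **out, size_t *out_len)
{
    int32_t stride;
    size_t size;
    int rc = bmp_buffer_size(width, height, bpp, &stride, &size);
    if (rc != BMP_OK)
        return rc;
    if (pixel_off > file_len || file_len - pixel_off < size)
        return BMP_ERR_SHORT;

    uint8_t *buf = calloc(1, size);   /* exactly the checked stride*rows bytes */
    if (!buf)
        return BMP_ERR_TOO_LARGE;
    memcpy(buf, file + pixel_off, size);
    *out = buf;
    *out_len = size;
    return BMP_OK;
}

int main(void)
{
    int32_t stride;
    size_t size;
    /* Constructed header values: an oversized width of the kind the report describes. */
    int rc = bmp_buffer_size(0x40000000, 1, 32, &stride, &size);
    printf("width 0x40000000 @32bpp -> rc %d (stride would not fit an int)\n", rc);
    rc = bmp_buffer_size(100, 50, 24, &stride, &size);
    printf("100x50 @24bpp -> rc %d stride %d size %zu\n", rc, stride, size);
    return 0;
}
```

The two checks that matter are the comparison of the 64-bit stride against `INT32_MAX` (the wrap the report attributes to the `int` field) and the overflow-checked `stride * rows` product before `calloc`; the length check in `bmp_load_pixels` then makes a short or truncated file an error rather than a copy into a buffer sized from bad arithmetic.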