CVE-2024-26540: heap-buffer-overflow in load_analyze(...) #403
Comments
Does 6a97a52 seem to be a good solution to you?
This will indeed fix the underflow issue that causes the To give you an example, a For example here:

```cpp
CImg<T>& _load_analyze(std::FILE *const file, const char *const filename, float *const voxel_size=0) {
  // ...
  if (endian) {
    cimg::invert_endianness((short*)(header + 40),5); // <--- Out of bounds access
    cimg::invert_endianness((short*)(header + 70),1); // ---
    cimg::invert_endianness((short*)(header + 72),1); // ---
    cimg::invert_endianness((float*)(header + 76),4); // ---
    cimg::invert_endianness((float*)(header + 108),1); // ---
    cimg::invert_endianness((float*)(header + 112),1); // ---
  }
  // ...
}
```

Or here:

```cpp
CImg<T>& _load_analyze(std::FILE *const file, const char *const filename, float *const voxel_size=0) {
  // ...
  if (nfile_header==nfile) {
    const unsigned int vox_offset = (unsigned int)*(float*)(header + 108); // <--- Out of bounds access
    std::fseek(nfile,vox_offset,SEEK_SET);
  }
  // ...
}
```

Since the code of Additionally, I believe that it's also crucial to check the return value of the Let me know if you need any further clarification or reproduction cases/files.
According to https://brainder.org/2012/09/23/the-nifti-file-format/, the header size for Analyze and NIFTI files should be 348 bytes, so a more strict check may be possible (let's say at least My proposal: ec6a1f2 Can you tell me if that seems ok?
Sorry, cb9c551
Yes! The changes look good to me. Thank you for the quick responses regarding this issue :) Best,
Vulnerability Report

Summary

It is possible to cause a heap-buffer-overflow in CImg by passing a corrupted file as an input to the `load_analyze` function that is meant to process ANALYZE 7.5/NIFTI files.

Details

The issue is present in the `_load_analyze` function, and it has to do with the fact that after reading the `header_size` variable, there is no check if its value is bigger than 4 bytes. Therefore, providing a `header_size` smaller than 4 bytes will make the first argument of `cimg::fread` point out of bounds of the `header` buffer, while it will subsequently underflow the second parameter (the size) passed to the function:

Due to how `cimg::fread` is implemented this will write all the contents of the corrupted file out of bounds of the `header` buffer, enabling an attacker to control both the size and the contents of the overflow.

Version

Tested on CImg 3.3.2

Reproduction

Simply call `load_analyze(..)` with the "corrupted" file attached in this issue as an input.

ASAN Report

poc.zip
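As an added example (not CImg's own code, and not the fix in the commits referenced in the thread), the following C++ models the header-size handling in `_load_analyze` that both this report and the follow-up comment describe: `unchecked_tail_request` shows the unsigned wrap of `header_size - 4` that drives the overflow, and `read_analyze_header` is a hardened reader that checks every `cimg::fread`-style return value and requires a full 348-byte ANALYZE/NIfTI header before any fixed-offset access (offsets 40 to 116 from the quoted snippet). `MemFile`, `mem_fread`, the 4096 byte-order heuristic, the 1 MiB size cap and the sample header bytes are this example's own constructions, not CImg's.

```cpp
// Added example, not CImg's code: a minimal model of _load_analyze()'s header
// handling, with the unchecked arithmetic from the report beside a hardened
// reader. Names and thresholds below are this example's own choices.
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// ANALYZE 7.5 / NIfTI-1 headers are 348 bytes; the fixed-offset accesses in
// _load_analyze() (header + 40 ... header + 116) assume at least that much.
static const unsigned int ANALYZE_HEADER_SIZE = 348;

// In-memory stand-in for std::FILE so the example runs offline.
struct MemFile {
    std::vector<unsigned char> data;
    size_t pos = 0;
};

// Same contract as cimg::fread: read up to nmemb items of `size` bytes and
// return how many items arrived (short on EOF). It writes as many bytes into
// dst as the caller asked for and the file can supply, which is why a wrapped
// count against a small buffer becomes the overflow described in the report.
static size_t mem_fread(void *dst, size_t size, size_t nmemb, MemFile &f) {
    size_t want = size * nmemb, avail = f.data.size() - f.pos;
    size_t got = want < avail ? want : avail;
    std::memcpy(dst, f.data.data() + f.pos, got);
    f.pos += got;
    return got / size;
}

// The second cimg::fread argument as the unchecked code computes it. For
// header_size < 4 the unsigned subtraction wraps to ~4 GiB, so the read then
// copies the whole remaining file past a buffer of only header_size bytes.
static unsigned int unchecked_tail_request(unsigned int header_size) {
    return header_size - 4u;
}

static unsigned int bswap32(unsigned int v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

// Reverse the bytes of n consecutive elem-byte fields in place.
static void swap_fields(unsigned char *p, size_t elem, size_t n) {
    for (size_t i = 0; i < n; ++i) std::reverse(p + i * elem, p + (i + 1) * elem);
}

struct ParsedHeader {
    bool ok = false;
    std::string error;
    bool endian = false;      // file byte order differs from the host's
    std::vector<unsigned char> header;
    unsigned short dim0 = 0;  // short at offset 40, first field the endian fix-up touches
    float vox_offset = 0.f;   // float at offset 108, later handed to fseek()
};

// Hardened reader: every read is checked, and header_size is bounded on both
// sides before it is used for allocation, pointer arithmetic or field offsets.
static ParsedHeader read_analyze_header(MemFile &f) {
    ParsedHeader r;
    unsigned int header_size = 0;
    if (mem_fread(&header_size, 4, 1, f) != 1) { r.error = "truncated header_size"; return r; }
    // Byte-order guess: a sane size read with the wrong endianness looks huge.
    if (header_size >= 4096) { r.endian = true; header_size = bswap32(header_size); }
    // Demand a full header: header_size - 4 cannot wrap and offsets stay in bounds.
    if (header_size < ANALYZE_HEADER_SIZE) { r.error = "header_size too small"; return r; }
    // Example's own cap so a hostile size field cannot force a huge allocation.
    if (header_size > (1u << 20)) { r.error = "header_size implausibly large"; return r; }
    r.header.assign(header_size, 0);
    std::memcpy(r.header.data(), &header_size, 4);
    // A short read is an error, not a half-filled header parsed as complete.
    if (mem_fread(r.header.data() + 4, 1, header_size - 4, f) != header_size - 4) {
        r.error = "truncated header"; return r;
    }
    unsigned char *h = r.header.data();
    if (r.endian) {  // same fields and offsets as the snippet quoted in the thread
        swap_fields(h + 40, 2, 5); swap_fields(h + 70, 2, 1); swap_fields(h + 72, 2, 1);
        swap_fields(h + 76, 4, 4); swap_fields(h + 108, 4, 1); swap_fields(h + 112, 4, 1);
    }
    std::memcpy(&r.dim0, h + 40, 2);
    std::memcpy(&r.vox_offset, h + 108, 4);
    r.ok = true;
    return r;
}

// Constructed sample (not a real scan): a 348-byte header with dim[0] = 3 and
// vox_offset = 352, optionally byte-swapped to exercise the endian path.
static MemFile make_sample_header(bool foreign_endian) {
    MemFile f;
    f.data.assign(ANALYZE_HEADER_SIZE, 0);
    unsigned int sz = ANALYZE_HEADER_SIZE; unsigned short dim0 = 3; float vox = 352.f;
    std::memcpy(f.data.data(), &sz, 4);
    std::memcpy(f.data.data() + 40, &dim0, 2);
    std::memcpy(f.data.data() + 108, &vox, 4);
    if (foreign_endian) {
        swap_fields(f.data.data(), 4, 1); swap_fields(f.data.data() + 40, 2, 1);
        swap_fields(f.data.data() + 108, 4, 1);
    }
    return f;
}

// Constructed hostile input: a size field of n followed by `filler` bytes of 'A'.
static MemFile make_hostile(unsigned int n, size_t filler) {
    MemFile f;
    f.data.assign(4 + filler, 'A');
    std::memcpy(f.data.data(), &n, 4);
    return f;
}

int main() {
    std::printf("header_size=2 -> unchecked fread count %u\n", unchecked_tail_request(2));
    MemFile bad = make_hostile(2, 64);
    std::printf("hardened reader: %s\n", read_analyze_header(bad).error.c_str());
    MemFile good = make_sample_header(true);
    ParsedHeader p = read_analyze_header(good);
    std::printf("sample: ok=%d endian=%d dim0=%d vox_offset=%g\n", p.ok, p.endian, (int)p.dim0, p.vox_offset);
    return 0;
}
```

The minimum-size check is what closes both findings at once: with `header_size >= 348` the subtraction cannot wrap, and every `header + offset` the endian fix-up and the `vox_offset` read touch is inside the allocation. Checking the read count separately matters because a file that declares 348 bytes but ends early would otherwise be parsed from uninitialised or stale buffer contents.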