CImg Denial-of-Service bug

[IceCool10]

Hello,

I've identified a denial-of-service vulnerability in the tiv image viewer related to the Clmg library's handling of .cimg files. I have attached a report with all the details, including a description of the issue, affected versions, a stack trace, and a suggested fix.

Please let me know if you have any questions.

CImg_DoS.pdf

[dtschump]

Thanks. Look interesting. I'm currently on vacations, but I'll check that next week, definitely.

[dtschump]

Should be fixed with latest commit.

[IceCool10]

I can confirm that an exception occurs now and no crash.

[CImg] *** CImgIOException *** [instance(0,0,0,0,(nil),non-shared)] CImg<uint8>::load(): Failed to recognize format of file 'minimized_crash'.
Error: 'minimized_crash' has an unrecognized file format

Thank you for addressing this.
Since I’m building a personal portfolio and expanding my hands-on experience in cybersecurity, I’d like to ask if it’s acceptable to post a write-up (PDF) of my findings on my personal GitHub now that the issue is fixed.

[dtschump]

Since I’m building a personal portfolio and expanding my hands-on experience in cybersecurity, I’d like to ask if it’s acceptable to post a write-up (PDF) of my findings on my personal GitHub now that the issue is fixed.

Definitely yes.
Thanks again for the bug report.

[IceCool10]

Closing this issue as the fix has been merged and verified.
Thanks for addressing it promptly and for granting permission to publish my write-up.

[stefanhaustein]

Are you planning a release soon? I am a bit hesitant to pull in the development version?

[dtschump]

@stefanhaustein yes, my plan is to release version 3.6.0 in early September.