Multiply integer overflow in AllocateDataSet #171
Comments
Hi, thanks for your detailed report and for the patch. Having examined the source, it seems to me it is safer and makes more sense to limit the amount of data that a CGATS file can hold. I have modified the code to deal with such situation.
This vulnerability is assigned CVE-2018-16435.
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue on Sep 5, 2018:
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile. For more details, see: mm2/Little-CMS#171 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16435 The upstream fix unfortunately includes a number of unrelated changes, but these files are not used when building for Linux. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue on Sep 28, 2018:
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile. For more details, see: mm2/Little-CMS#171 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16435 The upstream fix unfortunately includes a number of unrelated changes, but these files are not used when building for Linux. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 9f81f57) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue on Sep 28, 2018:
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile. For more details, see: mm2/Little-CMS#171 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16435 The upstream fix unfortunately includes a number of unrelated changes, but these files are not used when building for Linux. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 9f81f57) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
VULNERABILITY DETAILS
I have audited the source code of the lcms library and I have found a vulnerability in the AllocateDataSet function (cmscgats.c). The attached it8 could crash lcms when ASAN was enabled on Linux. This vulnerability is assigned CVE-2018-16435.

If nSamples is 2 and nPatches is 0x55555555, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) * sizeof (char*) is larger than the maximum representable value (0xffffffff). The result of an overflow is that the least significant representable bits of the result are stored. Data will point to a small memory region and cannot be used to store large data.

REPRODUCTION CASE
The following code will trigger the crash:
ASAN Log:
PATCH
I have checked the latest version of LCMS. The vulnerability still exists.
https://github.com/mm2/Little-CMS/blob/master/src/cmscgats.c#L1509
Testcase:
AllocateDataSet.crash.IT8.txt
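The arithmetic the report describes, written out as an added example (this is not code from Little-CMS, from the upstream fix, or from the reporter). The unchecked function reproduces the size expression quoted in the report so the 32-bit wrap can be observed with the report's own values (nSamples = 2, nPatches = 0x55555555); the checked function is one way to reject such a request before anything is allocated, in the spirit of the maintainer's remark about capping how much data a CGATS table may hold. Assumptions: cmsUInt32Number is typedef'd locally as uint32_t to mirror lcms' type, and MAX_DATASET_BYTES is a constructed cap for illustration, not the limit chosen upstream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: mirrors lcms' 32-bit unsigned integer type. */
typedef uint32_t cmsUInt32Number;

/* Constructed policy cap for this example; NOT the value used in the upstream fix. */
#define MAX_DATASET_BYTES ((size_t)64u * 1024u * 1024u)

/* The size expression exactly as the report quotes it. Both 32-bit factors
   are multiplied in 32-bit unsigned arithmetic, so the product wraps before
   it is widened by the multiplication with sizeof(char*). */
static size_t unchecked_dataset_bytes(cmsUInt32Number nSamples, cmsUInt32Number nPatches)
{
    return ((cmsUInt32Number)nSamples + 1) * ((cmsUInt32Number)nPatches + 1) * sizeof(char *);
}

/* Hardened variant: do the arithmetic in 64 bits, refuse anything that would
   not fit size_t or that exceeds the per-table cap. Returns false on rejection. */
static bool checked_dataset_bytes(cmsUInt32Number nSamples, cmsUInt32Number nPatches,
                                  size_t elem_size, size_t cap, size_t *out)
{
    uint64_t rows = (uint64_t)nSamples + 1;   /* cannot wrap in 64 bits */
    uint64_t cols = (uint64_t)nPatches + 1;

    if (elem_size == 0 || out == NULL)
        return false;
    /* rows * cols fits in 64 bits only if rows <= UINT64_MAX / cols */
    if (rows > UINT64_MAX / cols)
        return false;
    uint64_t cells = rows * cols;
    if (cells > UINT64_MAX / elem_size)
        return false;
    uint64_t bytes = cells * elem_size;
    /* Must fit the allocator's size_t and stay under the policy cap. */
    if (bytes > (uint64_t)SIZE_MAX || bytes > (uint64_t)cap)
        return false;
    *out = (size_t)bytes;
    return true;
}

int main(void)
{
    cmsUInt32Number nSamples = 2, nPatches = 0x55555555u; /* values from the report */
    size_t bytes;

    printf("unchecked: %zu bytes (after 32-bit wrap)\n",
           unchecked_dataset_bytes(nSamples, nPatches));
    if (checked_dataset_bytes(nSamples, nPatches, sizeof(char *), MAX_DATASET_BYTES, &bytes))
        printf("checked: %zu bytes\n", bytes);
    else
        printf("checked: request rejected\n");
    return 0;
}
```

With the report's values, 3 * 0x55555556 is 0x100000002, which a 32-bit unsigned multiply stores as 2, so the unchecked expression yields only 2 * sizeof(char*) bytes for a table that later receives far more data. The checked version never lets the factors wrap, and the cap catches the request even on a 64-bit host where the honest byte count would fit size_t.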