Apple Mac OSX 10.4.8 - ImageIO GIF Image Integer Overflow

EDB-ID:

29620


Author:

Tom Ferris

Type:

dos


Platform:

OSX

Date:

2007-02-20


source: https://www.securityfocus.com/bid/22630/info

Apple Mac OS X ImageIO is prone to an integer-overflow vulnerability because it fails to handle specially crafted image files.

A remote attacker can exploit this issue to cause denial-of-service conditions and potentially to execute code, but this has not been confirmed.

This issue affects Mac OS X 10.4.8; previous versions may also be affected. 




Release Date:
February 19th, 2007

Severity:
High

Vendor:
Apple

Versions Affected:
OSX 10.4.8

Overview:
An integer overflow vulnerability exists within ImageIO when processing a malformed .gif file. This allows for an attacker to cause the application to crash, and or to execute arbitrary code on the targeted host.

Technical Details:
When decompressing a specially crafted .gif file, the gifGetBandProc function within ImageIO incorrectly parses the malformed data causing the application to segmentation fault. 

Below the crash is triggered on OS X 10.4.8 using Safari:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x3991b000
0x918f2dc5 in gifGetBandProc ()
(gdb) bt
#0 0x918f2dc5 in gifGetBandProc ()
#1 0x918ec8ea in CGImagePlusUpdateCache ()
#2 0x918ec606 in CGImagePlusCreateImage ()
#3 0x952356c0 in -[WebImageData _cacheImages:allImages:] ()
#4 0x952355f3 in -[WebImageData imageAtIndex:] ()

Thread 0 crashed with i386 Thread State:
eax: 0x396e2000 ebx: 0x918f2bcc ecx:0x00000033 edx: 0x00027f84
edi: 0x15fb9ad0 esi: 0x00000033 ebp:0xbfffd5d8 esp: 0xbfffd140
ss: 0x0000002f efl: 0x00010206 eip:0x918f2db7 cs: 0x00000027
ds: 0x0000002f es: 0x0000002f fs:0x00000000 gs: 0x00000037

Vendor Status:
Apple was notified on 9/8/2006

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com



https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29620-1.gif

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29620-2.gif