Message-ID: <CAFmK-Gyjez9Qm=KVOOfO8b_WMWUYKUe9T4xCAurZTj17c_JE3w@mail.gmail.com>
Date: Thu, 11 Sep 2025 03:07:40 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libicns v0.8.1 Signed Integer Overflow in libicns during .icns file parsing
libicns incorrectly handles certain byte values when parsing .icns files.
Specifically, shifting a byte with value 255 by 24 bits in a signed 32-bit
integer causes an integer overflow, as the resulting value exceeds the
maximum representable value for a signed int.
*Impact:*
- Applications using libicns may crash or terminate parsing when
processing a malicious .icns file.
- Overflow may propagate to other computations or data structures,
potentially causing memory corruption in downstream code.
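The shift the advisory describes, with the corrected form beside it, as an added example (not libicns' own code, whose source is not reproduced on this page; the shape of the overflowing reader is an assumption based on the UBSan message). Widening each byte to an unsigned type before shifting keeps every intermediate value within a defined range, and the bounds-checked wrapper refuses to read past the end of the input buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed shape of the pattern the advisory reports: p[0] is promoted to
 * int, so a byte of 255 shifted left by 24 exceeds INT_MAX, which is
 * undefined behaviour in C. Building with -fsanitize=undefined reports
 * exactly the "left shift of 255 by 24 places" diagnostic seen above.
 * Kept here for comparison only; it is not called. */
static int32_t read_be32_overflowing(const uint8_t *p)
{
    return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

/* Hardened form: cast each byte to uint32_t before shifting, so the
 * arithmetic is unsigned and the top bit is just another bit. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bounds-checked reader: returns 0 and writes *out on success, -1 if the
 * 4-byte field at 'off' would extend past the end of the buffer. */
static int read_be32_checked(const uint8_t *buf, size_t len, size_t off,
                             uint32_t *out)
{
    if (len < 4 || off > len - 4)
        return -1;
    *out = read_be32(buf + off);
    return 0;
}

/* Constructed sample: a 4-byte big-endian field whose first byte is 0xFF,
 * the case that trips the signed shift. */
static const uint8_t sample[4] = { 0xFF, 0x00, 0x00, 0x01 };

int main(void)
{
    uint32_t v = 0;
    (void)read_be32_overflowing;  /* unused on purpose */
    if (read_be32_checked(sample, sizeof sample, 0, &v) == 0)
        printf("0x%08X\n", v);    /* 0xFF000001 */
    return 0;
}
```

The signed-int version still "works" on most compilers, which is why this class of bug survives until a sanitizer run; the defined-behaviour version costs nothing at runtime and also removes the sign-extension surprise when the result is later widened to 64 bits.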
*Proof of Concept:*
ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./icnsutils/icns2png -l crafted_padded.icns
*Observed Output:*
icns_io.c:71:40: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
    #0 0xaaaae4257704 in icns_read_be /root/libicns/src/icns_io.c:71:40
    #1 0xaaaae4257704 in icns_icns_header_check /root/libicns/src/icns_io.c:1380:2
    #2 0xaaaae4256a60 in icns_read_family_from_file /root/libicns/src/icns_io.c:318:6
    #3 0xaaaae4247330 in ExtractAndDescribeIconFamilyFile /root/libicns/icnsutils/icns2png.c:433:10
    #4 0xaaaae42459a4 in main /root/libicns/icnsutils/icns2png.c:263:26
libicns: icns_read_family_from_file: Error reading icns file - all parsing methods failed!