2017-01-23

TALOS-2016-0223

Libbpg BPG image decoding Code Execution Vulnerability

January 23, 2017

Report ID

CVE-2016-8710

Summary

An exploitable out-of-bounds heap write vulnerability exists in the decoding of BPG images in the libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow that results in an out-of-bounds heap write, leading to remote code execution. This vulnerability can be triggered by attempting to decode a crafted BPG image using libbpg.

Tested Versions

Libbpg - 0.9.4 and 0.9.7

Product URLs

http://bellard.org/bpg/bpg_spec.txt

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

BPG (Better Portable Graphics) is an image format created in 2014 based on the HEVC video compression standard. BPG has been praised for its ability to produce the same quality image as JPEG or JPEG XR in a much smaller file size. It is currently in line to be incorporated into the multimedia player VLC.

During the decoding of a BPG image, in the restore_tqb_pixels function, an attacker-controlled integer underflow can occur [1] during the calculation of the offsets for the src and dst operands of a memcpy. Because of the underflows, the resulting addresses passed to the memcpy [2] lie outside the bounds of the original heap structures, resulting in an out-of-bounds write condition.
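As an added illustration (constructed here, not libbpg's restore_tqb_pixels code), the following C model shows the bug shape the advisory describes: an unsigned offset computation that underflows when an attacker-controlled header field exceeds the value it is subtracted from, next to a hardened routine that rejects the underflow and bounds-checks the copy. The frame_t type, the pad field and the try_restore helper are hypothetical names chosen for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame buffer; rows are stride bytes apart. */
typedef struct { uint8_t *data; size_t stride; size_t height; } frame_t;

/* Vulnerable form: the block origin (x0, y0) and a border "pad" come from the
 * file. Both subtractions are unsigned, so pad > x0 or pad > y0 wraps to a
 * huge offset and the later memcpy lands outside the heap buffer. */
size_t unchecked_dst_offset(size_t x0, size_t y0, size_t pad, size_t stride)
{
    return (y0 - pad) * stride + (x0 - pad);
}

/* Hardened form: refuse any subtraction that would underflow, then make sure
 * the whole w x h block and the source fit before copying a row at a time. */
int restore_block_checked(frame_t *f, const uint8_t *src, size_t src_len,
                          size_t x0, size_t y0, size_t pad, size_t w, size_t h)
{
    if (pad > x0 || pad > y0) return -1;                 /* would underflow */
    size_t x = x0 - pad, y = y0 - pad;
    if (w > f->stride || x > f->stride - w) return -1;  /* past row end */
    if (h > f->height || y > f->height - h) return -1;  /* past last row */
    if (w != 0 && src_len / w < h) return -1;           /* source too short */
    for (size_t r = 0; r < h; r++)
        memcpy(f->data + (y + r) * f->stride + x, src + r * w, w);
    return 0;
}

/* Runs the hardened routine on a constructed 16x16 frame with a constructed
 * 4x4 block of 0xAB bytes (sample data, not from any image). Returns the
 * restore result, or -2 if the copy succeeded but landed in the wrong place. */
int try_restore(size_t x0, size_t y0, size_t pad)
{
    enum { W = 16, H = 16, BW = 4, BH = 4 };
    uint8_t buf[W * H] = {0}, block[BW * BH];
    memset(block, 0xAB, sizeof block);
    frame_t f = { buf, W, H };
    int rc = restore_block_checked(&f, block, sizeof block, x0, y0, pad, BW, BH);
    if (rc == 0 && buf[(y0 - pad) * W + (x0 - pad)] != 0xAB) rc = -2;
    return rc;
}

int main(void)
{
    printf("sane offset: %zu\n", unchecked_dst_offset(5, 2, 1, 64));
    printf("wrapped offset: %zu\n", unchecked_dst_offset(2, 3, 4, 64));
    printf("checked restore, pad > origin: %d\n", try_restore(2, 3, 4));
    return 0;
}
```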

Crash Information

In the above valgrind output, an out-of-bounds write is recorded.

Mitigation

The following patch will fix the vulnerability, but it is untested as to whether it breaks any legitimate images.

Credit

Discovered by Cory Duplantis of Cisco Talos.

Timeline

2017-10-20 - Vendor Disclosure

2017-01-23 - Public Release
