Cisco Blogs
Share

Vulnerability Spotlight: FreeImage Library XMP Image Handling Code Execution Vulnerability


October 3, 2016 - 1 Comment

FreeImage is widely used software integrated into over 100 products ranging from free to paid licensing and include multimedia software, games, developer tools, PDF generators and more.  FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP) that allows real-time managing of metadata.  Per Adobe, the XMP file format, allows users to “embed metadata into files themselves during the content creation process”, and FreeImage’s 3.17.0 integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image.  Generally speaking, when FreeImage 3.17.0 opens an XMP file with a large enough Colors Per Pixel value, i.e. the number is too large, it is not handled properly by follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water.  The water spills over and gets into areas you don’t want it to be.  In technical terms, the large value is not properly validated during the code execution and it can trigger an out of bounds write.  This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.

<<Read more>>



Tags:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

1 Comments

  1. As I go deeper into my reading process, of Talos' detailed explanations. I look every vulnerability as a master class, in the continuous and never ending learning process. Thank you for the valuable opportunity. Deeply appreciated. My respects to every member of Talos, well deserved.