Apple OS X ImageIO "gifGetBandProc" Integer Overflow

Release Date:
February 19th, 2007

Severity:
High

Vendor:
Apple

Versions Affected:
OSX 10.4.8

Overview:
An integer overflow vulnerability exists within ImageIO when processing a malformed .gif file. This allows for an attacker to cause the application to crash, and or to execute arbitrary code on the targeted host.

Technical Details:
When decompressing a specially crafted .gif file, the gifGetBandProc function within ImageIO incorrectly parses the malformed data causing the application to segmentation fault.

Below the crash is triggered on OS X 10.4.8 using Safari:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x3991b000
0x918f2dc5 in gifGetBandProc ()
(gdb) bt
#0 0x918f2dc5 in gifGetBandProc ()
#1 0x918ec8ea in CGImagePlusUpdateCache ()
#2 0x918ec606 in CGImagePlusCreateImage ()
#3 0x952356c0 in -[WebImageData _cacheImages:allImages:] ()
#4 0x952355f3 in -[WebImageData imageAtIndex:] ()

Thread 0 crashed with i386 Thread State:
eax: 0x396e2000 ebx: 0x918f2bcc ecx:0x00000033 edx: 0x00027f84
edi: 0x15fb9ad0 esi: 0x00000033 ebp:0xbfffd5d8 esp: 0xbfffd140
ss: 0x0000002f efl: 0x00010206 eip:0x918f2db7 cs: 0x00000027
ds: 0x0000002f es: 0x0000002f fs:0x00000000 gs: 0x00000037

Vendor Status:
Apple was notified on 9/8/2006

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/sp-x39-advisory.php
http://security-protocols.com/poc/sp-x39.gif
http://security-protocols.com/poc/sp-x39-source.gif
http://apple.com

Security-Protocols.com :: 1999-2008