freeimage: Multiple vulnerabilities (CVE-2019-12211, CVE-2019-12212, CVE-2019-12213, CVE-2019-12214)
CVE-2019-12211: heap-based buffer overflow in PluginTIFF.cpp
When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow.
References:
- https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
- https://sourceforge.net/p/freeimage/svn/1825/
CVE-2019-12212: stack exhaustion in function StreamCalcIFDSize in JXRMeta.c
When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize function of JXRMeta.c repeatedly calls itself due to improper processing of the file, eventually causing stack exhaustion. An attacker can achieve a remote denial of service attack by sending a specially constructed file.
References:
- https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
- https://security-tracker.debian.org/tracker/CVE-2019-12212
CVE-2019-12213: stack exhaustion in function TIFFReadDirectory in PluginTIFF.cpp
When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory function in PluginTIFF.cpp always returns 1, leading to stack exhaustion.
References:
- https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
- https://sourceforge.net/p/freeimage/svn/1825/
CVE-2019-12214: out-of-bounds access in function j2k_read_ppm_v3 in j2k.c
In FreeImage 3.18.0, an out-of-bounds access occurs because of mishandling of the OpenJPEG j2k_read_ppm_v3 function in j2k.c. The value of l_N_ppm comes from the file read in, and the code does not consider that l_N_ppm may be greater than the size of p_header_data.
References:
https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
Affected branches:
-
master