Full Disclosure mailing list archives

libicns v0.8.1 Signed Integer Overflow in libicns during .icns file parsing


From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 11 Sep 2025 03:07:40 -0400

libicns incorrectly handles certain byte values when parsing .icns files.
Specifically, left-shifting a byte with value 255 by 24 bits into a signed
32-bit integer overflows it: the result (0xFF000000) exceeds the maximum
representable value for a signed int, which is undefined behaviour in C.


*Impact:*

   - Applications using libicns may crash or terminate parsing when
   processing a malicious .icns file.
   - Overflow may propagate to other computations or data structures,
   potentially causing memory corruption in downstream code.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./icnsutils/icns2png -l crafted_padded.icns

*Observed Output:*

icns_io.c:71:40: runtime error: left shift of 255 by 24 places cannot be
represented in type 'int'
    #0 0xaaaae4257704 in icns_read_be /root/libicns/src/icns_io.c:71:40
    #1 0xaaaae4257704 in icns_icns_header_check /root/libicns/src/icns_io.c:1380:2
    #2 0xaaaae4256a60 in icns_read_family_from_file /root/libicns/src/icns_io.c:318:6
    #3 0xaaaae4247330 in ExtractAndDescribeIconFamilyFile /root/libicns/icnsutils/icns2png.c:433:10
    #4 0xaaaae42459a4 in main /root/libicns/icnsutils/icns2png.c:263:26

libicns: icns_read_family_from_file: Error reading icns file - all parsing
methods failed!
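As an added illustration (not libicns's own code), the promoted-int shift pattern the sanitizer reports is shown next to a reader that widens each byte to uint32_t first, plus a small header check that refuses a constructed 0xFF000000 length instead of letting it propagate; the header struct, function names and sample bytes are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed .icns header: 4-byte magic "icns" + big-endian 32-bit total
   length.  Struct and function names are constructed for this example. */
typedef struct {
    char     magic[4];
    uint32_t length;
} icns_hdr_t;

/* The pattern the sanitizer flags: bytes promote to int, so a 0xFF byte
   shifted 24 places overflows a signed int (UB).  Comparison only. */
int32_t read_be32_unsafe(const unsigned char *p)
{
    return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

/* Hardened reader: widen each byte to uint32_t before shifting, so the
   result is defined for all 256 byte values and never touches int. */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse and validate an 8-byte header: 0 on success, -1 when the buffer
   is short, the magic is wrong, or the declared length does not fit the
   data supplied (so 0xFF000000 is refused here, not used downstream). */
int icns_parse_header(const unsigned char *buf, size_t len, icns_hdr_t *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    memcpy(out->magic, buf, 4);
    out->length = read_be32(buf + 4);
    if (memcmp(out->magic, "icns", 4) != 0)
        return -1;
    if (out->length < 8 || out->length > len)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed header whose first length byte is 0xFF, as in the crash. */
    const unsigned char crafted[8] = {'i','c','n','s', 0xFF, 0, 0, 0};
    icns_hdr_t h;
    int rc = icns_parse_header(crafted, sizeof crafted, &h);
    printf("length=0x%08x rc=%d\n", (unsigned)h.length, rc);
    return 0;
}
```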
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/