
Full Disclosure mailing list archives
libvips v8.18.0 Function Pointer Type Confusion in libvips Callback Dispatch
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 10:52:52 -0400
Multiple functions in libvips invoke callbacks through incorrectly cast function pointers, resulting in Undefined Behavior (UB). At runtime, callbacks such as search_package, vips_class_map_all, vips_foreign_find_load_sub, vips_object_real_postbuild, and vips_area_free_cb are called through function pointer types that do not match their actual signatures. This is benign in practice on x86-64, where the calling convention tolerates such mismatches, but on stricter ABIs (e.g., AArch64/ARM64) the mismatch can lead to stack/register corruption, abnormal memory writes, or program crashes. If attacker-controlled input (e.g., crafted image metadata or file paths) influences callback selection, this may be escalated to remote code execution (RCE).

*Impact*

- Incorrect assumptions about function signatures cause UB.
- Process crash from corrupted registers/stack.
- Possible escalation to code execution if the attacker can control which callback is invoked and with what arguments.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./builddir/tools/vips copy input.jpg output.png

*Output:*

../libvips/deprecated/package.c:824:13: runtime error: call to function search_package through pointer to incorrect function type 'void *(*)(void *, void *, void *)'
/root/libvips/builddir/../libvips/deprecated/package.c:835: note: search_package defined here
    #0 0xffffaf056a50 in im_map_packages /root/libvips/builddir/../libvips/deprecated/package.c:824:13
    #1 0xffffaf056a50 in im_find_function /root/libvips/builddir/../libvips/deprecated/package.c:850:20
    #2 0xaaaac0e5f068 in main /root/libvips/builddir/../tools/vips.c:847:9
    #3 0xffffadc62290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffadc62374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaac0d7c76c in _start (/root/libvips/builddir/tools/vips+0x3c76c) (BuildId: e10c072d9b4760bd011ba0b9daba8652453d8ea5)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
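The following is an added, self-contained C example (editor's illustration, not libvips source and not part of the original post) that reproduces the bug class described above in miniature: a generic map-style dispatcher that calls every callback through a three-argument `void *(*)(void *, void *, void *)` pointer, a callback written with a different signature and forced through a cast (the pattern UBSan's `-fsanitize=function` flags as "call to function ... through pointer to incorrect function type"), and the fix, which is a thin adapter whose type matches the dispatcher exactly so no function-pointer cast is needed. The `Package` struct, the `SListMap2Fn` typedef name, the sample package table and all function names are assumptions chosen to mirror the `im_map_packages` / `search_package` frames in the trace; they are not the library's own definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the dispatch pattern the advisory
 * describes; none of this is libvips source. */
typedef struct {
    const char *name;  /* package name, e.g. "arithmetic" */
    int nfuncs;        /* number of operations the package registers */
} Package;

/* Generic three-argument map callback type (assumed name; libvips uses a
 * similar typedef, but its exact definition is not quoted in the advisory). */
typedef void *(*SListMap2Fn)(void *item, void *a, void *b);

/* Generic dispatcher: calls fn(item, a, b) on each package and returns the
 * first non-NULL result, the way im_map_packages() drives search_package(). */
static void *map_packages(Package **pkgs, size_t n,
                          SListMap2Fn fn, void *a, void *b)
{
    for (size_t i = 0; i < n; i++) {
        void *result = fn(pkgs[i], a, b);
        if (result)
            return result;
    }
    return NULL;
}

/* Callback written with its "natural" two-argument signature. */
static void *search_package(Package *pkg, const char *name)
{
    return strcmp(pkg->name, name) == 0 ? pkg : NULL;
}

/* VULNERABLE pattern: the cast silences the compiler, but the call inside
 * map_packages() then invokes a 2-arg function through a 3-arg pointer type.
 * That is undefined behaviour; clang -fsanitize=function reports the same
 * "call to function ... through pointer to incorrect function type" error
 * shown in the advisory. The intermediate cast to void (*)(void) only keeps
 * GCC's -Wcast-function-type warning quiet; it does not make the call legal. */
static Package *find_package_unsafe(Package **pkgs, size_t n, const char *name)
{
    SListMap2Fn fn = (SListMap2Fn) (void (*)(void)) search_package;
    return map_packages(pkgs, n, fn, (void *) name, NULL);
}

/* FIXED pattern: an adapter whose type matches the dispatcher exactly.
 * It recovers the typed arguments and forwards to search_package(); no
 * function-pointer cast exists anywhere, so the sanitizer check cannot fire
 * and the ABI sees a call whose prototype matches the callee on every target. */
static void *search_package_cb(void *item, void *a, void *b)
{
    (void) b;  /* the unused third argument is legitimately ignored here */
    return search_package((Package *) item, (const char *) a);
}

static Package *find_package(Package **pkgs, size_t n, const char *name)
{
    return map_packages(pkgs, n, search_package_cb, (void *) name, NULL);
}

/* Constructed sample table standing in for the libvips package list. */
static Package arith = { "arithmetic", 40 };
static Package conv  = { "convolution", 12 };
static Package *sample_packages[] = { &arith, &conv };
#define SAMPLE_COUNT (sizeof sample_packages / sizeof sample_packages[0])

int main(void)
{
    Package *p = find_package(sample_packages, SAMPLE_COUNT, "convolution");
    printf("typed adapter:   %s\n", p ? p->name : "(not found)");

    /* Build with: clang -g -fsanitize=function example.c && ./a.out
     * The next call then aborts with the UBSan "incorrect function type"
     * diagnostic; without the sanitizer it usually appears to work on x86-64,
     * which is exactly why the bug class goes unnoticed until a stricter
     * target or a CFI-enforcing build hits it. */
    p = find_package_unsafe(sample_packages, SAMPLE_COUNT, "convolution");
    printf("casted callback: %s\n", p ? p->name : "(not found)");
    return 0;
}
```

The practical check for a code base is the one the reporter used: build with `clang -fsanitize=function` (or `-fsanitize=undefined`, which includes it on recent clang releases) and run the normal test suite; every mismatched indirect call is reported with the pointer type it was made through and the line where the real function is defined, so the adapter can be written to the dispatcher's declared type rather than papered over with another cast.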