XnView 1.98.8 PCT Image Processing Heap Overflow

2012-06-22 16:18:58

#####################################################################################

Application: XnView PCT Image Processing Heap Overflow
Platforms: Windows

Secunia: SA48666

{PRL}: 2012-17

Author: Francis Provencher (Protek Research Lab's)

Website: http://www.protekresearchlab.com/

Twitter: @ProtekResearch


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============
XnView is a cross-platform image viewer used for viewing, converting, organising and editing graphical & video files.
It is free of charge for private, educational and non-profit organisations. For commercial use and distribution,
the user must register the program. It is popular with users as it provides features normally found only
in commercial image viewers.

(http://en.wikipedia.org/wiki/XnView)

#####################################################################################

============================
2) Report Timeline
============================

2012-05-15 Vulnerability reported to Secunia
2012-06-21 Vendor disclose patch


#####################################################################################

============================
3) Technical details
============================
Insufficient validation when decompressing PCT images can be exploited
to cause a heap-based buffer overflow.

The vulnerabilities are confirmed in version 1.98.8. Other versions may also be affected

#####################################################################################

===========
4) The Code
===========

http://protekresearchlab.com/exploits/PRL-2012-17.pct
http://www.exploit-db.com/sploits/19336.pct

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.