Category

Image Parsing

Security vulnerabilities and automated fixes for image parsing issues

3 posts found

critical8 min

How buffer overflow in stb_image.h memcpy happens in C image parsing and how to fix it

A critical buffer overflow vulnerability was discovered in stb_image.h at line 4823, where a memcpy operation copied image data without validating buffer bounds. The multiplication of width (x) and channel count (img_n) could overflow or exceed allocated memory, allowing attackers to corrupt memory through malicious PNG files. The fix adds an explicit size_t cast to prevent integer overflow during the buffer size calculation.

#buffer-overflow#c-security#image-parsing+4 more
O
orbisai0security
Jul 6, 2026
high7 min

Heap Buffer Overflow in stb_image.h: How a Missing Bounds Check Could Lead to Code Execution

A critical heap buffer overflow vulnerability was discovered and patched in a vendored copy of `stb_image.h`, a popular single-header image loading library. The root cause was a missing bounds check that allowed attacker-controlled image data to trigger memory writes beyond allocated heap buffers, potentially enabling arbitrary code execution. A single defensive guard — rejecting negative buffer lengths before any memory operation — closes this dangerous attack vector.

#buffer-overflow#c-cpp#memory-safety+4 more
O
orbisai0security
May 28, 2026
critical8 min

Critical Integer Overflow in GIF Decoder: How a Simple Multiplication Can Lead to Heap Corruption

A critical integer overflow vulnerability was discovered and patched in the GIF decoder library `libnsgif`, where multiplying width, height, and pixel byte values from untrusted GIF headers could silently overflow, causing heap buffer corruption during image processing. This class of vulnerability is particularly dangerous because it originates from attacker-controlled input and can lead to arbitrary code execution or process crashes. The fix introduces explicit overflow checks before any memory

#c#integer-overflow#gif-decoder+4 more
O
orbisai0security
May 28, 2026