Security vulnerabilities and automated fixes for image parsing issues
A critical heap buffer overflow vulnerability was discovered and patched in a vendored copy of `stb_image.h`, a popular single-header image loading library. The root cause was a missing bounds check that allowed attacker-controlled image data to trigger memory writes beyond allocated heap buffers, potentially enabling arbitrary code execution. A single defensive guard — rejecting negative buffer lengths before any memory operation — closes this dangerous attack vector.
A critical integer overflow vulnerability was discovered and patched in the GIF decoder library `libnsgif`, where multiplying width, height, and pixel byte values from untrusted GIF headers could silently overflow, causing heap buffer corruption during image processing. This class of vulnerability is particularly dangerous because it originates from attacker-controlled input and can lead to arbitrary code execution or process crashes. The fix introduces explicit overflow checks before any memory