libjpeg-turbo -- heap-based buffer overflow

2012-05-31T00:00:00
ID A460035E-D111-11E1-AFF7-001FD056C417
Type freebsd
Reporter FreeBSD
Modified 2012-07-19T00:00:00

Description

The Changelog for version 1.2.1 says: Fixed a regression caused by 1.2.0[6] in which decompressing corrupt JPEG images (specifically, images in which the component count was erroneously set to a large value) would cause libjpeg-turbo to segfault.

A heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
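
As a defensive illustration of the condition described above, the following added example (not libjpeg-turbo code and not part of the advisory) pre-screens a JPEG buffer for out-of-range component counts before it is handed to a decoder. The advisory does not say which header carries the bad count, so the sketch checks both the frame (SOFn) and scan (SOS) headers; the function name, the limits and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed limits (not from the advisory): libjpeg's default MAX_COMPONENTS
 * per frame, and the JPEG standard's maximum of 4 components per scan. */
#define MAX_FRAME_COMPS 10
#define MAX_SCAN_COMPS  4

/* Walks marker segments up to the first SOS. Returns 0 if the component
 * counts are in range, 1 if one is not, -1 if truncated or not a JPEG. */
int check_component_counts(const unsigned char *p, size_t len)
{
    size_t i = 2, seglen;
    int nf = -1, ns;
    unsigned m;

    if (len < 4 || p[0] != 0xFF || p[1] != 0xD8) return -1;   /* SOI */
    while (i + 4 <= len) {
        if (p[i] != 0xFF) return -1;
        m = p[i + 1];
        if (m == 0xFF) { i++; continue; }                      /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; }
        if (m == 0x00 || m == 0xD9) return -1;                 /* no scan found */
        seglen = ((size_t)p[i + 2] << 8) | p[i + 3];
        if (seglen < 2 || seglen > len - (i + 2)) return -1;   /* truncated */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 8) return -1;                         /* SOFn header */
            nf = p[i + 9];        /* after length, precision, height, width */
            if (nf < 1 || nf > MAX_FRAME_COMPS) return 1;
        } else if (m == 0xDA) {                                /* SOS header */
            if (seglen < 3 || nf < 0) return -1;
            ns = p[i + 4];
            return (ns < 1 || ns > MAX_SCAN_COMPS || ns > nf) ? 1 : 0;
        }
        i += 2 + seglen;
    }
    return -1;
}

/* Constructed headers: SOI, SOF0 (16x16, 3 components), SOS (3 components). */
static const unsigned char sample_ok[] = {
    0xFF,0xD8, 0xFF,0xC0,0x00,0x11,0x08,0x00,0x10,0x00,0x10,0x03,
    0x01,0x11,0x00,0x02,0x11,0x01,0x03,0x11,0x01,
    0xFF,0xDA,0x00,0x0C,0x03,0x01,0x00,0x02,0x11,0x03,0x11,0x00,0x3F,0x00 };

int main(void)
{
    printf("sample_ok: %d\n", check_component_counts(sample_ok, sizeof sample_ok));
    return 0;
}
```

A check like this is a screening aid for untrusted input, not a replacement for upgrading to a fixed libjpeg-turbo release.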