Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Netscape Communicator 4.x JPEG-Comment Heap Overwrite Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 17 Views

Netscape Communicator 4.x JPEG-Comment Heap Overwrite Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/1503/info

Netscape Browsers use the Independent JPEG Group's decoder library to process JPEG encoded images. The library functions skip JPEG comments; however, the browser uses a custom function to process these comments and store them in memory. The comment includes a 2-byte "length" field which indicates how long the comment is - this value includes the 2-bytes of the "length" field. To determine the length of the comment string alone (for memory allocation), the function reads the value in the "length" field and subtracts two. The function then allocates the length of the comment + one byte for NULL termination. There is no error checking to ensure the "length" value is valid. This makes it possible to cause an overflow by creating an image with a comment "length" field containing the value 1. The memory allocation call of 0 bytes (1 minus 2 (length field) + 1 (null termination)) will succeed. The calculated comment size variable is declared unsigned, resulting in a large positive value (from 1 minus 2). The comment handling function goes into a loop to read the comment into memory, but since the calculated comment size is enormous this causes the function to read the entire JPEG stream, overwriting the heap. It is theoretically possible to exploit this to execute arbitrary code. The browser, mail and news readers are all vulnerable to this.

http://www.exploit-db.com/sploits/20098.jpg

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
netscape communicatorjpeg-commentheap overwritevulnerabilityindependent jpeg groupmemory allocationnull terminationerror checkingexploitarbitrary codeimagebrowsermailnews readers
17