source: http://www.securityfocus.com/bid/22630/info

Apple Mac OS X ImageIO is prone to an integer-overflow vulnerability because it fails to handle specially crafted image files. A remote attacker can exploit this issue to cause denial-of-service conditions and potentially to execute code, but this has not been confirmed. This issue affects Mac OS X 10.4.8; previous versions may also be affected.

Release Date: February 19th, 2007
Severity: High
Vendor: Apple
Versions Affected: OSX 10.4.8

Overview:

An integer overflow vulnerability exists within ImageIO when processing a malformed .gif file. This allows an attacker to cause the application to crash and/or to execute arbitrary code on the targeted host.

Technical Details:

When decompressing a specially crafted .gif file, the gifGetBandProc function within ImageIO incorrectly parses the malformed data, causing the application to crash with a segmentation fault. Below, the crash is triggered on OS X 10.4.8 using Safari:

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x3991b000
    0x918f2dc5 in gifGetBandProc ()
    (gdb) bt
    #0 0x918f2dc5 in gifGetBandProc ()
    #1 0x918ec8ea in CGImagePlusUpdateCache ()
    #2 0x918ec606 in CGImagePlusCreateImage ()
    #3 0x952356c0 in -[WebImageData _cacheImages:allImages:] ()
    #4 0x952355f3 in -[WebImageData imageAtIndex:] ()

    Thread 0 crashed with i386 Thread State:
    eax: 0x396e2000 ebx: 0x918f2bcc ecx: 0x00000033 edx: 0x00027f84
    edi: 0x15fb9ad0 esi: 0x00000033 ebp: 0xbfffd5d8 esp: 0xbfffd140
    ss: 0x0000002f efl: 0x00010206 eip: 0x918f2db7 cs: 0x00000027
    ds: 0x0000002f es: 0x0000002f fs: 0x00000000 gs: 0x00000037

Vendor Status: Apple was notified on 9/8/2006

Discovered by: Tom Ferris
tommy[at]security-protocols[dot]com

http://www.exploit-db.com/sploits/29620-1.gif
http://www.exploit-db.com/sploits/29620-2.gif
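
The advisory does not identify which calculation in gifGetBandProc overflows. As an added example (not from the advisory or from ImageIO), the C code below shows the general defence for this bug class in a GIF reader: validate the first image descriptor against the logical screen and compute the decode buffer size with overflow-checked multiplication. The function names, the 64 MiB cap, and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DECODE_BYTES ((size_t)64 << 20) /* assumed policy cap: 64 MiB per frame */

/* Constructed samples: GIF header + first image descriptor, no colour table. */
const uint8_t sample_ok[] = {'G','I','F','8','9','a', 4,0, 4,0, 0,0,0,
                             0x2C, 1,0, 1,0, 2,0, 2,0, 0};   /* 4x4 screen, 2x2 frame */
const uint8_t sample_huge[] = {'G','I','F','8','9','a', 0xFF,0xFF, 0xFF,0xFF, 0,0,0,
                               0x2C, 0,0, 0,0, 0xFF,0xFF, 0xFF,0xFF, 0}; /* 65535x65535 */

/* GIF stores every 16-bit field little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Overflow-checked multiply: 0 on success, -1 if a*b would wrap size_t. */
static int mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Returns the decode buffer size for the first frame, or 0 if the file is
 * truncated, malformed, or the frame is unsafe to allocate for.
 * Assumption for brevity: no extension blocks precede the first image. */
size_t gif_frame_buffer_size(const uint8_t *buf, size_t len, size_t bytes_per_pixel) {
    size_t off = 13, pixels, need;
    if (len < 13) return 0;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return 0;
    uint32_t sw = rd16(buf + 6), sh = rd16(buf + 8);       /* logical screen size */
    if (buf[10] & 0x80)                                    /* skip global colour table */
        off += 3u * (1u << ((buf[10] & 0x07) + 1));
    if (off > len || len - off < 10) return 0;             /* descriptor is 10 bytes */
    if (buf[off] != 0x2C) return 0;                        /* image separator */
    uint32_t x = rd16(buf + off + 1), y = rd16(buf + off + 3);
    uint32_t w = rd16(buf + off + 5), h = rd16(buf + off + 7);
    if (w == 0 || h == 0) return 0;
    if (x + w > sw || y + h > sh) return 0;  /* 32-bit sums of 16-bit fields cannot wrap */
    if (mul_ok(w, h, &pixels) != 0 || mul_ok(pixels, bytes_per_pixel, &need) != 0)
        return 0;                            /* size would wrap: refuse to allocate */
    return need <= MAX_DECODE_BYTES ? need : 0;
}

int main(void) {
    printf("ok:   %zu bytes\n", gif_frame_buffer_size(sample_ok, sizeof sample_ok, 4));
    printf("huge: %zu bytes\n", gif_frame_buffer_size(sample_huge, sizeof sample_huge, 4));
    return 0;
}
```

On a 32-bit target such as the i386 build in the crash log, the 65535x65535 sample is rejected by the overflow check; on a 64-bit target the same sample is rejected by the size cap.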