I have used imageEN224 for processing images in my application, but an error appeared when processing PSD files. (I'm only using imageEN.)
I tried to figure out what's going on in there, so I reversed my application at the assembly level, and found that a function in my application causes a heap overflow in PSD image processing (specifically, the size-check part).
Function flow outline (size-check) below:
1) Do ROR (assembly) several times on an argument passed to this function.
2) Save the returned value of this function to some variable.
3) The value of this variable will be used to represent SIZE information.
4) If you manipulate this value into a higher one, an overflow is caused.
Here's a screenshot of what I've done.
05 A9 -> C1 A9 -> overflow
It was tested on Windows 7 and Windows XP SP3.
Also, I could manipulate and control the EIP (assembly) value with a hex editor. (This may cause a serious problem for my application, because it may completely change the flow of my application.)
Any updates for this issue?