WhatsApp lets users apply filters to images. A filter takes a "source" image, applies transformations to the underlying pixel data, then saves the result as a new image. After fuzzing, the authors discovered a crash when switching between filters on crafted GIF files. After some root-causing and reversing, they determined the vulnerability was ultimately in applyFilterIntoBuffer() in the WhatsApp library.
An out-of-bounds access occurs while iterating over the source image's pixels to apply the transformation. The WhatsApp developers assumed that the source and destination images share the same pixel format (the number of bytes per pixel, referred to as the "stride") and the same dimensions, but neither assumption is ever verified. By sending a malicious source image with 1 byte per pixel instead of the expected 4 bytes per pixel (RGBA), the function still walks the source buffer 4 bytes per pixel, so it attempts to read four times as much data as the source image actually holds and runs past the end of its buffer.
This attack would be fairly complex to pull off against a victim: you would have to send the victim a malicious source image, get them to apply a filter to it, then get them to send the result back to you. Nonetheless, WhatsApp took it seriously and responded well to the report.
Patch
The patch consists of two checks. First, it ensures the stride is the expected 4 bytes per pixel. Second, it validates the image size against the stride, so that the buffer holds exactly 4 bytes per pixel for the declared dimensions, before parsing.
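To make the bug and the fix concrete, here is an added illustration in C of both the unchecked pixel loop described above and the two validation checks the patch is described as adding. This is not WhatsApp's code or the researchers' code: the image_t struct, the function names (apply_filter_unchecked, validate_image, apply_filter_checked, overread_bytes) and the invert filter are hypothetical, and the 2x2 sample images are constructed inline. The unchecked loop is only ever run on the well-formed image; for the crafted 1-byte-per-pixel image the example computes how far past the buffer that loop would read instead of actually reading it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout the filter loop assumes: 4 bytes (RGBA) per pixel.
 * Hypothetical reconstruction for illustration, not WhatsApp's code. */
#define EXPECTED_BPP 4u

typedef struct {
    uint8_t *pixels;   /* pixel buffer */
    size_t   len;      /* real size of that buffer in bytes */
    uint32_t width;
    uint32_t height;
    uint32_t stride;   /* bytes per pixel declared by the image ("stride" in the text) */
} image_t;

/* Bytes the loop touches for a width x height image at 4 bytes/pixel.
 * Returns 0 for empty images or on arithmetic overflow so callers reject
 * instead of wrapping to a small value. */
static size_t filter_bytes(uint32_t width, uint32_t height) {
    uint64_t px = (uint64_t)width * height;
    if (px == 0 || px > SIZE_MAX / EXPECTED_BPP) return 0;
    return (size_t)(px * EXPECTED_BPP);
}

/* Unchecked loop in the shape the text describes: walks width*height pixels,
 * 4 bytes each, trusting that src and dst are laid out identically.  With a
 * 1-byte-per-pixel source this reads 4x past the end of src->pixels. */
static void apply_filter_unchecked(const image_t *src, image_t *dst) {
    size_t n = (size_t)src->width * src->height;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *s = src->pixels + i * EXPECTED_BPP;
        uint8_t *d = dst->pixels + i * EXPECTED_BPP;
        d[0] = (uint8_t)(255 - s[0]);  /* invert R */
        d[1] = (uint8_t)(255 - s[1]);  /* invert G */
        d[2] = (uint8_t)(255 - s[2]);  /* invert B */
        d[3] = s[3];                   /* keep alpha */
    }
}

/* How many bytes past the source buffer the unchecked loop would read. */
static size_t overread_bytes(const image_t *src) {
    size_t need = filter_bytes(src->width, src->height);
    return need > src->len ? need - src->len : 0;
}

/* The two checks the patch is described as adding: the stride must be the
 * expected 4 bytes, and the buffer must hold exactly width*height*4 bytes. */
static bool validate_image(const image_t *img) {
    if (img->stride != EXPECTED_BPP) return false;
    size_t need = filter_bytes(img->width, img->height);
    return need != 0 && img->len == need;
}

/* Hardened entry point: validate both images and require matching dimensions
 * before touching any pixel data. */
static bool apply_filter_checked(const image_t *src, image_t *dst) {
    if (!validate_image(src) || !validate_image(dst)) return false;
    if (src->width != dst->width || src->height != dst->height) return false;
    apply_filter_unchecked(src, dst);
    return true;
}

/* Constructed sample: a 2x2 image declaring 1 byte per pixel (4 bytes total)
 * handed to a filter that expects 4.  Returns the overread in bytes. */
static size_t crafted_image_overread(void) {
    uint8_t buf[4] = { 0x11, 0x22, 0x33, 0x44 };
    image_t img = { buf, sizeof buf, 2, 2, 1 };
    return overread_bytes(&img);   /* needs 16 bytes, has 4: 12 bytes past the end */
}

/* Same crafted image through the hardened path: true if it is rejected. */
static bool crafted_image_rejected(void) {
    uint8_t src_buf[4] = { 0x11, 0x22, 0x33, 0x44 };
    uint8_t dst_buf[16] = { 0 };
    image_t src = { src_buf, sizeof src_buf, 2, 2, 1 };
    image_t dst = { dst_buf, sizeof dst_buf, 2, 2, 4 };
    return !apply_filter_checked(&src, &dst);
}

/* Constructed well-formed 2x2 RGBA image: returns the first output byte
 * (inverted red of pixel 0), or -1 if validation unexpectedly fails. */
static int wellformed_first_red(void) {
    uint8_t src_buf[16] = { 10, 20, 30, 255, 40, 50, 60, 255,
                            70, 80, 90, 255, 100, 110, 120, 255 };
    uint8_t dst_buf[16] = { 0 };
    image_t src = { src_buf, sizeof src_buf, 2, 2, 4 };
    image_t dst = { dst_buf, sizeof dst_buf, 2, 2, 4 };
    if (!apply_filter_checked(&src, &dst)) return -1;
    return dst_buf[0];   /* 255 - 10 */
}

int main(void) {
    printf("crafted 1-bpp image: unchecked loop would read %zu bytes past the buffer\n",
           crafted_image_overread());
    printf("crafted image rejected by checked path: %s\n",
           crafted_image_rejected() ? "yes" : "no");
    printf("well-formed image, first inverted byte: %d\n", wellformed_first_red());
    return 0;
}
```

The overread scales with the image, not with the 4-byte mismatch alone: for a width x height source declared at 1 byte per pixel the loop wants 4*width*height bytes from a buffer of width*height, so a larger crafted image pushes the read further into whatever follows the source allocation. The length check in validate_image is also deliberately an equality, not a lower bound, matching the "exactly 4 bytes per pixel" wording of the fix.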