Arbitrary Free in Accusoft ImageGear ioca_mys_rgb_allocate
Original Post:
We discussed this vulnerability during Episode 142 on 03 May 2022
An uninitialized pointer is freed by providing a malformed IOCA file with a size_Y of zero. Normally, an initialization routine iterates from size_Y down to 0, populating the table_mys_rgb table. Later, during the cleanup routine in delete_table_mys_rgb_ptr, the delete operator is called, which results in a free on an index into that table. When the file specifies a size_Y of 0, the initialization loop never assigns a pointer to that entry, so the cleanup frees whatever value the uninitialized slot happens to hold, leading to an arbitrary free.