The vulnerability is caused by errors in the decompression of CCITT G4
compressed TIFF images.
CCITT compression is essentially a run-length encoding (RLE) of 2-colour
(black/white) images, in which the run lengths of black and white pixels
are encoded with a variable number of bits. In the first step of the
decoding process the run lengths are determined and stored in a heap
buffer of the same length as the image width. After this step the values
inside the buffer are interpreted as

frozen, the browser consumes 100% CPU power.
* Verbose description
The BMP file format allows run-length encoding for 4- and 8-bit bitmaps.
The RLE used in the BMP format has additional features: skipping the
decompression write pointer to the end of the line (bytes 00 00),
skipping to the end of the bitmap (00 01), and moving the write pointer
to another line and column (00 02 XX YY).
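The three escape codes above are exactly the points where an RLE8 decoder's write pointer can leave the output buffer if the decoder trusts the stream. As an added example (not code from any advisory on this page), a bounds-checked RLE8 decoder that rejects any run, literal block or 00 02 delta that would write or move outside a width*height buffer; the function name and the sample streams are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked BMP RLE8 decoder (hypothetical helper, not from the advisories
 * above). Writes into an out buffer of width*height bytes and refuses any run,
 * literal block or 00 02 delta that would move the write pointer outside it.
 * Returns 1 on a well-formed stream ending in 00 01, 0 otherwise. */
int rle8_decode_safe(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0;
    if (width == 0 || height == 0 || width > SIZE_MAX / height) return 0;
    memset(out, 0, width * height);
    while (i + 1 < in_len) {            /* every record is at least 2 bytes */
        uint8_t count = in[i], val = in[i + 1];
        i += 2;
        if (count > 0) {                /* encoded run: count copies of val */
            if (y >= height || count > width - x) return 0;
            memset(out + y * width + x, val, count);
            x += count;
            continue;
        }
        switch (val) {
        case 0: x = 0; y++; break;      /* 00 00: end of line */
        case 1: return 1;               /* 00 01: end of bitmap */
        case 2:                         /* 00 02 dx dy: move write pointer */
            if (i + 1 >= in_len) return 0;
            if (in[i] > width - x || in[i + 1] > height - y) return 0;
            x += in[i]; y += in[i + 1]; i += 2;
            break;
        default:                        /* 00 n (n>=3): n literal pixels, padded to even */
            if (y >= height || val > width - x || val > in_len - i) return 0;
            memcpy(out + y * width + x, in + i, val);
            x += val; i += val + (val & 1);
            break;
        }
    }
    return 0;                           /* truncated: no 00 01 seen */
}

/* Constructed 4x2 sample: run of three 7s, end of line, delta (1,0),
 * three literals AA BB CC plus pad byte, end of bitmap. */
const uint8_t rle8_good[] = {3,7, 0,0, 0,2,1,0, 0,3,0xAA,0xBB,0xCC,0, 0,1};
/* Constructed malformed stream: delta jumps 9 rows in a 2-row image. */
const uint8_t rle8_bad_delta[] = {0,2,0,9, 1,1, 0,1};
uint8_t rle8_out[8];                    /* 4x2 output buffer for the samples */
```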
A vulnerability has been found and corrected in Wireshark:
Buffer overflow in epan/dissectors/packet-enttec.c in Wireshark 1.4.2
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted ENTTEC DMX
packet with Run Length Encoding (RLE) compression (CVE-2010-4538).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-018
April 3, 2008
-- CVE ID:
CVE-2008-1021
-- Affected Vendors:
Apple