When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow.
{ "binaries": [ { "binary_name": "libfreeimage-dev", "binary_version": "3.17.0+ds1-2ubuntu0.1+esm1" }, { "binary_name": "libfreeimage3", "binary_version": "3.17.0+ds1-2ubuntu0.1+esm1" }, { "binary_name": "libfreeimageplus-dev", "binary_version": "3.17.0+ds1-2ubuntu0.1+esm1" }, { "binary_name": "libfreeimageplus3", "binary_version": "3.17.0+ds1-2ubuntu0.1+esm1" } ], "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "libfreeimage-dev", "binary_version": "3.17.0+ds1-5+deb9u1build0.18.04.1" }, { "binary_name": "libfreeimage3", "binary_version": "3.17.0+ds1-5+deb9u1build0.18.04.1" }, { "binary_name": "libfreeimageplus-dev", "binary_version": "3.17.0+ds1-5+deb9u1build0.18.04.1" }, { "binary_name": "libfreeimageplus3", "binary_version": "3.17.0+ds1-5+deb9u1build0.18.04.1" } ], "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "libfreeimage-dev", "binary_version": "3.18.0+ds2-1ubuntu3.1" }, { "binary_name": "libfreeimage3", "binary_version": "3.18.0+ds2-1ubuntu3.1" }, { "binary_name": "libfreeimageplus-dev", "binary_version": "3.18.0+ds2-1ubuntu3.1" }, { "binary_name": "libfreeimageplus3", "binary_version": "3.18.0+ds2-1ubuntu3.1" } ], "availability": "No subscription required" }