Avoid out-of-bounds palette write in wxIFFDecoder::ConvertToImage on malformed BMHD transparent index (Issue #26437)


MarkLee131

May 10, 2026, 5:44:26 PMMay 10
to wx-...@googlegroups.com, Subscribed
MarkLee131 created an issue (wxWidgets/wxWidgets#26437)

### Description

#### Bug description:

The IFF `BMHD` chunk's transparent-colour field is read as a 16-bit big-endian word and stored unclamped in `m_image->transparent`. In `wxIFFDecoder::ConvertToImage`, that value is used as a palette index without checking it against the CMAP-derived colour count, writing three bytes at offset `3 * transparent` past the palette buffer.

The unsafe site is `src/common/imagiff.cpp:161`:

```cpp
int transparent = GetTransparentColour(); // line 145, sourced from BMHD bmhd_transcol
...
if (transparent != -1)
{
...
pal[3 * transparent + 0] = 255; // line 161 — OOB write
pal[3 * transparent + 1] = 0;
pal[3 * transparent + 2] = 255;
}
```

`transparent` originates from `iff_getword` at `imagiff.cpp:403`, returning 0..65535. The write value is the fixed triplet `(255, 0, 255)`, so an attacker controls only the offset, but the offset is fully attacker-controlled.

Found by an ASAN+UBSAN libFuzzer harness against `wxIFFHandler::LoadFile`.
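A hardened version of the palette step described above, as an added example (not wxWidgets' code and not the fix in #26440): the BMHD word is decoded the same way but rejected unless it is below the CMAP-derived colour count, so the marker triplet never lands past the palette buffer. `IffPalette`, `PaletteFromCmap`, `ApplyBmhdTransparent` and `BuildSamplePalette` are hypothetical names, and the CMAP bytes are constructed.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the decoder's CMAP-derived palette (not wxWidgets' own types).
struct IffPalette {
    std::vector<uint8_t> pal; // 3 bytes (R,G,B) per colour, copied from the CMAP chunk
    int colours = 0;          // number of entries = CMAP payload length / 3
};

// Build a palette from a CMAP payload; a trailing partial triplet is dropped.
IffPalette PaletteFromCmap(const std::vector<uint8_t>& cmap) {
    IffPalette p;
    p.colours = static_cast<int>(cmap.size() / 3);
    p.pal.assign(cmap.begin(), cmap.begin() + 3 * p.colours);
    return p;
}

// The BMHD transparent-colour field is a 16-bit big-endian word (0..65535), so it is
// never negative; the only missing check is the upper bound. Returns true when the
// magenta marker (255, 0, 255) was written, false when the index was rejected and the
// palette left untouched (this also covers a file with no CMAP, where colours == 0).
bool ApplyBmhdTransparent(IffPalette& p, uint8_t hi, uint8_t lo) {
    int transparent = (hi << 8) | lo; // same decoding as a big-endian word read
    if (transparent >= p.colours)     // the bound the reported code did not enforce
        return false;                 // malformed BMHD: refuse rather than write OOB
    p.pal[3 * transparent + 0] = 255;
    p.pal[3 * transparent + 1] = 0;
    p.pal[3 * transparent + 2] = 255;
    return true;
}

// Constructed 4-colour CMAP (12 bytes) used to exercise the check.
IffPalette BuildSamplePalette() {
    return PaletteFromCmap({0, 0, 0, 255, 255, 255, 10, 20, 30, 40, 50, 60});
}
```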

VZ

May 21, 2026, 4:46:00 PM
to wx-...@googlegroups.com, Subscribed

Closed #26437 as completed via #26440.

