CVE-2023-45662: Out-of-bounds Read in STB Image.h

CWE-125: Out-of-bounds Read (4 documents, 4 sources)
Severity
NVD: 8.1 HIGH
CNA: 6.5

EPSS
Score: 0.1%
Percentile: top 70.95%

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Oct 21

Description

stb_image is a single-file, MIT-licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger an out-of-bounds read in `memcpy`, because the `bytes_per_pixel` value used to calculate `bytes_per_row` doesn’t match the real dimensions of the image array.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: nothings/stb 2.28

Vulnerability Details (2)

OSV: CVE-2023-45662: stb_image is a single file MIT licensed library for processing images (2023-10-21)
CVEList: Multi-byte read heap buffer overflow in stbi__vertical_flip in stb_image (2023-10-20)

Vendor Advisories (1)

Debian: CVE-2023-45662: libstb - stb_image is a single file MIT licensed library for processing images. When `stb... (2023)
CVE-2023-45662 — Out-of-bounds Read in STB Image.h | cvebase