We can manipulate the iris_info.rows, iris_info.columns and bytes_per_pixel
values. The memory allocated for "iris_pixels" is sized from these values.
When rows*columns*bytes_per_pixel*4 overflows the integer variable, too
little memory is allocated for the operations that follow, and the decoder
writes past the end of the buffer, causing a heap overflow.
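The following C program is an added illustration of the size-calculation bug described above; it is not code from the affected reader or from the original advisory. The struct and function names (iris_header, vulnerable_pixel_bytes, checked_pixel_bytes) are hypothetical, and the crafted dimensions are constructed so that the 32-bit product rows*columns*bytes_per_pixel*4 wraps to exactly 0. The checked variant shows the fix a practitioner would want: multiply step by step with overflow detection and reject any size the allocator cannot represent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed header fields (hypothetical struct, not the reader's own):
 * the SGI/IRIS header carries 16-bit dimensions and a one-byte
 * bytes-per-channel value. */
struct iris_header {
    uint16_t rows;
    uint16_t columns;
    uint8_t  bytes_per_pixel;
};

/* Vulnerable pattern: the product is evaluated in 32-bit unsigned
 * arithmetic and silently wraps, so the returned allocation size can be
 * far smaller than what the decoder later writes into the buffer. */
uint32_t vulnerable_pixel_bytes(const struct iris_header *h)
{
    return (uint32_t)h->rows * h->columns * h->bytes_per_pixel * 4u;
}

/* Multiply two size_t values; returns true (and leaves *r unchanged)
 * if the product would not fit in size_t. */
static bool mul_overflow(size_t a, size_t b, size_t *r)
{
    if (a != 0 && b > SIZE_MAX / a)
        return true;
    *r = a * b;
    return false;
}

/* Hardened pattern: every multiplication is checked and the result is
 * compared against the allocator's limit. Pass UINT32_MAX to model a
 * 32-bit size_t, or a smaller policy cap on image memory. Returns false
 * and leaves *out untouched when the size is not representable. */
bool checked_pixel_bytes(const struct iris_header *h, size_t limit,
                         size_t *out)
{
    size_t n;

    /* A zero dimension means there is nothing to decode. */
    if (h->rows == 0 || h->columns == 0 || h->bytes_per_pixel == 0)
        return false;

    if (mul_overflow(h->rows, h->columns, &n) ||
        mul_overflow(n, h->bytes_per_pixel, &n) ||
        mul_overflow(n, 4, &n) ||
        n > limit)
        return false;

    *out = n;
    return true;
}

/* Constructed header values: 32768 * 32768 * 1 * 4 == 2^32, which wraps
 * to 0 in 32-bit arithmetic while the real buffer needs 4 GiB. */
struct iris_header crafted_header(void)
{
    struct iris_header h = { 32768, 32768, 1 };
    return h;
}

int main(void)
{
    struct iris_header h = crafted_header();
    size_t need;

    printf("vulnerable size: %u bytes\n", vulnerable_pixel_bytes(&h));

    if (checked_pixel_bytes(&h, UINT32_MAX, &need))
        printf("32-bit checked: %zu bytes\n", need);
    else
        printf("32-bit checked: rejected (product exceeds the allocator)\n");

    if (checked_pixel_bytes(&h, SIZE_MAX, &need))
        printf("64-bit checked: %zu bytes\n", need);
    else
        printf("64-bit checked: rejected\n");
    return 0;
}
```

On a 32-bit target the vulnerable computation hands 0 bytes to the allocator while the decoder goes on to fill 2^30 pixels; the checked version refuses the header instead. On a 64-bit target the same header is accepted with the true size, which is why a hardened reader should also enforce an explicit resource limit rather than rely on a wider size_t alone.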
3. PoC
Example crafted SGI file: http://overflow.pl/poc/imheap.sgi
If you have additional information or notice any errors regarding this security advisory, please use the contact form or email us at info()securityreason()com.