Opera problems with JPEG images
Attackers can use specially prepared JPEG images to inject arbitrary code into the Opera Web browser. This was made possible by a integer variables in the browser code for the processing of images with insufficient range.
Manipulated JPEG images that contain very large values for the height or width in certain fields of the JPEG header can cause an integer variable to overload. As a result, too little memory is allocated for the image, causing a buffer overload. heise Security's background article A heap of risk discusses an example where an integer overflow in the calculation of the image size causes a heap overflow. It explains in detail how this can be exploited by attackers to execute code included in a specially prepared image file.
Opera 8.54 and older versions are affected by this problem. In version 9.0 of the browser released on Tuesday 20th June 2006, the vendor has remedied the flaw. All Opera users should therefore immediately install this new version.
- A heap of risk, article on heise Security
- Opera JPEG Processing Integer Overflow Vulnerability, security advisory from VigilantMinds
- Download the current version of Opera
(ju)