PRL-2015-06

#####################################################################################

Application:   Paintshop Pro X7 GIF Conversion  Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)

Platforms:   Windows

Versions:   The vulnerability is confirmed in version Paintshop Prox X7, Other versions may also be affected.

Secunia:

{PRL}:   2015-06

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

 

PaintShop Pro (PSP) is a raster and vector graphics editor for Microsoft Windows. It was originally published by Jasc Software. In October 2004, Corel purchased Jasc Software and the distribution rights to Paint Shop Pro. PSP functionality can be extended by Photoshop-compatible plugins.

Although often written as Paint Shop Pro, Corel’s website shows the name for the product as PaintShop Pro. The X-numbered editions have been sold in two versions: PaintShop Pro, which is the basic editing program, and PaintShop Pro Ultimate, which bundles in other standalone programs. The particular bundled programs have varied with each numbered version and have not been sold by Corel as separate products.

(https://en.wikipedia.org/wiki/PaintShop_Pro)

#####################################################################################

============================
2) Report Timeline
============================

2015-04-23: Francis Provencher from Protek Research Lab’s found the issue;
2015-02-24: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
2015-02-25: Francis Provencher From Protek Research Lab’s ask for a security contact at Corel Software;
2015-05-10: Corel push a silent fix, without credit.

2015-05-16: Publication of this advisory.

 

#####################################################################################

============================
3) Technical details
============================

An error when handling LZWMinimumCodeSize can be exploited to cause an heap memory corruption via a specially crafted GIF file.

#####################################################################################

===========

4) POC

===========

Here

###############################################################################