Vulnerability Note VU#646748
Embarcadero Delphi and C++Builder VCL BMP file processing buffer overflow
Embarcadero Delphi and C++ Builder Visual Component Library (VCL) bitmap (BMP) file processing code contains a buffer overflow that could allow an attacker to execute arbitrary code.
Embarcadero Delphi and C++ Builder tools contain a buffer overflow (CWE-119) in VCL BMP file processing code (Vcl.Graphics.TPicture.Bitmap). Core Security Technologies advisory CORE-2014-0004 provides further details, including more specific information about vulnerable development tools. Any application built with a vulnerable VCL version are likely to also be vulnerable.
An attacker who can cause a vulnerable application to process a specially crafted BMP file could execute arbitrary code. Whether or not the attacker is remote or authenticated depends on the interfaces and behavior of the vulnerable application.
Embarcadero has released a hotfix for XE6-series tools and provided documentation for older tools on how to modify VCL source code.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Embarcadero Technologies||Affected||09 Jul 2014||11 Sep 2014|
CVSS Metrics (Learn More)
Thanks to Marcos Accossatto and Joaqu╠n Rodr╠guez Varela from Core Security Technologies and Mike Devery from Embarcadero.
This document was written by Art Manion.
- CVE IDs: CVE-2014-0993
- Date Public: 20 Aug 2014
- Date First Published: 11 Sep 2014
- Date Last Updated: 12 Dec 2014
- Document Revision: 27
If you have feedback, comments, or additional information about this vulnerability, please send us email.