Submit #512800: Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow

Title: Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow

Description: There's an integer overflow leading to a heap overflow in the exported function vbi_strndup_iconv_ucs2, which could lead to a DoS.

```c
char *
vbi_strndup_iconv_ucs2 (const char *dst_codeset, const uint16_t *src,
                        long src_length, int repl_char)
{
    char *buffer;
    char *result;
    unsigned long size;
    ...
    /// user controlled src_length & src buffer
    buffer = strndup_iconv_from_ucs2 (&size, dst_codeset, src, src_length, repl_char);
    ...
}

static char *
strndup_iconv_from_ucs2 (unsigned long *out_size, const char *dst_codeset,
                         const uint16_t *src, long src_length, int repl_char)
{
    char *buffer;
    unsigned long buffer_size;
    ...
    if (NULL == dst_codeset || same_codeset (dst_codeset, "UTF8")) {
        return strndup_utf8_ucs2 (out_size, src, src_length); // calls the vulnerable function for "UTF8" encoded strings
    }
    ...
}

static char *
strndup_utf8_ucs2 (unsigned long *out_size, const uint16_t *src, long src_length)
{
    char *d;
    char *buffer;
    const uint16_t *end;
    ...
    buffer = vbi_malloc (src_length * 3 + 1); // malloc arithmetic causes an under allocation via integer overflow
    if (NULL == buffer)
        return NULL;

    d = buffer;
    for (end = src + src_length; src < end; ++src) {
        unsigned int c = *src;

        if (c < 0x80) {
            *d++ = c;
        } else if (c < 0x800) {
            d[0] = 0xC0 | (c >> 6);
            d[1] = 0x80 | (c & 0x3F);
            d += 2;
        } else {
            d[0] = 0xE0 | (c >> 12);
            d[1] = 0x80 | ((c >> 6) & 0x3F);
            d[2] = 0x80 | (c & 0x3F);
            d += 3;
        }
    }
    // writing decoded values into the under allocated buffer at a length that is greater than the allocation size

    if (NULL != out_size)
        *out_size = d - buffer;
    *d = 0;

    return buffer;
}
```
User: ninpwn (UID 82253)
Submission: 03/03/2025 11:14 AM (5 months ago)
Moderation: 03/11/2025 07:06 AM (8 days later)
Status: Accepted
VulDB Entry: 299203 [libzvbi up to 0.2.43 src/conv.c vbi_strndup_iconv_ucs2 src_length integer overflow]
Points: 17
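The following is an added example, written for this page and not code from libzvbi or from the submitter. It shows the two halves of the bug report side by side: first, the unchecked size expression `src_length * 3 + 1` evaluated in 32-bit arithmetic (assumed here to model an ILP32 target where `long` is 32 bits), where a `src_length` of 0x55555556 wraps to an allocation of 3 bytes while the encoding loop still expects to write about 1.6 GB; second, a hardened rewrite of `strndup_utf8_ucs2()` that rejects negative lengths and any length for which `3*n+1` does not fit in `size_t` before allocating. The helper names `unchecked_size_ilp32`, `utf8_ucs2_buffer_size`, `strndup_utf8_ucs2_checked` and `convert_sample` are hypothetical, `malloc()` stands in for `vbi_malloc()`, and the three-code-unit input is constructed for the example.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Emulates the unchecked expression `src_length * 3 + 1` as it evaluates
 * when `long` is 32 bits (assumed ILP32 target). The product silently
 * wraps, so a huge length yields a tiny allocation. */
uint32_t unchecked_size_ilp32(uint32_t src_length)
{
    return src_length * 3u + 1u;   /* 0x55555556 -> 0x100000003 -> 3 after wrap */
}

/* Overflow-checked size computation (hypothetical helper, not libzvbi's API).
 * Each UCS-2 code unit expands to at most three UTF-8 bytes, plus one NUL.
 * Returns 0 (never a valid size here) if src_length is negative or if
 * 3*n+1 would not fit in size_t. */
size_t utf8_ucs2_buffer_size(long src_length)
{
    size_t n;

    if (src_length < 0)
        return 0;
    n = (size_t) src_length;
    if (n > (SIZE_MAX - 1) / 3)
        return 0;
    return n * 3 + 1;
}

/* Hardened rewrite of strndup_utf8_ucs2(): same encoding loop as the
 * reported code, but the allocation size is validated first. */
char *strndup_utf8_ucs2_checked(unsigned long *out_size,
                                const uint16_t *src, long src_length)
{
    size_t size = utf8_ucs2_buffer_size(src_length);
    char *buffer, *d;
    const uint16_t *end;

    if (size == 0 || src == NULL)
        return NULL;
    buffer = malloc(size);
    if (buffer == NULL)
        return NULL;

    d = buffer;
    for (end = src + src_length; src < end; ++src) {
        unsigned int c = *src;

        if (c < 0x80) {
            *d++ = (char) c;
        } else if (c < 0x800) {
            d[0] = (char) (0xC0 | (c >> 6));
            d[1] = (char) (0x80 | (c & 0x3F));
            d += 2;
        } else {
            d[0] = (char) (0xE0 | (c >> 12));
            d[1] = (char) (0x80 | ((c >> 6) & 0x3F));
            d[2] = (char) (0x80 | (c & 0x3F));
            d += 3;
        }
    }
    /* Every write above stays within the validated `size` bytes. */
    if (out_size != NULL)
        *out_size = (unsigned long) (d - buffer);
    *d = 0;
    return buffer;
}

/* Constructed sample input: "A" (1 byte), U+00E9 (2 bytes), U+20AC (3 bytes).
 * Returns the converted byte count when the output matches, -1 otherwise. */
long convert_sample(void)
{
    static const uint16_t src[3] = { 0x0041, 0x00E9, 0x20AC };
    static const char expected[] = "A\xC3\xA9\xE2\x82\xAC";   /* 6 bytes + NUL */
    unsigned long n = 0;
    long rc = -1;
    char *out = strndup_utf8_ucs2_checked(&n, src, 3);

    if (out != NULL && n == 6 && memcmp(out, expected, 7) == 0)
        rc = (long) n;
    free(out);
    return rc;
}

int main(void)
{
    assert(unchecked_size_ilp32(0x55555556u) == 3);  /* the under-allocation */
    assert(utf8_ucs2_buffer_size(-1) == 0);          /* negative length rejected */
    assert(utf8_ucs2_buffer_size(LONG_MAX) == 0);    /* oversize length rejected */
    assert(convert_sample() == 6);                   /* normal input still works */
    return 0;
}
```

The check `n > (SIZE_MAX - 1) / 3` is the standard pre-multiplication bound: it rejects exactly the lengths for which `n * 3 + 1` would wrap, without performing the wrapping arithmetic. Rejecting negative `long` values matters separately, because `(size_t)(-1) * 3 + 1` is not a wrap but a huge request that `malloc()` will usually refuse, while values just below zero in 32-bit two's complement (such as -2) wrap to small allocations again.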
