إرسال #512798: Open Source libzvbi 0.2.43 Unitinialized Heap Readالمعلومات

عنوانOpen Source libzvbi 0.2.43 Unitinialized Heap Read
الوصفIn the function vbi_strndup_iconv_ucs2 the attacker can send a length that is equal to 0 that would enable them to read uninitialized data form a minimum sized chunk on the heap. char *vbi_strndup_iconv_ucs2(const char *dst_codeset, const uint16_t *src, long src_length, int repl_char) { char *buffer; char *result; unsigned long size; ... /// user controlled src_length & src buffer buffer = strndup_iconv_from_ucs2 (&size, dst_codeset, src, src_length, repl_char); ... } static char *strndup_iconv_from_ucs2(unsigned long *out_size, const char *dst_codeset, const uint16_t *src, long src_length, int repl_char) { char *buffer; unsigned long buffer_size; ... if (NULL == dst_codeset || same_codeset (dst_codeset, "UTF8")) { return strndup_utf8_ucs2 (out_size, src, src_length); // calls the vulnerable function for "UTF8" encoded strings } ... } static char *strndup_utf8_ucs2(unsigned long * out_size, const uint16_t * src, long src_length) { char *d; char *buffer; const uint16_t *end; ... buffer = vbi_malloc (src_length * 3 + 1); // src_length = 0 would allocate the minimum sized chunk to buffer if (NULL == buffer) return NULL; d = buffer; for (end = src + src_length; src < end; ++src) { // src would be < end so the loop doesn't get executed and the buffer is returned with uninitialized data unsigned int c = *src; if (c < 0x80) { *d++ = c; } else if (c < 0x800) { d[0] = 0xC0 | (c >> 6); d[1] = 0x80 | (c & 0x3F); d += 2; } else { d[0] = 0xE0 | (c >> 12); d[1] = 0x80 | ((c >> 6) & 0x3F); d[2] = 0x80 | (c & 0x3F); d += 3; } } if (NULL != out_size) *out_size = d - buffer; *d = 0; return buffer; // returns a buffer with 0x20 bytes of uninitialized heap data }
المستخدم
 ninpwn (UID 82253)
ارسال03/03/2025 11:10 AM (1 سنة منذ)
الاعتدال11/03/2025 07:06 AM (8 days later)
الحالةتمت الموافقة
إدخال VulDB299202 [libzvbi حتى 0.2.43 src/conv.c vbi_strndup_iconv_ucs2 src_length الكشف عن المعلومات]
النقاط17

التالي نظرة عامة السابق

Do you want to use VulDB in your project?

Use the official API to access entries easily!