| Titre | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (_vbi_strndup_iconv) |
|---|
| Description | The function _vbi_strndup_iconv has an integer overflow vulnerability that could result in an under allocation and a crash.
char *_vbi_strndup_iconv(unsigned long *out_size, const char *dst_codeset,const char *src_codeset, const char * src, unsigned long src_size, int repl_char)
{
if (same_codeset (dst_codeset, src_codeset)) {
return strndup_identity (out_size, src, src_size);
} ...
}
static char *strndup_identity(unsigned long *out_size, const char *src, unsigned long src_size)
{
char *buffer;
buffer = vbi_malloc (src_size + 4); // src_size is user controlled and LONG_MAX + 4 would result in an under allocation
if (NULL == buffer) {
if (NULL != out_size)
*out_size = 0;
return NULL;
}
memcpy (buffer, src, src_size); // copying a greater amount of bytes than the size of the under allocated buffer due to the arithmetic operation in malloc
memset (buffer + src_size, 0, 4);
if (NULL != out_size)
*out_size = src_size;
return buffer;
} |
|---|
| Utilisateur | ninpwn (UID 82253) |
|---|
| Soumission | 03/03/2025 11:18 (il y a 1 Année) |
|---|
| Modérer | 11/03/2025 07:06 (8 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 299204 [libzvbi jusqu’à 0.2.43 _vbi_strndup_iconv buffer overflow] |
|---|
| Points | 17 |
|---|