| Title | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_search_new) |
|---|
| Description | The function `vbi_search_new` attempts to find a pattern in a passed string. It takes `pat_len`, which is user controlled, as the argument for `malloc` while performing an arithmetic operation in the call without checking any bounds, which ultimately could result in a minimum sized chunk allocation.

```c
if (!regexp) { // user controlled, set to False
    if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) { // integer overflow -> under allocation, pat_len is user controlled
        free(s);
        return NULL;
    }
    for (i = j = 0; i < pat_len; i++) {
        if (strchr("!\"#$%&()*+,-./:;=?@[\\]^_{|}~", pattern[i]))
            esc_pat[j++] = '\\';
        esc_pat[j++] = pattern[i]; /* effectively can be written to 'everywhere' on the heap starting from esc_pat */
    }
    pattern = esc_pat;
    pat_len = j;
}
```
|
|---|
| User | ninpwn (UID 82253) |
|---|
| Submission | 03/03/2025 11:22 AM (1 year ago) |
|---|
| Moderation | 11/03/2025 07:06 AM (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299206 [libzvbi up to 0.2.43 src/search.c vbi_search_new pat_len buffer overflow] |
|---|
| Points | 17 |
|---|
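
An added example, not code from libzvbi or from the submission: it evaluates the reported size expression to show the wrap, then runs the same escaping loop behind a bounds check. It assumes `ucs2_t` is a 16-bit unit and `pat_len` is a `size_t`; the names `unchecked_alloc_size` and `escape_pattern_checked` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t ucs2_t;   /* assumption: 16-bit code unit */

/* Size expression as written in the report, evaluated in size_t.
   Returns the (possibly wrapped) byte count that would reach malloc(). */
static size_t unchecked_alloc_size(size_t pat_len)
{
    return sizeof(ucs2_t) * pat_len * 2;
}

/* Hardened escape step (hypothetical helper): refuse lengths whose doubled
   size cannot be represented, so the write loop never outruns the buffer.
   Returns a malloc'd buffer (caller frees) or NULL; *out_len receives j. */
static ucs2_t *escape_pattern_checked(const ucs2_t *pattern, size_t pat_len,
                                      size_t *out_len)
{
    static const char special[] = "!\"#$%&()*+,-./:;=?@[\\]^_{|}~";
    ucs2_t *esc_pat;
    size_t i, j;

    if (pat_len > SIZE_MAX / (sizeof(ucs2_t) * 2))
        return NULL;                        /* size would wrap */
    /* at least one unit, so NULL always means failure */
    esc_pat = malloc(sizeof(ucs2_t) * (pat_len ? pat_len * 2 : 1));
    if (!esc_pat)
        return NULL;
    for (i = j = 0; i < pat_len; i++) {
        /* strchr() compares as char: only test code units 1..0x7F */
        if (pattern[i] > 0 && pattern[i] < 0x80 && strchr(special, pattern[i]))
            esc_pat[j++] = '\\';
        esc_pat[j++] = pattern[i];          /* j <= 2 * pat_len always */
    }
    *out_len = j;
    return esc_pat;
}

int main(void)
{
    const ucs2_t pat[] = { 'a', '.', 'b' };  /* constructed sample input */
    size_t n = 0;
    ucs2_t *e = escape_pattern_checked(pat, 3, &n);
    int ok = e && n == 4 && unchecked_alloc_size(SIZE_MAX / 4 + 1) == 0;
    free(e);
    return ok ? 0 : 1;
}
```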