| Title | Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stbhw_build_tileset_from_image Integer Overflow → Under Allocati |
|---|
| Description | This vulnerability arises when calculating the memory allocation sizes for the tile arrays within the `stbhw_build_tileset_from_image` function. The function extracts configuration data from an image header to compute the number of horizontal and vertical tiles (`h_count` and `v_count`). These counts are then used to allocate memory for the tile pointers:
```c
ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);
```
- If the values for `h_count` or `v_count` are derived from untrusted header values and are manipulated to be excessively large, an integer overflow may occur during the multiplication (`sizeof(*ts->h_tiles) * h_count` or its vertical counterpart). This overflow results in an allocation size smaller than intended (under allocation), leading to subsequent writes potentially overflowing the allocated memory.
- The vulnerability is particularly dangerous because the arithmetic for calculating these counts depends on data that may be controlled by an attacker, and insufficient validation can result in exploitable memory corruption.
```c
STBHW_EXTERN int stbhw_build_tileset_from_image(stbhw_tileset *ts, unsigned char *data, int stride, int w, int h)
{
   int i, h_count, v_count;
   unsigned char header[9];
   stbhw_config c = { 0 };
   stbhw__process p = { 0 };

   // Extract binary header with potential out-of-bounds read (see Vulnerability 1)
   for (i = 0; i < 9; ++i)
      header[i] = data[w*3 - 1 - i] ^ (i * 55);

   // Extract header information based on the header type
   if (header[7] == 0xc0) {
      // corner-type
      c.is_corner = 1;
      for (i = 0; i < 4; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[4];
      c.num_vary_y = header[5];
      c.short_side_len = header[6];
   } else {
      // edge-type
      c.is_corner = 0;
      for (i = 0; i < 6; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[6];
      c.num_vary_y = header[7];
      c.short_side_len = header[8];
   }

   // Validate header values
   if (c.num_vary_x < 0 || c.num_vary_x > 64 || c.num_vary_y < 0 || c.num_vary_y > 64)
      return 0;
   if (c.short_side_len == 0)
      return 0;
   if (c.num_color[0] > 32 || c.num_color[1] > 32 || c.num_color[2] > 32 || c.num_color[3] > 32)
      return 0;

   // Calculate the number of horizontal and vertical tiles based on header configuration
   stbhw__get_template_info(&c, NULL, NULL, &h_count, &v_count);

   ts->is_corner = c.is_corner;
   ts->short_side_len = c.short_side_len;
   memcpy(ts->num_color, c.num_color, sizeof(ts->num_color));
   ts->max_h_tiles = h_count;
   ts->max_v_tiles = v_count;
   ts->num_h_tiles = ts->num_v_tiles = 0;

   // Allocation vulnerable to integer overflow:
   ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
   ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);

   p.ts = ts;
   p.data = data;
   p.stride = stride;
   p.process_h_rect = stbhw__parse_h_rect;
   p.process_v_rect = stbhw__parse_v_rect;
   p.w = w;
   p.h = h;
   p.c = &c;

   // Load all the tiles out of the image
   return stbhw__process_template(&p);
}
```
|
|---|
| User | ninpwn (UID 82253) |
|---|
| Submission | 27/03/2025 03:51 PM (1 year ago) |
|---|
| Moderation | 07/04/2025 12:56 PM (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 303685 [Nothings stb up to f056911 stbhw_build_tileset_from_image h_count/v_count information disclosure] |
|---|
| Points | 17 |
|---|
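
An overflow-checked form of the `sizeof(*ts->h_tiles) * h_count` size computation from the Description, shown beside the unchecked expression. This is an added example, not code from stb or from the submission; the helper names `unchecked_array_size`, `checked_array_size` and `alloc_ptr_array` are hypothetical, `void *` stands in for `stbhw_tile *`, and the sample counts are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The page's pattern, sizeof(*p) * count with an int count: the int is
   converted to size_t before multiplying, so a negative count becomes a
   huge value and the product wraps modulo SIZE_MAX + 1. */
static size_t unchecked_array_size(int count, size_t elem_size)
{
    return elem_size * (size_t)count;
}

/* Checked form: returns 0 and stores the byte size in *out, or returns -1
   when count is negative or count * elem_size does not fit in size_t. */
static int checked_array_size(int count, size_t elem_size, size_t *out)
{
    if (count < 0 || elem_size == 0)
        return -1;
    if ((size_t)count > SIZE_MAX / elem_size)
        return -1;
    *out = (size_t)count * elem_size;
    return 0;
}

/* Hypothetical replacement for malloc(sizeof(*p) * count); void * stands
   in for stbhw_tile *. Returns NULL instead of an undersized buffer. */
static void **alloc_ptr_array(int count)
{
    size_t bytes;
    if (count <= 0 || checked_array_size(count, sizeof(void *), &bytes) != 0)
        return NULL;
    return (void **)malloc(bytes);
}

int main(void)
{
    int counts[] = { 16, -1, INT_MIN };   /* constructed sample counts */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; ++i) {
        void **p = alloc_ptr_array(counts[i]);
        printf("count=%d unchecked=%zu bytes, checked alloc %s\n", counts[i],
               unchecked_array_size(counts[i], sizeof(void *)),
               p ? "ok" : "rejected");
        free(p);
    }
    return 0;
}
```

The caller still has to check the returned pointer for NULL before any tile pointer is stored through it.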