| タイトル | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (_vbi_strndup_iconv) |
|---|
| 説明 | The function _vbi_strndup_iconv has an integer overflow vulnerability that could result in an under allocation and a crash.
char *_vbi_strndup_iconv(unsigned long *out_size, const char *dst_codeset,const char *src_codeset, const char * src, unsigned long src_size, int repl_char)
{
if (same_codeset (dst_codeset, src_codeset)) {
return strndup_identity (out_size, src, src_size);
} ...
}
static char *strndup_identity(unsigned long *out_size, const char *src, unsigned long src_size)
{
char *buffer;
buffer = vbi_malloc (src_size + 4); // src_size is user controlled and LONG_MAX + 4 would result in an under allocation
if (NULL == buffer) {
if (NULL != out_size)
*out_size = 0;
return NULL;
}
memcpy (buffer, src, src_size); // copying a greater amount of bytes than the size of the under allocated buffer due to the arithmetic operation in malloc
memset (buffer + src_size, 0, 4);
if (NULL != out_size)
*out_size = src_size;
return buffer;
} |
|---|
| ユーザー | ninpwn (UID 82253) |
|---|
| 送信 | 2025年03月03日 11:18 (1 年 ago) |
|---|
| モデレーション | 2025年03月11日 07:06 (8 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 299204 [libzvbi 迄 0.2.43 _vbi_strndup_iconv メモリ破損] |
|---|
| ポイント | 17 |
|---|