| タイトル | Open Source libgsf <=1.14.53 Out-of-Bounds Read (sorting_key_copy) |
|---|
| 説明 | The vulnerability occurs because the function copies an extra element—assuming a null terminator exists—resulting in an out-of-bounds read if the original allocation for sk->name didn't include space for that terminator.
static GsfMSOleSortingKey *gsf_msole_sorting_key_copy(GsfMSOleSortingKey *sk) {
GsfMSOleSortingKey *res = g_new(GsfMSOleSortingKey, 1);
res->len = sk->len;
// Allocate space for sk->len + 1 gunichar2 characters,
// assuming that sk->name contains a null terminator.
res->name = g_new(gunichar2, sk->len + 1);
// Copy (sk->len + 1) gunichar2 elements from sk->name into res->name.
// If sk->name was not originally allocated with (sk->len + 1) elements,
// this memcpy will read past the allocated memory (OOB read).
memcpy(res->name, sk->name, (sk->len + 1) * sizeof(gunichar2));
return res;
} |
|---|
| ユーザー | ninpwn (UID 82253) |
|---|
| 送信 | 2025年03月13日 21:24 (1 年 ago) |
|---|
| モデレーション | 2025年03月24日 13:46 (11 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 300744 [GNOME libgsf 迄 1.14.53 sorting_key_copy 名前 情報漏えい] |
|---|
| ポイント | 17 |
|---|