| Title | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption) |
|---|---|
| Description | The function vbi_capture_sim_load_caption has an integer overflow vulnerability that could lead to a heap overflow vulnerability as a result of appending a string to a LONG_MAX-sized string and calling realloc on the original buffer with a smaller size. |
```c
// This vulnerability occurs when a LONG_MAX-sized string gets appended with more data,
// resulting in a reallocation that resets the size of the buffer to a smaller size than
// what it needs to contain, in case it needs to append more data to the string.
vbi_bool
vbi_capture_sim_load_caption (vbi_capture * cap,
                              const char * stream,
                              vbi_bool append)
{
	vbi_capture_sim *sim;
	struct buffer *b;
	unsigned int ch;
	const char *s;

	assert (NULL != cap);
	sim = PARENT (cap, vbi_capture_sim, cap);
	assert (MAGIC == sim->magic);
	...
	if (!append) {
		vbi_free (sim->caption_buffers[0].data);
		vbi_free (sim->caption_buffers[1].data);
		CLEAR (sim->caption_buffers);
		sim->caption_i = 0;
	}
	...
	b = &sim->caption_buffers[0];
	for (s = stream;;) {
		int c = *s++;
		...
		// decoding logic
		...
		if (b->size >= b->capacity) {
			// Dereferences the capacity value, which could be LONG_MAX at the latest
			// iteration; it doesn't get bounds-checked and triggers an under-reallocation
			// upon another call which appends to that string.
			if (!extend_buffer (b, b->capacity + 256))
				return FALSE;
		}
		b->data[b->size++] = vbi_par8 (c); // writes to the re-allocated buffer
	}
	return TRUE;
}
```
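The growth step described above, shown as an added example that is neither the submitter's nor libzvbi's code: a minimal growable buffer (assumed to use a `size_t` capacity) with the unchecked `capacity + 256` reallocation beside a hardened variant that rejects a wrapped sum before calling realloc. The near-max scenario is simulated with a fake `capacity`/`size` and no real allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical reconstruction of the growable buffer (not libzvbi's code). */
struct buffer { uint8_t *data; size_t size; size_t capacity; };

/* Unchecked pattern from the report: the caller passes capacity + 256 and nothing
 * catches the sum wrapping below the current size, so realloc shrinks the block. */
static bool extend_buffer_unchecked(struct buffer *b, size_t new_capacity)
{
    uint8_t *p = realloc(b->data, new_capacity);
    if (p == NULL) return false;
    b->data = p;
    b->capacity = new_capacity;
    return true;
}

/* Hardened variant: the callee computes the new capacity and refuses a
 * request that wraps or would no longer hold the bytes already stored. */
static bool extend_buffer_checked(struct buffer *b, size_t increment)
{
    if (b->capacity > SIZE_MAX - increment) return false; /* sum would wrap */
    if (b->capacity + increment < b->size) return false;  /* cannot hold data */
    return extend_buffer_unchecked(b, b->capacity + increment);
}

/* Grow a fresh buffer `steps` times by 256 and return the final capacity. */
static size_t capacity_after_growing(unsigned steps)
{
    struct buffer b = {NULL, 0, 0};
    for (unsigned i = 0; i < steps; i++) extend_buffer_checked(&b, 256);
    size_t cap = b.capacity;
    free(b.data);
    return cap;
}

/* Simulated nearly-full buffer (no real allocation; data stays NULL).
 * Unchecked path: capacity wraps to 155 while size stays huge. */
static size_t unchecked_capacity_near_max(void)
{
    struct buffer b = {NULL, SIZE_MAX - 100, SIZE_MAX - 100};
    extend_buffer_unchecked(&b, b.capacity + 256);
    size_t cap = b.capacity;
    free(b.data);
    return cap;
}

/* Same scenario through the checked path: growth is refused. */
static bool checked_refuses_near_max(void)
{
    struct buffer b = {NULL, SIZE_MAX - 100, SIZE_MAX - 100};
    return !extend_buffer_checked(&b, 256);
}
```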
| User | ninpwn (UID 82253) |
|---|---|
| Submitted | 2025. 03. 03. AM 11:20 (1 year ago) |
| Moderation | 2025. 03. 11. AM 07:06 (8 days later) |
| Status | Accepted |
| VulDB Entry | 299205 [libzvbi up to 0.2.43 src/io-sim.c vbi_capture_sim_load_caption memory corruption] |
| Points | 17 |