| Title | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption) |
|---|---|
| Description | The function vbi_capture_sim_load_caption has an integer overflow vulnerability that could lead to a heap overflow vulnerability as a result of appending a string to a LONG_MAX sized string and calling realloc on the original buffer with a smaller size. |

Code excerpt from the submission (src/io-sim.c, with the submitter's comments):

```c
// This vulnerability occurs when a LONG_MAX sized string gets appended with
// more data, resulting in a reallocation that resets the size of the buffer
// to a smaller size than what it needs to contain, in case it needs to append
// more data to the string.
vbi_bool
vbi_capture_sim_load_caption (vbi_capture * cap,
                              const char * stream,
                              vbi_bool append)
{
	vbi_capture_sim *sim;
	struct buffer *b;
	unsigned int ch;
	const char *s;

	assert (NULL != cap);
	sim = PARENT (cap, vbi_capture_sim, cap);
	assert (MAGIC == sim->magic);
	...
	if (!append) {
		vbi_free (sim->caption_buffers[0].data);
		vbi_free (sim->caption_buffers[1].data);
		CLEAR (sim->caption_buffers);
		sim->caption_i = 0;
	}
	...
	b = &sim->caption_buffers[0];
	for (s = stream;;) {
		int c = *s++;
		...
		// decoding logic
		...
		if (b->size >= b->capacity) {
			// Dereferences the capacity value, which could be LONG_MAX at
			// the latest iteration; it doesn't get bound checked and
			// triggers an under-reallocation upon another call which
			// appends to that string.
			if (!extend_buffer (b, b->capacity + 256))
				return FALSE;
		}
		b->data[b->size++] = vbi_par8 (c); // writes to the re-allocated buffer
	}
	return TRUE;
}
```
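The defect in the excerpt is the unchecked addition `b->capacity + 256`: once the capacity is near the top of its range the sum wraps, `extend_buffer` shrinks the allocation, and the following `b->data[b->size++]` writes past the end of the new, smaller block. The following C program is an added example, not code from libzvbi or from the submission, showing the growth logic with the wrap check in front of the arithmetic and a realloc helper that refuses to shrink a live buffer. `struct buffer`, its `size_t` fields and all function names here are assumptions chosen for the demonstration; the project's own types may differ.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the buffer the excerpt grows (field names
 * and types are assumptions for this example). */
struct buffer {
    uint8_t *data;
    size_t size;
    size_t capacity;
};

/* The unchecked expression from the vulnerable loop, kept only for
 * comparison: with cap near SIZE_MAX the sum wraps below cap. */
size_t unchecked_growth(size_t cap)
{
    return cap + 256;
}

/* Stores cap + increment in *out and returns 1, or returns 0 when the
 * addition would wrap. This is the check the excerpt lacks. */
int grow_capacity(size_t cap, size_t increment, size_t *out)
{
    if (cap > SIZE_MAX - increment)
        return 0;
    *out = cap + increment;
    return 1;
}

/* Hardened extend_buffer: never shrinks a live buffer and commits the
 * new capacity only after realloc succeeded. */
int extend_buffer_checked(struct buffer *b, size_t new_capacity)
{
    uint8_t *new_data;
    if (new_capacity <= b->capacity)
        return 0;
    new_data = realloc(b->data, new_capacity);
    if (new_data == NULL)
        return 0;
    b->data = new_data;
    b->capacity = new_capacity;
    return 1;
}

/* Append one byte, growing by 256 as the excerpt does, with the wrap
 * check ahead of the arithmetic so size never exceeds capacity. */
int buffer_push(struct buffer *b, uint8_t c)
{
    if (b->size >= b->capacity) {
        size_t new_cap;
        if (!grow_capacity(b->capacity, 256, &new_cap))
            return 0;
        if (!extend_buffer_checked(b, new_cap))
            return 0;
    }
    b->data[b->size++] = c;
    return 1;
}

/* Append a NUL-terminated string; returns the number of bytes appended. */
size_t buffer_append_str(struct buffer *b, const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; ++s, ++n)
        if (!buffer_push(b, (uint8_t)*s))
            break;
    return n;
}

/* Returns 1 when growth from a near-maximal capacity is refused. */
int refuses_wrapping_growth(void)
{
    size_t out = 0;
    return grow_capacity(SIZE_MAX - 100, 256, &out) == 0;
}

/* Returns 1 when a request to shrink a 512-byte buffer is refused. */
int refuses_shrink(void)
{
    struct buffer b = { NULL, 0, 0 };
    int ok;
    if (!extend_buffer_checked(&b, 512))
        return 0;
    ok = extend_buffer_checked(&b, 256) == 0 && b.capacity == 512;
    free(b.data);
    return ok;
}

/* Constructed input: append 300 bytes to an empty buffer and return the
 * resulting capacity (two growth steps of 256), or 0 on failure. */
size_t demo_append_300(void)
{
    struct buffer b = { NULL, 0, 0 };
    char text[301];
    size_t cap;
    memset(text, 'x', 300);
    text[300] = '\0';
    if (buffer_append_str(&b, text) != 300) {
        free(b.data);
        return 0;
    }
    cap = b.capacity;
    free(b.data);
    return cap;
}

int main(void)
{
    printf("unchecked growth from SIZE_MAX-100: %zu\n",
           unchecked_growth(SIZE_MAX - 100));
    printf("wrapping growth refused: %d\n", refuses_wrapping_growth());
    printf("shrink refused: %d\n", refuses_shrink());
    printf("capacity after 300 bytes: %zu\n", demo_append_300());
    return 0;
}
```

The two checks are independent: `grow_capacity` stops the wrap before it reaches `realloc`, and `extend_buffer_checked` is a second line of defence that makes an under-reallocation impossible even if a caller computes the new size some other way.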
| User | ninpwn (UID 82253) |
|---|---|
| Submission | 03/03/2025 11:20 (1 year ago) |
| Moderation | 11/03/2025 07:06 (8 days later) |
| Status | Accepted |
| VulDB Entry | 299205 [libzvbi up to 0.2.43 src/io-sim.c vbi_capture_sim_load_caption buffer overflow] |
| Points | 17 |