Submit #512798: Open Source libzvbi 0.2.43 Uninitialized Heap Read

Info

Title: Open Source libzvbi 0.2.43 Uninitialized Heap Read
Description: In the function vbi_strndup_iconv_ucs2 the attacker can send a length that is equal to 0 that would enable them to read uninitialized data from a minimum sized chunk on the heap.

    char *vbi_strndup_iconv_ucs2(const char *dst_codeset, const uint16_t *src,
                                 long src_length, int repl_char)
    {
        char *buffer;
        char *result;
        unsigned long size;
        ...
        /// user controlled src_length & src buffer
        buffer = strndup_iconv_from_ucs2 (&size, dst_codeset, src, src_length, repl_char);
        ...
    }

    static char *strndup_iconv_from_ucs2(unsigned long *out_size, const char *dst_codeset,
                                         const uint16_t *src, long src_length, int repl_char)
    {
        char *buffer;
        unsigned long buffer_size;
        ...
        if (NULL == dst_codeset || same_codeset (dst_codeset, "UTF8")) {
            return strndup_utf8_ucs2 (out_size, src, src_length); // calls the vulnerable function for "UTF8" encoded strings
        }
        ...
    }

    static char *strndup_utf8_ucs2(unsigned long * out_size, const uint16_t * src,
                                   long src_length)
    {
        char *d;
        char *buffer;
        const uint16_t *end;
        ...
        buffer = vbi_malloc (src_length * 3 + 1); // src_length = 0 would allocate the minimum sized chunk to buffer
        if (NULL == buffer)
            return NULL;
        d = buffer;
        for (end = src + src_length; src < end; ++src) { // src would be < end so the loop doesn't get executed and the buffer is returned with uninitialized data
            unsigned int c = *src;
            if (c < 0x80) {
                *d++ = c;
            } else if (c < 0x800) {
                d[0] = 0xC0 | (c >> 6);
                d[1] = 0x80 | (c & 0x3F);
                d += 2;
            } else {
                d[0] = 0xE0 | (c >> 12);
                d[1] = 0x80 | ((c >> 6) & 0x3F);
                d[2] = 0x80 | (c & 0x3F);
                d += 3;
            }
        }
        if (NULL != out_size)
            *out_size = d - buffer;
        *d = 0;
        return buffer; // returns a buffer with 0x20 bytes of uninitialized heap data
    }
User: ninpwn (UID 82253)
Submission: 03.03.2025 11:10 (1 year ago)
Moderation: 11.03.2025 07:06 (8 days later)
Status: accepted
VulDB entry: 299202 [libzvbi up to 0.2.43 src/conv.c vbi_strndup_iconv_ucs2 src_length information disclosure]
Points: 17
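
Added example (not code from libzvbi or from the submission): the C sketch below re-types the sizing and conversion loop of the strndup_utf8_ucs2 excerpt and counts how many bytes of the requested allocation the conversion leaves unwritten, once with a poisoned fill and once with a zero fill. The names unwritten_bytes and POISON, the negative-length guard and the sample inputs are assumptions made for this example; it goes beyond the src_length = 0 case, and allocator slack beyond the requested size is not measured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAA /* constructed marker for "never written" bytes */
/* Runs the sizing and conversion loop of the strndup_utf8_ucs2 excerpt on a
 * pre-filled allocation (POISON, or 0 when zero_fill is set) and returns how
 * many bytes after the terminator the conversion never wrote. */
long unwritten_bytes(const uint16_t *src, long src_length, int zero_fill,
                     unsigned long *out_size)
{
    if (NULL == src || src_length < 0) /* added guard, not in the excerpt */
        return -1;
    size_t n = (size_t)src_length * 3 + 1; /* worst case: 3 bytes per unit */
    unsigned char *buffer = malloc(n);
    if (NULL == buffer)
        return -1;
    memset(buffer, zero_fill ? 0 : POISON, n);
    unsigned char *d = buffer;
    for (const uint16_t *end = src + src_length; src < end; ++src) {
        unsigned int c = *src;
        if (c < 0x80) {
            *d++ = c;
        } else if (c < 0x800) {
            *d++ = 0xC0 | (c >> 6);
            *d++ = 0x80 | (c & 0x3F);
        } else {
            *d++ = 0xE0 | (c >> 12);
            *d++ = 0x80 | ((c >> 6) & 0x3F);
            *d++ = 0x80 | (c & 0x3F);
        }
    }
    *out_size = (unsigned long)(d - buffer);
    *d = 0;
    long count = 0;
    for (unsigned char *p = d + 1; p < buffer + n; ++p)
        count += (*p == POISON);
    free(buffer);
    return count;
}

int main(void)
{
    const uint16_t ascii[] = { 'A', 'B' }; /* constructed sample input */
    unsigned long size;
    printf("len 0: %ld, len 2: %ld, len 2 zero-filled: %ld\n",
           unwritten_bytes(ascii, 0, 0, &size), unwritten_bytes(ascii, 2, 0, &size),
           unwritten_bytes(ascii, 2, 1, &size));
    return 0;
}
```

Consumers that bound their reads by the returned size or the terminator never touch the unwritten tail; zero-filling the allocation removes stale contents from it.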
