Submission #512802: Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption)

Information

Title: Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption)
Description: The function vbi_capture_sim_load_caption has an integer overflow vulnerability that could lead to a heap overflow vulnerability as a result of appending a string to a LONG_MAX-sized string and calling realloc on the original buffer with a smaller size.

    // this vulnerability occurs when a LONG_MAX-sized string gets appended with more data,
    // resulting in a reallocation that resets the size of the buffer to a smaller size than
    // what it needs to contain in case it needs to append more data to the string.
    vbi_bool
    vbi_capture_sim_load_caption (vbi_capture * cap, const char * stream, vbi_bool append)
    {
        vbi_capture_sim *sim;
        struct buffer *b;
        unsigned int ch;
        const char *s;

        assert (NULL != cap);
        sim = PARENT (cap, vbi_capture_sim, cap);
        assert (MAGIC == sim->magic);
        ...
        if (!append) {
            vbi_free (sim->caption_buffers[0].data);
            vbi_free (sim->caption_buffers[1].data);
            CLEAR (sim->caption_buffers);
            sim->caption_i = 0;
        }
        ...
        b = &sim->caption_buffers[0];
        for (s = stream;;) {
            int c = *s++;
            ...
            // decoding logic
            ...
            if (b->size >= b->capacity) {
                // dereferences the capacity value, which could be LONG_MAX at the latest
                // iteration, doesn't get bounds-checked and triggers an under-reallocation
                // upon another call which appends to that string
                if (!extend_buffer (b, b->capacity + 256))
                    return FALSE;
            }
            b->data[b->size++] = vbi_par8 (c); // writes to the re-allocated buffer
        }
        return TRUE;
    }
User: ninpwn (UID 82253)
Submitted: 03.03.2025 11:20 (1 year ago)
Moderation: 11.03.2025 07:06 (8 days later)
Status: accepted
VulDB Entry: 299205 [libzvbi up to 0.2.43 src/io-sim.c vbi_capture_sim_load_caption memory corruption]
Points: 17
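The growth pattern the submission describes, `capacity + 256` handed straight to a reallocator, is shown below as an added example written for this page; it is not libzvbi's own extend_buffer() or buffer layout. It assumes an unsigned int capacity field and a fixed 256-byte growth step (the submitter speaks of LONG_MAX; the wrap is the same for any width once the field is within 256 of its maximum). The unchecked function reproduces the arithmetic the vulnerable loop performs, and the checked variant refuses to grow when the addition would wrap, so a later write can never land in a buffer that was shrunk by the overflowed request.

```c
/* Model of the buffer-growth pattern in the submission. Example code
 * written for this page, not libzvbi's extend_buffer(); the field widths
 * and the 256-byte growth step are assumptions taken from the snippet. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define GROW_STEP 256u

struct buffer {
    char *data;
    unsigned int size;      /* bytes in use */
    unsigned int capacity;  /* bytes allocated */
};

/* The arithmetic the vulnerable loop performs: capacity + 256 with no
 * overflow check. When capacity > UINT_MAX - 256 the sum wraps and the
 * value returned is far smaller than the data already in the buffer. */
unsigned int next_capacity_unchecked(unsigned int capacity)
{
    return capacity + GROW_STEP;
}

/* Hardened variant: detect the wrap before the value reaches realloc().
 * Returns 0 on overflow (never a valid result, since a real sum is >= 256),
 * otherwise the new capacity. */
unsigned int next_capacity_checked(unsigned int capacity)
{
    if (capacity > UINT_MAX - GROW_STEP)
        return 0;
    return capacity + GROW_STEP;
}

/* Grow the buffer by GROW_STEP bytes, refusing on arithmetic overflow or
 * allocation failure. On failure the old buffer is left intact. */
int extend_buffer_checked(struct buffer *b)
{
    unsigned int new_capacity = next_capacity_checked(b->capacity);
    char *p;

    if (new_capacity == 0)
        return 0;
    p = realloc(b->data, new_capacity);
    if (p == NULL)
        return 0;
    b->data = p;
    b->capacity = new_capacity;
    return 1;
}

/* Append one byte, growing first when the buffer is full; this mirrors the
 * "if (b->size >= b->capacity) extend; b->data[b->size++] = c" shape. */
int append_byte(struct buffer *b, char c)
{
    if (b->size >= b->capacity && !extend_buffer_checked(b))
        return 0;
    b->data[b->size++] = c;
    return 1;
}

/* Append n constructed bytes across several growth boundaries and return
 * the final size (n on success, fewer if growth was refused). */
unsigned int demo_append(unsigned int n)
{
    struct buffer b = { NULL, 0, 0 };
    unsigned int i;

    for (i = 0; i < n; i++)
        if (!append_byte(&b, (char)('A' + i % 26)))
            break;
    free(b.data);
    return i;
}

/* Constructed scenario from the submission: a capacity already at the top
 * of its range (no memory is actually allocated for it). Returns 1 when
 * the unchecked sum wraps and the checked variant refuses it. */
int demo_refuses_wrap(void)
{
    unsigned int capacity = UINT_MAX - 100u;
    int unchecked_wrapped = next_capacity_unchecked(capacity) < capacity;
    int checked_refused = next_capacity_checked(capacity) == 0;

    return unchecked_wrapped && checked_refused;
}

int main(void)
{
    printf("unchecked request for UINT_MAX-100: %u\n",
           next_capacity_unchecked(UINT_MAX - 100u));
    printf("checked request for UINT_MAX-100: %u\n",
           next_capacity_checked(UINT_MAX - 100u));
    printf("appended %u bytes\n", demo_append(1000u));
    printf("wrap refused: %d\n", demo_refuses_wrap());
    return 0;
}
```

The check `capacity > UINT_MAX - GROW_STEP` is the general form: compare against the type's maximum minus the increment before adding, rather than testing the sum afterwards, since unsigned wrap is silent and signed overflow is undefined behaviour.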
