Submit #544227: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stbhw_build_tileset_from_image Integer Overflow → Under Allocati

Information

Title: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stbhw_build_tileset_from_image Integer Overflow → Under Allocati
Description: This vulnerability arises when calculating the memory allocation sizes for the tile arrays within the `stbhw_build_tileset_from_image` function. The function extracts configuration data from an image header to compute the number of horizontal and vertical tiles (`h_count` and `v_count`). These counts are then used to allocate memory for the tile pointers:

```c
ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);
```

- If the values for `h_count` or `v_count` are derived from untrusted header values and are manipulated to be excessively large, an integer overflow may occur during the multiplication (`sizeof(*ts->h_tiles) * h_count` or its vertical counterpart). This overflow results in an allocation size smaller than intended (under allocation), leading to subsequent writes potentially overflowing the allocated memory.
- The vulnerability is particularly dangerous because the arithmetic for calculating these counts depends on data that may be controlled by an attacker, and insufficient validation can result in exploitable memory corruption.
```c
STBHW_EXTERN int stbhw_build_tileset_from_image(stbhw_tileset *ts, unsigned char *data, int stride, int w, int h)
{
   int i, h_count, v_count;
   unsigned char header[9];
   stbhw_config c = { 0 };
   stbhw__process p = { 0 };

   // Extract binary header with potential out-of-bounds read (see Vulnerability 1)
   for (i = 0; i < 9; ++i)
      header[i] = data[w*3 - 1 - i] ^ (i * 55);

   // Extract header information based on the header type
   if (header[7] == 0xc0) {
      // corner-type
      c.is_corner = 1;
      for (i = 0; i < 4; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[4];
      c.num_vary_y = header[5];
      c.short_side_len = header[6];
   } else {
      // edge-type
      c.is_corner = 0;
      for (i = 0; i < 6; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[6];
      c.num_vary_y = header[7];
      c.short_side_len = header[8];
   }

   // Validate header values
   if (c.num_vary_x < 0 || c.num_vary_x > 64 || c.num_vary_y < 0 || c.num_vary_y > 64)
      return 0;
   if (c.short_side_len == 0)
      return 0;
   if (c.num_color[0] > 32 || c.num_color[1] > 32 || c.num_color[2] > 32 || c.num_color[3] > 32)
      return 0;

   // Calculate the number of horizontal and vertical tiles based on header configuration
   stbhw__get_template_info(&c, NULL, NULL, &h_count, &v_count);

   ts->is_corner = c.is_corner;
   ts->short_side_len = c.short_side_len;
   memcpy(ts->num_color, c.num_color, sizeof(ts->num_color));
   ts->max_h_tiles = h_count;
   ts->max_v_tiles = v_count;
   ts->num_h_tiles = ts->num_v_tiles = 0;

   // Allocation vulnerable to integer overflow:
   ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
   ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);

   p.ts = ts;
   p.data = data;
   p.stride = stride;
   p.process_h_rect = stbhw__parse_h_rect;
   p.process_v_rect = stbhw__parse_v_rect;
   p.w = w;
   p.h = h;
   p.c = &c;

   // Load all the tiles out of the image
   return stbhw__process_template(&p);
}
```
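A hardened form of the count and allocation arithmetic described above, as an added example that is not code from stb or from the submission. The helper names, the `1 << 20` cap and the sample factors are assumptions; the page does not show `stbhw__get_template_info`, so a tile count is modelled here as a product of header-derived integers.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Unchecked `elem_size * count` as computed where size_t is 32 bits wide,
   emulated with uint32_t so the wrap is visible on any host. */
static uint32_t unchecked_size32(uint32_t elem_size, int count)
{
    return elem_size * (uint32_t)count;  /* wraps modulo 2^32 */
}

/* Multiply two non-negative ints; return 0 instead of overflowing. */
static int mul_checked(int a, int b, int *out)
{
    if (a < 0 || b < 0) return 0;
    if (a != 0 && b > INT_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Assumed model: a tile count is a product of header-derived factors.
   Returns 1 and stores the count only if it is positive and fits an int. */
static int tile_count_checked(const int *factors, int n, int *count)
{
    int i, acc = 1;
    for (i = 0; i < n; ++i)
        if (!mul_checked(acc, factors[i], &acc)) return 0;
    if (acc <= 0) return 0;
    *count = acc;
    return 1;
}

/* Allocate `count` elements only when the count is within the caller's cap
   and count * elem_size cannot wrap size_t. */
static void *alloc_array_checked(int count, size_t elem_size, int max_count)
{
    if (count <= 0 || count > max_count) return NULL;
    if (elem_size == 0 || (size_t)count > SIZE_MAX / elem_size) return NULL;
    return malloc((size_t)count * elem_size);
}

int main(void)
{
    int big[] = { 255, 255, 255, 255, 64 };  /* constructed worst-case bytes */
    int count = 0;
    if (tile_count_checked(big, 5, &count)) return 1;       /* rejected */
    if (unchecked_size32(4u, 0x40000001) != 4u) return 1;   /* wrapped to 4 */
    return alloc_array_checked(-1, sizeof(void *), 1 << 20) != NULL;
}
```

A caller would also check the returned pointer for `NULL` before handing the arrays to the tile-loading step.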
User: ninpwn (UID 82253)
Submission: 27.03.2025 15:51 (1 year ago)
Moderation: 07.04.2025 12:56 (11 days later)
Status: accepted
VulDB entry: 303685 [Nothings stb up to f056911 stbhw_build_tileset_from_image h_count/v_count information disclosure]
Points: 17
