Submit #520183: Open Source libgsf <=1.14.53 Integer Overflow -> Heap Overflow (gsf_property_settings_collec)info

TitleOpen Source libgsf <=1.14.53 Integer Overflow -> Heap Overflow (gsf_property_settings_collec)
DescriptionThe vulnerability arises from unchecked arithmetic during the dynamic expansion of the parameters array—adding 16 to n_alloced_params near SIZE_MAX can overflow, leading to underallocation and potential out-of-bounds writes to heap memory. void gsf_property_settings_collect_valist (GType object_type, GParameter **p_params, size_t *p_n_params, const gchar *first_property_name, va_list var_args) { ... size_t n_params = *p_n_params; size_t n_alloced_params = n_params; ... while (name) { ... if (n_params >= n_alloced_params) { n_alloced_params += 16; // If n_alloced_params is near SIZE_MAX, adding 16 may overflow. params = g_renew (GParameter, params, n_alloced_params); // underallocation as a result fof the arithmetic } params[n_params].name = name; //the 'write' logic, could attempt to derference an offset that isn't mapped, or write to arbitrary addresses on the heap ... n_params++; // another incrementation vector that could lead to an overflow in theory ... } ... }
User
 ninpwn (UID 82253)
Submission03/13/2025 21:22 (1 Year ago)
Moderation03/24/2025 13:46 (11 days later)
StatusAccepted
VulDB entry300743 [GNOME libgsf up to 1.14.53 gsf_property_settings_collec n_alloced_params heap-based overflow]
Points17

PreviousOverviewNext