| Title | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption) |
|---|
| Description | The function vbi_capture_sim_load_caption has an integer overflow vulnerability that could lead to a heap overflow vulnerability as a result of appending more data to a LONG_MAX-sized string and calling realloc on the original buffer with a smaller size. |

```c
// This vulnerability occurs when a LONG_MAX-sized string gets appended with
// more data, resulting in a reallocation that resets the size of the buffer
// to a smaller size than what it needs to contain in case it needs to append
// more data to the string.
vbi_bool
vbi_capture_sim_load_caption (vbi_capture *		cap,
			      const char *		stream,
			      vbi_bool			append)
{
	vbi_capture_sim *sim;
	struct buffer *b;
	unsigned int ch;
	const char *s;

	assert (NULL != cap);
	sim = PARENT (cap, vbi_capture_sim, cap);
	assert (MAGIC == sim->magic);
	...
	if (!append) {
		vbi_free (sim->caption_buffers[0].data);
		vbi_free (sim->caption_buffers[1].data);
		CLEAR (sim->caption_buffers);
		sim->caption_i = 0;
	}
	...
	b = &sim->caption_buffers[0];
	for (s = stream;;) {
		int c = *s++;
		...
		// decoding logic
		...
		if (b->size >= b->capacity) {
			// Uses b->capacity, which could be LONG_MAX on the last
			// iteration; the addition is not bounds-checked, so a
			// later call that appends to the string triggers an
			// under-sized reallocation.
			if (!extend_buffer (b, b->capacity + 256))
				return FALSE;
		}
		b->data[b->size++] = vbi_par8 (c); // writes to the re-allocated buffer
	}
	return TRUE;
}
```
|---|
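The following C program is an added example, not libzvbi's code and not part of the submission above. It models the `b->capacity + 256` growth step the description points at: the `struct buffer` layout, the `unsigned int` field types and the helper names (`grow_unchecked`, `grow_checked`, `extend_buffer_safe`, `append_byte`, `demo_load`, `demo_near_limit`) are assumptions made for illustration, and the real library's types may differ (the page states the capacity can reach LONG_MAX). The example never allocates a near-limit buffer; it forges the capacity counter to show what the unchecked addition computes, and places a hardened growth path beside it.

```c
/*
 * Added example (not libzvbi's code): models the b->capacity + 256 growth
 * step from vbi_capture_sim_load_caption. The struct layout, the unsigned
 * int field types and the helper names are assumptions for illustration.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct buffer {
	char *data;
	unsigned int size;      /* bytes in use */
	unsigned int capacity;  /* bytes allocated */
};

/* The vulnerable computation in isolation: the new capacity that would be
 * handed to realloc. With an unsigned counter the addition wraps silently
 * once capacity exceeds UINT_MAX - 256, yielding a value far below size. */
unsigned int grow_unchecked(unsigned int capacity)
{
	return capacity + 256u;
}

/* Hardened computation: refuse to grow when the addition would wrap. */
bool grow_checked(unsigned int capacity, unsigned int *new_capacity)
{
	if (capacity > UINT_MAX - 256u)
		return false;
	*new_capacity = capacity + 256u;
	return true;
}

/* Hardened extend_buffer: never accept a capacity that does not exceed the
 * current one, so a wrapped value cannot shrink the allocation under a size
 * counter that still indexes past it. */
bool extend_buffer_safe(struct buffer *b, unsigned int new_capacity)
{
	char *p;

	if (new_capacity <= b->capacity)
		return false;
	p = realloc(b->data, new_capacity);
	if (p == NULL)
		return false;
	b->data = p;
	b->capacity = new_capacity;
	return true;
}

/* Store one byte, growing through the checked path; returns false instead
 * of writing out of bounds when growth is impossible. */
bool append_byte(struct buffer *b, char c)
{
	unsigned int nc;

	if (b->size >= b->capacity) {
		if (!grow_checked(b->capacity, &nc))
			return false;
		if (!extend_buffer_safe(b, nc))
			return false;
	}
	b->data[b->size++] = c;
	return true;
}

/* Loads a constructed caption string through the safe path; returns the
 * number of bytes stored and, if requested, the resulting capacity. */
unsigned int demo_load(unsigned int *capacity_out)
{
	static const char sample[] = "constructed caption text"; /* 24 bytes */
	struct buffer b = { NULL, 0, 0 };
	const char *s;

	for (s = sample; *s != '\0'; s++)
		if (!append_byte(&b, *s))
			break;
	if (capacity_out != NULL)
		*capacity_out = b.capacity;
	free(b.data);
	return b.size;
}

/* Shows the wrap without allocating anything: counters forged to sit 100
 * bytes below UINT_MAX. Reports what the unchecked path computes and
 * returns whether the checked path would allow growth. */
bool demo_near_limit(unsigned int *wrapped_out)
{
	struct buffer b = { NULL, UINT_MAX - 100u, UINT_MAX - 100u };
	unsigned int nc;

	*wrapped_out = grow_unchecked(b.capacity);  /* wraps to 155 */
	return grow_checked(b.capacity, &nc);       /* false: growth refused */
}

int main(void)
{
	unsigned int wrapped, cap, n;

	n = demo_load(&cap);
	printf("safe load: %u bytes stored, capacity %u\n", n, cap);
	if (!demo_near_limit(&wrapped))
		printf("near limit: unchecked growth gives %u, checked growth refused\n", wrapped);
	return 0;
}
```

The two checks are deliberately independent: `grow_checked` rejects the wrapping addition before any allocation, and `extend_buffer_safe` rejects any request that would not enlarge the buffer, so either one alone prevents the under-sized realloc that the `b->data[b->size++]` write would otherwise run past.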
| User | ninpwn (UID 82253) |
|---|
| Submitted | 03/03/2025 11:20 (1 year ago) |
|---|
| Moderated | 11/03/2025 07:06 (8 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 299205 [libzvbi up to 0.2.43 src/io-sim.c vbi_capture_sim_load_caption buffer overflow] |
|---|
| Points | 17 |
|---|