Submit #544227: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stbhw_build_tileset_from_image Integer Overflow → Under Allocati

Info

Title: Open Source STB Project (https://github.com/nothings/stb) Latest (<= commit f056911) stbhw_build_tileset_from_image Integer Overflow → Under Allocati

Description: This vulnerability arises when calculating the memory allocation sizes for the tile arrays within the `stbhw_build_tileset_from_image` function. The function extracts configuration data from an image header to compute the number of horizontal and vertical tiles (`h_count` and `v_count`). These counts are then used to allocate memory for the tile pointers:

```c
ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);
```

- If the values for `h_count` or `v_count` are derived from untrusted header values and are manipulated to be excessively large, an integer overflow may occur during the multiplication (`sizeof(*ts->h_tiles) * h_count` or its vertical counterpart). This overflow results in an allocation size smaller than intended (under allocation), leading to subsequent writes potentially overflowing the allocated memory.
- The vulnerability is particularly dangerous because the arithmetic for calculating these counts depends on data that may be controlled by an attacker, and insufficient validation can result in exploitable memory corruption.
```c
STBHW_EXTERN int stbhw_build_tileset_from_image(stbhw_tileset *ts, unsigned char *data, int stride, int w, int h)
{
   int i, h_count, v_count;
   unsigned char header[9];
   stbhw_config c = { 0 };
   stbhw__process p = { 0 };

   // Extract binary header with potential out-of-bounds read (see Vulnerability 1)
   for (i = 0; i < 9; ++i)
      header[i] = data[w*3 - 1 - i] ^ (i * 55);

   // Extract header information based on the header type
   if (header[7] == 0xc0) {
      // corner-type
      c.is_corner = 1;
      for (i = 0; i < 4; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[4];
      c.num_vary_y = header[5];
      c.short_side_len = header[6];
   } else {
      // edge-type
      c.is_corner = 0;
      for (i = 0; i < 6; ++i)
         c.num_color[i] = header[i];
      c.num_vary_x = header[6];
      c.num_vary_y = header[7];
      c.short_side_len = header[8];
   }

   // Validate header values
   if (c.num_vary_x < 0 || c.num_vary_x > 64 || c.num_vary_y < 0 || c.num_vary_y > 64)
      return 0;
   if (c.short_side_len == 0)
      return 0;
   if (c.num_color[0] > 32 || c.num_color[1] > 32 || c.num_color[2] > 32 || c.num_color[3] > 32)
      return 0;

   // Calculate the number of horizontal and vertical tiles based on header configuration
   stbhw__get_template_info(&c, NULL, NULL, &h_count, &v_count);

   ts->is_corner = c.is_corner;
   ts->short_side_len = c.short_side_len;
   memcpy(ts->num_color, c.num_color, sizeof(ts->num_color));

   ts->max_h_tiles = h_count;
   ts->max_v_tiles = v_count;
   ts->num_h_tiles = ts->num_v_tiles = 0;

   // Allocation vulnerable to integer overflow:
   ts->h_tiles = (stbhw_tile **) malloc(sizeof(*ts->h_tiles) * h_count);
   ts->v_tiles = (stbhw_tile **) malloc(sizeof(*ts->v_tiles) * v_count);

   p.ts = ts;
   p.data = data;
   p.stride = stride;
   p.process_h_rect = stbhw__parse_h_rect;
   p.process_v_rect = stbhw__parse_v_rect;
   p.w = w;
   p.h = h;
   p.c = &c;

   // Load all the tiles out of the image
   return stbhw__process_template(&p);
}
```
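One way to guard the two pointer-array allocations described above, as an added example that is not code from stb or from this submission. The names `checked_mul_size` and `alloc_ptr_array` and the `MAX_TILES` cap are hypothetical, chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on tile counts; not a constant from stb. */
#define MAX_TILES 65536

/* Store elem_size * count in *out and return 1 if the product fits in
   size_t; return 0 (leaving *out untouched) if it would wrap. */
static int checked_mul_size(size_t elem_size, size_t count, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = elem_size * count;
    return 1;
}

/* Allocate an array of `count` pointers. Rejects non-positive counts
   (a negative int converts to a huge size_t), counts above the cap,
   and byte sizes that would wrap. Caller frees the result. */
static void **alloc_ptr_array(int count)
{
    size_t bytes;
    if (count <= 0 || count > MAX_TILES)
        return NULL;
    if (!checked_mul_size(sizeof(void *), (size_t) count, &bytes))
        return NULL;
    return (void **) malloc(bytes);
}

int main(void)
{
    /* Constructed value: the smallest count whose byte size wraps. */
    size_t bad = SIZE_MAX / sizeof(void *) + 1;
    size_t bytes = 0;
    void **ok = alloc_ptr_array(16);

    printf("unchecked size for bad count: %zu\n", sizeof(void *) * bad);
    printf("checked_mul_size(bad): %d\n",
           checked_mul_size(sizeof(void *), bad, &bytes));
    printf("alloc_ptr_array(-1): %s\n", alloc_ptr_array(-1) ? "ptr" : "NULL");
    printf("alloc_ptr_array(16): %s\n", ok ? "ptr" : "NULL");
    free(ok);
    return 0;
}
```

A caller would also need to check the returned pointer for `NULL` before any tile pointer is stored through it.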
User: ninpwn (UID 82253)
Submission: 27/03/2025 15:51 (1 year ago)
Moderation: 07/04/2025 12:56 (11 days later)
Status: Accepted
VulDB entry: 303685 [Nothings stb up to f056911 stbhw_build_tileset_from_image h_count/v_count information disclosure]
Points: 17
