| 标题 | Open Source libzvbi 0.2.43 Uninitialized Heap Read |
|---|
| 描述 | In the function vbi_strndup_iconv_ucs2 the attacker can send a length equal to 0, which would enable them to read uninitialized data from a minimum-sized chunk on the heap.
/* Public entry point. Only the call into strndup_iconv_from_ucs2 is shown;
 * the "..." regions elide the rest of the body.
 * dst_codeset, src and src_length arrive from the caller and are forwarded
 * unchanged to the helper. No validation of src_length (zero or negative) is
 * visible in this excerpt — NOTE(review): confirm against the full source
 * whether the elided code performs one. */
char *vbi_strndup_iconv_ucs2(const char *dst_codeset, const uint16_t *src, long src_length, int repl_char)
{
char *buffer;
char *result;
unsigned long size; // output byte count filled in by the helper (see its out_size parameter)
...
/// user controlled src_length & src buffer — passed straight through, no range check shown here
buffer = strndup_iconv_from_ucs2 (&size,
dst_codeset,
src, src_length,
repl_char);
...
}
/* Dispatch helper. A NULL dst_codeset, or one that same_codeset() treats as
 * "UTF8", is routed to the hand-written UCS-2 -> UTF-8 encoder; every other
 * codeset takes the elided path below. src_length is forwarded as received —
 * no range check is visible in this excerpt. */
static char *strndup_iconv_from_ucs2(unsigned long *out_size, const char *dst_codeset, const uint16_t *src, long src_length, int repl_char)
{
char *buffer;
unsigned long buffer_size;
...
if (NULL == dst_codeset || same_codeset (dst_codeset, "UTF8")) {
return strndup_utf8_ucs2 (out_size, src, src_length); // calls the vulnerable function for "UTF8" encoded strings
}
...
}
/* Encodes src_length UCS-2 code units as UTF-8 into a freshly allocated,
 * NUL-terminated buffer that the caller owns. Allocates src_length * 3 + 1
 * bytes: a 16-bit unit expands to at most 3 bytes, plus one for the terminator.
 * On success *out_size (if non-NULL) receives the byte length excluding the
 * terminator. Returns NULL if vbi_malloc fails.
 *
 * NOTE(review): the "..." below may hide a check on src_length; none is
 * visible here. As written, a negative src_length makes src_length * 3 + 1
 * negative before conversion to the allocator's size type, and
 * end = src + src_length points before the array — both undefined behaviour.
 * A src_length large enough that src_length * 3 overflows long is likewise
 * unchecked in this excerpt. Confirm against the full source. */
static char *strndup_utf8_ucs2(unsigned long * out_size, const uint16_t * src, long src_length)
{
char *d;
char *buffer;
const uint16_t *end;
...
buffer = vbi_malloc (src_length * 3 + 1); // src_length = 0 would allocate the minimum sized chunk to buffer (a 1-byte request)
if (NULL == buffer)
return NULL;
d = buffer;
/* Each unit is encoded on its own: there is no surrogate-pair handling, so a
 * unit in 0xD800..0xDFFF is emitted as a 3-byte sequence like any other value. */
for (end = src + src_length; src < end; ++src) { // with src_length = 0, end == src, so src < end is false and the body never runs
unsigned int c = *src;
if (c < 0x80) { // 1-byte sequence (ASCII)
*d++ = c;
} else if (c < 0x800) { // 2-byte sequence
d[0] = 0xC0 | (c >> 6);
d[1] = 0x80 | (c & 0x3F);
d += 2;
} else { // 3-byte sequence; c is at most 0xFFFF, so there is no 4-byte case
d[0] = 0xE0 | (c >> 12);
d[1] = 0x80 | ((c >> 6) & 0x3F);
d[2] = 0x80 | (c & 0x3F);
d += 3;
}
}
if (NULL != out_size)
*out_size = d - buffer; // bytes written, terminator excluded (0 when the loop did not run)
*d = 0; // for src_length = 0 this writes buffer[0], so the result is "" in a 1-byte allocation
/* NOTE(review): assuming vbi_malloc returns exactly the requested size, only
 * *out_size + 1 bytes (here: the single terminator) belong to the object. The
 * remaining bytes of the underlying allocator chunk (the 0x20 mentioned below)
 * lie outside the allocation, so a caller can only observe them by reading
 * past out_size / the terminator, i.e. an out-of-bounds read on the caller's
 * side. Confirm vbi_malloc's semantics and how callers consume size. */
return buffer; // returns a buffer with 0x20 bytes of uninitialized heap data
} |
|---|
| 用户 | ninpwn (UID 82253) |
|---|
| 提交 | 2025-03-03 11時10分 (1 年前) |
|---|
| 管理 | 2025-03-11 07時06分 (8 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 299202 [libzvbi 直到 0.2.43 src/conv.c vbi_strndup_iconv_ucs2 src_length 信息公开] |
|---|
| 积分 | 17 |
|---|