| 标题 | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow |
|---|
| 描述 | There is an integer overflow leading to a heap overflow in the exported function vbi_strndup_iconv_ucs2, which could lead to a denial of service (DoS).
/*
 * Public entry point (the report calls it an exported function): converts
 * a UCS-2 string of src_length 16-bit code units into dst_codeset.  Only
 * the call relevant to the report is shown; the elided parts ("...") are
 * not visible here, so the full contract (ownership of the returned
 * string, the role of 'result' and 'size') is not documented from this
 * excerpt.
 *
 * dst_codeset  target encoding name; a NULL value is treated downstream as
 *              UTF-8 by strndup_iconv_from_ucs2
 * src          UCS-2 input, src_length code units long
 * src_length   number of code units, declared as a signed long; nothing
 *              visible here rejects negative or very large values
 * repl_char    presumably the replacement for unconvertible code units --
 *              the conversion itself is not shown
 */
char *vbi_strndup_iconv_ucs2(const char *dst_codeset, const uint16_t *src, long src_length, int repl_char)
{
    char *buffer;
    char *result;
    unsigned long size;
    ...
    /* src and src_length are caller (user) controlled and are forwarded
     * unchanged: no range check on src_length is visible before this
     * call, so every callee must treat the length as untrusted. */
    buffer = strndup_iconv_from_ucs2 (&size,
    dst_codeset,
    src, src_length,
    repl_char);
    ...
}
/*
 * Dispatches a UCS-2 -> dst_codeset conversion.  Only the UTF-8 shortcut
 * is visible in this excerpt; the generic path (and whatever the elided
 * "..." lines contain) is not shown.
 *
 * out_size     receives the output length in bytes (NULL allowed by the
 *              UTF-8 path, see strndup_utf8_ucs2)
 * dst_codeset  target encoding; NULL or any name same_codeset() considers
 *              equal to "UTF8" selects the in-house UTF-8 encoder
 * src          UCS-2 input, src_length code units long
 * src_length   signed length in code units, passed through as-is
 * repl_char    replacement character for the non-UTF-8 path (not shown)
 *
 * Returns the converted string or NULL (the allocator's failure value is
 * propagated unchanged from the UTF-8 path).
 */
static char *strndup_iconv_from_ucs2(unsigned long *out_size, const char *dst_codeset, const uint16_t *src, long src_length, int repl_char)
{
    char *buffer;
    unsigned long buffer_size;
    ...
    if (NULL == dst_codeset || same_codeset (dst_codeset, "UTF8")) {
        /* UTF-8 (and the NULL default) bypasses iconv and goes to the
         * hand-written encoder.  src_length reaches it unvalidated: no
         * sign or range check is visible between the parameter and this
         * call, so the encoder's size arithmetic sees raw caller input. */
        return strndup_utf8_ucs2 (out_size, src, src_length);
    }
    ...
}
/*
 * Encodes src_length UCS-2 code units as UTF-8 into a freshly allocated,
 * NUL-terminated buffer.
 *
 * out_size    if non-NULL, receives the encoded length in bytes (without
 *             the terminator)
 * src         UCS-2 input; every code unit, including lone surrogates in
 *             0xD800..0xDFFF, is encoded -- there is no validity check
 * src_length  number of code units; a signed long that is used directly
 *             in the allocation arithmetic below
 *
 * Returns the buffer (ownership passes to the caller) or NULL when
 * vbi_malloc fails.
 *
 * Defect (the subject of this report): the allocation size is computed in
 * signed long arithmetic from an unvalidated length.  The worst case of
 * 3 bytes per code unit plus one NUL is correct in principle, but
 * src_length * 3 can overflow (undefined behaviour for signed long) and
 * yield a small value, after which the loop below writes up to
 * 3 * src_length + 1 bytes into a buffer that is far shorter -- a heap
 * overflow.  A negative src_length also makes 'end' point before src,
 * which is undefined as well.  The defensive fix is a range check before
 * the multiply, failing the same way as an allocation failure does:
 *     if (src_length < 0 || src_length > (LONG_MAX - 1) / 3)
 *         return NULL;
 * How the bad value reaches vbi_malloc (and whether a size_t conversion
 * happens there) depends on vbi_malloc's prototype, which is not shown.
 */
static char *strndup_utf8_ucs2(unsigned long * out_size, const uint16_t * src, long src_length)
{
    char *d;
    char *buffer;
    const uint16_t *end;
    ...
    /* Under-allocation on overflow: src_length * 3 + 1 is evaluated as a
     * long, so for a large enough src_length the result wraps (UB) to a
     * value much smaller than the bytes written below. */
    buffer = vbi_malloc (src_length * 3 + 1);
    if (NULL == buffer)
        return NULL;
    d = buffer;
    /* 'end' is computed from the same unvalidated length; for negative
     * src_length it lies before src, for an oversized one past the real
     * input, so the read side is unsafe too. */
    for (end = src + src_length; src < end; ++src) {
        /* uint16_t promotes to unsigned int, so c <= 0xFFFF and the
         * three branches cover every input value. */
        unsigned int c = *src;
        if (c < 0x80) {
            /* ASCII: one byte. */
            *d++ = c;
        } else if (c < 0x800) {
            /* two-byte sequence */
            d[0] = 0xC0 | (c >> 6);
            d[1] = 0x80 | (c & 0x3F);
            d += 2;
        } else {
            /* three-byte sequence; no surrogate check, so a lone
             * surrogate becomes an ill-formed 3-byte UTF-8 sequence */
            d[0] = 0xE0 | (c >> 12);
            d[1] = 0x80 | ((c >> 6) & 0x3F);
            d[2] = 0x80 | (c & 0x3F);
            d += 3;
        }
    } /* no bound on d: when the allocation above was truncated, these
       * writes run past the end of 'buffer'. */
    if (NULL != out_size)
        *out_size = d - buffer;
    /* Terminator: the "+ 1" in the allocation is reserved for this byte. */
    *d = 0;
    return buffer;
}
|
|---|
| 用户 | ninpwn (UID 82253) |
|---|
| 提交 | 2025-03-03 11時14分 (1 年前) |
|---|
| 管理 | 2025-03-11 07時06分 (8 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 299203 [libzvbi 直到 0.2.43 src/conv.c vbi_strndup_iconv_ucs2 src_length 内存损坏] |
|---|
| 积分 | 17 |
|---|