| Title | Open Source libzvbi 0.2.43 Integer Overflow -> Heap Overflow (vbi_capture_sim_load_caption) |
|---|
| Description | The function vbi_capture_sim_load_caption (src/io-sim.c) contains an integer overflow that can turn into a heap overflow. The caption buffer is grown with extend_buffer (b, b->capacity + 256) and the addition is never checked for wrap-around. When data is appended to a caption buffer whose capacity is already LONG_MAX sized, b->capacity + 256 wraps to a small value, realloc is called on the original buffer with that smaller size, and the bytes appended afterwards are written past the end of the shrunken allocation.
// The overflow occurs when a LONG_MAX sized caption buffer is appended to (append == TRUE): the wrapped capacity makes the reallocation reset the buffer to a size smaller than the data it must hold, so further appends write out of bounds.
vbi_bool
vbi_capture_sim_load_caption (vbi_capture * cap,
const char * stream,
vbi_bool append)
{
vbi_capture_sim *sim;
struct buffer *b;
unsigned int ch;
const char *s;
assert (NULL != cap);
sim = PARENT (cap, vbi_capture_sim, cap);
assert (MAGIC == sim->magic);
...
if (!append) {
vbi_free (sim->caption_buffers[0].data);
vbi_free (sim->caption_buffers[1].data);
CLEAR (sim->caption_buffers);
sim->caption_i = 0;
}
...
b = &sim->caption_buffers[0];
for (s = stream;;) {
int c = *s++;
...
// decoding logic
...
if (b->size >= b->capacity) {
if (!extend_buffer (b, b->capacity + 256)) // reads b->capacity without bounds checking; when it is LONG_MAX sized on the last iteration the addition wraps, and the next appending call reallocates the buffer to the wrapped, smaller size
return FALSE;
}
b->data[b->size++] = vbi_par8 (c); // writes into the under-sized reallocated buffer: b->size is still larger than the wrapped capacity, so this store goes past the end of the allocation
}
return TRUE;
} |
|---|
| User | ninpwn (UID 82253) |
|---|
| Submitted | 2025-03-03 11:20 (1 year ago) |
|---|
| Moderation | 2025-03-11 07:06 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 299205 [libzvbi up to 0.2.43 src/io-sim.c vbi_capture_sim_load_caption memory corruption] |
|---|
| Points | 17 |
|---|
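The growth step described in the report, shown as an added example rather than libzvbi's own code: a model of the `capacity + 256` arithmetic next to a hardened growth routine that refuses to wrap, plus an append loop of the same shape as the one in the snippet. The `struct buffer` field widths, the function names (`unchecked_grow`, `checked_grow`, `extend_buffer_checked`, `append_bytes`, `demo_append_size`) and the 600-byte sample caption are assumptions made for this example; only the "grow by 256 and write one byte per iteration" pattern is taken from the report. The wrap is demonstrated on the arithmetic alone, since actually growing a heap buffer to the type's maximum is not practical on a test machine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the caption buffer used in the snippet above.
 * The field widths are an assumption for this example; only the
 * "capacity + 256" growth step comes from the report. */
struct buffer {
    uint8_t *data;
    unsigned int size;
    unsigned int capacity;
};

/* Growth arithmetic as reported: no check that the addition fits. */
unsigned int unchecked_grow(unsigned int capacity)
{
    return capacity + 256u; /* wraps once capacity > UINT_MAX - 256 */
}

/* Hardened version: returns 0 (never a valid grown size) when the
 * addition would wrap, instead of handing realloc a smaller size. */
unsigned int checked_grow(unsigned int capacity)
{
    if (capacity > UINT_MAX - 256u)
        return 0;
    return capacity + 256u;
}

/* True when the unchecked step would shrink the buffer, i.e. the
 * condition that turns the integer overflow into a heap overflow. */
bool grow_would_shrink(unsigned int capacity)
{
    return unchecked_grow(capacity) <= capacity;
}

/* extend_buffer with the invariant the reported code lacks: a grow
 * request must actually grow. Hypothetical replacement, not libzvbi's. */
bool extend_buffer_checked(struct buffer *b, unsigned int new_capacity)
{
    uint8_t *p;

    if (new_capacity <= b->capacity)
        return false;
    p = realloc(b->data, new_capacity);
    if (p == NULL)
        return false;
    b->data = p;
    b->capacity = new_capacity;
    return true;
}

/* The append loop from the report, using the checked growth step. */
bool append_bytes(struct buffer *b, const uint8_t *src, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (b->size >= b->capacity) {
            unsigned int nc = checked_grow(b->capacity);
            if (nc == 0 || !extend_buffer_checked(b, nc))
                return false;
        }
        b->data[b->size++] = src[i];
    }
    return true;
}

/* Appends a constructed 600-byte caption string to an empty buffer and
 * returns the resulting size (0 on failure); the buffer grows 256 -> 512
 * -> 768 along the way. */
unsigned int demo_append_size(void)
{
    struct buffer b = { NULL, 0, 0 };
    uint8_t msg[600];
    size_t i;
    unsigned int size;

    for (i = 0; i < sizeof msg; i++)
        msg[i] = (uint8_t)('A' + (i % 26)); /* constructed sample input */
    size = append_bytes(&b, msg, sizeof msg) ? b.size : 0;
    free(b.data);
    return size;
}

int main(void)
{
    unsigned int near_max = UINT_MAX - 100u;

    printf("unchecked: %u + 256 -> %u (shrinks: %s)\n", near_max,
           unchecked_grow(near_max), grow_would_shrink(near_max) ? "yes" : "no");
    printf("checked:   %u + 256 -> %u (0 = refused)\n", near_max,
           checked_grow(near_max));
    printf("appended %u bytes\n", demo_append_size());
    return 0;
}
```

The two checks are deliberately separate: `checked_grow` stops the arithmetic from wrapping, and `extend_buffer_checked` refuses any request that would not enlarge the allocation, so even a caller that computes a bad size some other way cannot shrink the buffer underneath a larger `size`.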