| 标题 | Open Source libgsf <=1.14.53 Uninitalized Heap Read (gsf_base64_encode_simple) |
|---|
| 描述 | The vulnerability arises because the null terminator is written based on an unsynchronized size argument, allowing uninitialized heap data to be included in the base64 encoded output.
guint8 *
gsf_base64_encode_simple (guint8 const *data, size_t len)
{
guint8 *out;
int state = 0;
guint save = 0;
gboolean break_lines = TRUE; /* This differs from g_base64_encode */
size_t outlen = len * 4 / 3 + 5; // Compute the estimated output buffer size.
if (break_lines)
outlen += outlen / 72 + 1; // Account for line breaks in Base64 output.
out = g_new (guint8, outlen); // Allocate the buffer on the heap.
outlen = gsf_base64_encode_close (data, len, break_lines,
out, &state, &save);
// Here, `out[outlen] = '\0';` assumes that `outlen` is a valid index within `out`,
// but `outlen` is calculated based on the actual bytes written, which might be
// *less than* the originally allocated buffer size. If `gsf_base64_encode_close`
// did not write as much data as expected (e.g., due to input size), `outlen`
// might point beyond the valid written range, leaving uninitialized bytes in `out`.
out[outlen] = '\0';
return out;
}
|
|---|
| 用户 | ninpwn (UID 82253) |
|---|
| 提交 | 2025-03-13 21時17分 (1 年前) |
|---|
| 管理 | 2025-03-24 13時46分 (11 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 300740 [GNOME libgsf 直到 1.14.53 gsf_base64_encode_simple size 信息公开] |
|---|
| 积分 | 17 |
|---|