| 标题 | libretro RetroArch v1.20.0/v1.19.0/v1.18.0 Out-of-Bounds Read |
|---|
| 描述 | Title:
Out-of-Bounds Read in filestream_vscanf() of libretro RetroArch due to Missing sscanf() Result Check
Description:
A vulnerability in the filestream_vscanf() function of libretro's RetroArch (latest version at time of reporting) allows an attacker to trigger an out-of-bounds read due to improper handling of the return value from sscanf(). Specifically, the code fails to verify whether sscanf() returns 0, which results in the use of an uninitialized or attacker-controlled sublen value. This variable is used to increment a buffer iterator (bufiter), leading to out-of-bounds memory access.
An attacker can exploit this by crafting malicious format strings such as %*d%s or %d%*d%s, which can either leave sublen uninitialized or influence its value directly, enabling controlled memory leaks. This could expose sensitive data or lead to application instability. Found by Simcha Kosman
Affected Component:
filestream_vscanf() in libretro-common/streams/file_stream.c - https://github.com/libretro/RetroArch/blob/6c7522fef85825a1e376d5c11828f59134fda8d3/libretro-common/streams/file_stream.c#L298
Fixed At:
https://github.com/libretro/RetroArch/pull/17555 |
|---|
| 用户 | simkca (UID 81003) |
|---|
| 提交 | 2025-07-17 12時03分 (9 月前) |
|---|
| 管理 | 2025-08-19 07時31分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 320516 [libretro RetroArch 1.18.0/1.19.0/1.20.0 file_stream.c filestream_vscanf 信息公开] |
|---|
| 积分 | 17 |
|---|