stack-buffer-overflow in function compress_symbolic_block_for_partition_2planes() #296
Comments
This issue is caused by a read from a 32-entry weight array using a direct texel index when the actual weight grid is decimated. This can read an index >= 32 if partition texel count is high enough, resulting in a load off the end of the array. In the overflow case the incorrect value loaded is immediately overwritten by a valid value, so there is no visible impact on program stability unless the first read exceeds the stack limit and triggers a fault. A fix so that the incorrect reads are correctly guarded by block decimation state is on
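The guard described in the comment above, as an added example that is not the project's code or part of the original thread: a direct `weights[texel]` read is only safe when the grid is not decimated, otherwise the texel has to be mapped to stored weight indices first. The `decimation` struct, `MAX_TEXELS`, the function names and the sample data are hypothetical and constructed for illustration; only the 32-entry array size comes from the comment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_WEIGHTS 32  /* size of the weight array named in the issue */
#define MAX_TEXELS  64  /* assumed cap for this sketch */

/* Hypothetical, simplified decimation table (not the project's structure):
   each texel is interpolated from two stored weights. */
typedef struct {
    size_t texel_count, weight_count;
    unsigned char w0[MAX_TEXELS], w1[MAX_TEXELS];
    unsigned char frac[MAX_TEXELS];           /* share of w1, 0..16 */
} decimation;

/* Writes the texel's weight to *out; false if an index would leave the array. */
static bool texel_weight(const decimation *d, const float *weights,
                         size_t texel, float *out)
{
    if (d->texel_count > MAX_TEXELS || d->weight_count > MAX_WEIGHTS ||
        texel >= d->texel_count)
        return false;
    if (d->texel_count == d->weight_count) {  /* not decimated */
        *out = weights[texel];                /* texel < weight_count <= 32 */
        return true;
    }
    /* Decimated: the texel index is not a weight index; go through the table. */
    size_t a = d->w0[texel], b = d->w1[texel];
    if (a >= d->weight_count || b >= d->weight_count)
        return false;
    float f = d->frac[texel] / 16.0f;
    *out = weights[a] * (1.0f - f) + weights[b] * f;
    return true;
}

/* Constructed sample: 36 texels decimated to 4 weights {0,1,2,3}.
   Texel 35 would be index 35 of a 32-entry array if read directly. */
static float demo_weight(size_t texel)
{
    decimation d = { .texel_count = 36, .weight_count = 4 };
    float weights[MAX_WEIGHTS] = { 0.0f, 1.0f, 2.0f, 3.0f }, out;
    for (size_t t = 0; t < d.texel_count; t++) {
        d.w0[t] = (unsigned char)(t / 12);
        d.w1[t] = (unsigned char)(t / 12 + 1);
        d.frac[t] = (unsigned char)((t % 12) * 16 / 12);
    }
    return texel_weight(&d, weights, texel, &out) ? out : -1.0f;
}

int main(void) { printf("%.3f %.3f\n", demo_weight(35), demo_weight(36)); return 0; }
```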
2.x not impacted, so closing.
Thank you for your timely feedback. Would you like to assign a CVE to the vulnerability we found?
Hi @NISL-SecurityGroup, I was trying to reproduce this bug; however, the POC link is broken. Can you please provide me the file? I needed it to test a tool I am working on!
Sorry, I didn't notice your problem before. The repository has been set to private. I uploaded this poc on my personal repository again. Maybe you will need it. Poc file is this.
Version
Environment
Ubuntu 18.04,64 bit
Command
Compile test program:
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
$ make -j8
Compile test program with address sanitizer:
Result
The result of running without ASAN:
Information obtained by using ASAN:
Description
Poc
Poc file is this.