Heap Buffer Overflow in listfdb (master, libming 0.4.8 and earlier) #104
This issue is coming from the following code part:

In the case of the reproducer, there is only one glyph, but listfdb is reading two and stores two glyphs in the

I'll submit a fix.
FTR, this issue was assigned id CVE-2018-6358.
hlef added a commit to hlef/libming that referenced this issue on Mar 11, 2018:
listfdb reads nGlyphs + 1 glyphs and stores them in an array of size nGlyphs*sizeof(int), resulting in a heap buffer overflow. In this commit we replace for(i=0; i<=nGlyphs; ++i) by for(i=0; i < nGlyphs; ++i) so that only nGlyphs glyphs are read. This patch addresses CVE-2018-6358 (fixes libming#104).
The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap buffer overflow. This vulnerability is also affecting the master branch.

Reproduce:

$ listfdb heap-buffer-overflow-in-listfdb-poc-1.fdb

Output:

This may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file.

You can find the reproducer here.
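The off-by-one described in the commit message and in the issue report, as an added example that is not libming's code: a constructed stand-in for an FDB glyph table (16-bit count followed by 16-bit glyph values, an assumed layout, not the real FDB format) is read once with the pre-fix loop bound `i <= nGlyphs` through an instrumented store that reports rather than performs the out-of-bounds write, and once with the corrected bound `i < nGlyphs` plus the input-length check a file parser also needs. The function names (`overflowing_writes_buggy`, `read_glyph_table`, `first_glyph`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for an FDB glyph table: a 16-bit little-endian glyph
 * count followed by nGlyphs 16-bit glyph values. This layout is an assumption
 * made for the demonstration; it is not libming's real FDB parser. */
static const unsigned char sample_fdb[] = {
    0x01, 0x00,   /* nGlyphs = 1 (the reproducer also carries a single glyph) */
    0x10, 0x00,   /* glyph[0] = 16 */
    0xAA, 0xBB    /* trailing bytes the off-by-one loop would read as glyph[1] */
};
static const size_t sample_fdb_len = sizeof sample_fdb;

static int read_u16le(const unsigned char *p) { return p[0] | (p[1] << 8); }

/* Instrumented store: refuses a write at idx >= cap and reports it, so the
 * buggy loop below can be exercised without actually corrupting the heap. */
static int store_glyph(int *arr, size_t cap, size_t idx, int value) {
    if (idx >= cap) return 1;    /* this write would land past the array */
    arr[idx] = value;
    return 0;
}

/* Mirrors the pre-fix loop `for (i = 0; i <= nGlyphs; ++i)`: returns how many
 * stores would fall outside an array sized for nGlyphs ints, or -1 if the
 * input is too short to read that many records at all. */
int overflowing_writes_buggy(const unsigned char *buf, size_t len) {
    if (len < 2) return -1;
    size_t nGlyphs = (size_t)read_u16le(buf);
    int *glyphs = calloc(nGlyphs ? nGlyphs : 1, sizeof *glyphs);
    if (!glyphs) return -1;
    int oob = 0;
    for (size_t i = 0; i <= nGlyphs; ++i) {          /* the off-by-one */
        size_t off = 2 + 2 * i;
        if (off + 2 > len) { free(glyphs); return -1; }
        oob += store_glyph(glyphs, nGlyphs, i, read_u16le(buf + off));
    }
    free(glyphs);
    return oob;
}

/* Corrected reader (loop bound `i < nGlyphs`, as in the fix) with a length
 * check against truncated files. On success *out receives a malloc'd array of
 * *count glyphs and 0 is returned; -1 means malformed or truncated input. */
int read_glyph_table(const unsigned char *buf, size_t len, int **out, size_t *count) {
    *out = NULL;
    *count = 0;
    if (len < 2) return -1;
    size_t nGlyphs = (size_t)read_u16le(buf);
    if (2 + 2 * nGlyphs > len) return -1;            /* table truncated */
    int *glyphs = calloc(nGlyphs ? nGlyphs : 1, sizeof *glyphs);
    if (!glyphs) return -1;
    for (size_t i = 0; i < nGlyphs; ++i)             /* exactly nGlyphs reads */
        glyphs[i] = read_u16le(buf + 2 + 2 * i);
    *out = glyphs;
    *count = nGlyphs;
    return 0;
}

/* Convenience wrapper: value of glyph[0] via the fixed reader, or -1 on error. */
int first_glyph(const unsigned char *buf, size_t len) {
    int *g = NULL;
    size_t n = 0;
    if (read_glyph_table(buf, len, &g, &n) != 0 || n == 0) return -1;
    int v = g[0];
    free(g);
    return v;
}

int main(void) {
    printf("buggy loop: %d out-of-bounds store(s) for a 1-glyph table\n",
           overflowing_writes_buggy(sample_fdb, sample_fdb_len));
    printf("fixed reader: glyph[0] = %d\n", first_glyph(sample_fdb, sample_fdb_len));
    printf("fixed reader on truncated input: %d\n", first_glyph(sample_fdb, 3));
    return 0;
}
```

With the one-glyph sample the buggy loop reports exactly one store beyond the array, which is the write the commit message describes; the fixed reader returns the single glyph and rejects a buffer cut short of the declared table, a case the loop-bound fix alone does not cover.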