Hi,
we found, by using fuzzing, that `cmsIT8SaveToMem` could suffer from an off-by-one problem.
In the documentation, it restricts that the third argument of `cmsIT8SaveToMem` should follow this:
> bytesNeeded: Points to a user-allocated cmsUInt32Number which will receive the needed memory size in bytes.
Which means the number stored in `bytesNeeded` should be less than or equal to the buffer size of `MemPtr`.
However, if the number stored in `bytesNeeded` is equal to the size of `MemPtr`, the off-by-one will happen.
```c
for (i=0; i < it8 ->TablesCount; i++) {
    cmsIT8SetTable(hIT8, i);
    WriteHeader(it8, &sd);
    WriteDataFormat(&sd, it8);
    WriteData(&sd, it8);
}
sd.Used++; // The \0 at the very end
if (sd.Base)
    *sd.Ptr = 0; // <- off-by-one
```
Let's just assume the size of `MemPtr` is 0x20 and the number stored in `bytesNeeded` is 0x20 too. After the `for` loop, `sd.Ptr` will point to the `MemPtr + 0x20` location, then a 0 byte will be written out of the bounds of `MemPtr`.
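As an added example (not the reporter's code and not Little-CMS's own), here is a minimal C model of the save stream that shows the hardened form of the final write: the terminator is counted before the write is attempted, so a buffer of exactly `bytesNeeded - 1` bytes is refused instead of overrun. The struct fields (`Base`, `Ptr`, `Used`, `Max`), `write_bytes` and the `try_save` helper are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal model of the save stream behind cmsIT8SaveToMem; field names
   follow the report (Base, Ptr, Used, Max) but this is not lcms2's code. */
typedef struct {
    uint8_t *Base;  /* caller's buffer, NULL when only computing the size */
    uint8_t *Ptr;   /* next write position inside Base */
    size_t   Used;  /* bytes the output needs so far */
    size_t   Max;   /* capacity of Base */
} SaveStream;
/* Append len bytes only while they fit; Used is always accounted so that
   a too-small buffer still yields the true size needed. */
static void write_bytes(SaveStream *sd, const char *s, size_t len) {
    if (sd->Base && sd->Used + len <= sd->Max) {
        memcpy(sd->Ptr, s, len);
        sd->Ptr += len;
    }
    sd->Used += len;
}
/* Hardened save: counts the terminator before deciding whether it fits.
   Returns 1 on success, 0 if mem is too small; *bytes_needed always gets
   the size including the trailing NUL. */
int save_to_mem(const char *body, void *mem, size_t mem_size,
                size_t *bytes_needed) {
    SaveStream sd = { mem, mem, 0, mem ? mem_size : 0 };
    write_bytes(&sd, body, strlen(body));
    sd.Used++;                       /* the \0 at the very end */
    *bytes_needed = sd.Used;
    if (!sd.Base) return 1;          /* size query only */
    if (sd.Used > sd.Max) return 0;  /* Used == Max + 1: the report's case */
    *sd.Ptr = 0;                     /* Ptr <= Base + Max - 1: in bounds */
    return 1;
}
/* Constructed 32-byte payload: a 0x20-byte buffer is exactly the report's
   off-by-one case; 0x21 bytes is the smallest correct allocation. */
static const char kBody[] = "0123456789abcdef0123456789abcdef";
/* Saves kBody into buf_size heap bytes (0 = size query only). Returns the
   size reported on success, -1 when the hardened save refuses to write. */
long try_save(size_t buf_size) {
    size_t need = 0;
    if (buf_size == 0) { save_to_mem(kBody, NULL, 0, &need); return (long)need; }
    uint8_t *buf = malloc(buf_size);
    int ok = save_to_mem(kBody, buf, buf_size, &need);
    if (ok && (buf[need - 1] != 0 || memcmp(buf, kBody, need - 1) != 0)) ok = 0;
    free(buf);
    return ok ? (long)need : -1;
}
```

The correct calling pattern is the two-phase one: call with a NULL buffer to learn the size, allocate exactly that many bytes, then call again.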