StringUtils_createStringFromBuffer's second argument is size, which is a signed integer. If an attacker supplies a negative number like -1, StringUtils_createStringFromBuffer will try to allocate a very large buffer of size 0xffffffff on a 32-bit arch or 0xffffffffffffffff on a 64-bit arch. Most of the time the allocation will fail, and memcpy will then hit a segmentation fault.
Thanks for the bug report! Actually, the caller has to provide valid arguments. The wrong value was caused by missing length validity checks in MmsValue_decodeMmsData. This is fixed with 6c53924.
I will also add a check for allocation failure in StringUtils_createStringFromBuffer.
poc:
poc.zip
gdb results:
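As an added illustration of the pattern discussed in this issue (example code written for this page, not libiec61850's own code): a hypothetical createStringFromBuffer in the unchecked shape the report describes, a hardened version that validates the signed length and checks the malloc result, and a decoder-side caller that feeds it a length read from the wire. The function names, the 4-byte big-endian length format, the sample messages and MAX_STRING_SIZE are all assumptions for this example, not the project's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed application upper bound for a decoded string; not a project value. */
#define MAX_STRING_SIZE (64u * 1024u)

/*
 * Unchecked shape (illustration only; never called with untrusted input here).
 * A signed `size` flows straight into malloc and memcpy. For size == -2 or
 * smaller, (size_t)size + 1 is a huge request, malloc returns NULL and memcpy
 * writes through NULL. For size == -1, (size_t)size + 1 wraps to 0, malloc
 * hands back a zero-length block and memcpy copies SIZE_MAX bytes into it.
 */
char *createStringFromBuffer_unchecked(const uint8_t *buf, int size)
{
    char *str = (char *)malloc((size_t)size + 1);
    memcpy(str, buf, (size_t)size);
    str[size] = '\0';
    return str;
}

/* Length is acceptable only if it is non-negative, does not exceed the bytes
 * actually present in the input, and stays below the application bound. */
static bool sizeIsValid(int size, size_t available)
{
    if (size < 0)
        return false;
    if ((size_t)size > available)
        return false;
    if ((size_t)size > MAX_STRING_SIZE)
        return false;
    return true;
}

/* Hardened version: validates the length and reports allocation failure
 * instead of dereferencing a NULL pointer. */
static char *createStringFromBuffer_checked(const uint8_t *buf, int size, size_t available)
{
    if (!sizeIsValid(size, available))
        return NULL;

    char *str = (char *)malloc((size_t)size + 1);
    if (str == NULL)
        return NULL;

    memcpy(str, buf, (size_t)size);
    str[size] = '\0';
    return str;
}

/*
 * Decoder-side caller. Constructed wire format for this example (not the MMS
 * encoding): a 4-byte big-endian length followed by that many string bytes.
 * This is the layer where the length has to be validated before it reaches
 * the string constructor.
 */
static char *decodeString(const uint8_t *msg, size_t msgLen)
{
    if (msgLen < 4)
        return NULL;

    uint32_t raw = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    int size = (int)raw;    /* 0xffffffff becomes -1 on two's-complement targets */

    return createStringFromBuffer_checked(msg + 4, size, msgLen - 4);
}

int main(void)
{
    /* Constructed inputs: a well-formed message and one carrying length 0xffffffff. */
    const uint8_t good[] = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[]  = {0xff, 0xff, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};

    char *s = decodeString(good, sizeof good);
    printf("good: %s\n", s ? s : "(rejected)");
    free(s);

    s = decodeString(bad, sizeof bad);
    printf("bad:  %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The check against `available` matters as much as the sign check: a positive length larger than the remaining message would otherwise read past the end of the receive buffer even though malloc succeeds.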