Out of bounds heap buffer write (GHSL-2023-171/CVE-2023-45681)
#1559
A crafted file may trigger a memory write past an allocated heap buffer in `start_decoder` at [1]. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` at [2], which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow at [1], an attacker may overflow it too to force `setup_malloc` to return `0` and make the exploit more reliable.

A similar potential vulnerability exists in other `setup_malloc` use cases, such as:

```c
f->codebooks = (Codebook *) setup_malloc(f, sizeof(*f->codebooks) * f->codebook_count);
c->codewords = (uint32 *) setup_malloc(f, sizeof(c->codewords[0]) * c->entries);
```
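The pattern behind all three call sites is the same: an attacker-controlled count is multiplied by an element size and the product is narrowed to the allocator's `int` size parameter, so a product of 2^32 bytes arrives as `0`. The following is an added example (not stb_vorbis code and not part of this PR) showing the overflow-checked form of that size computation next to the unchecked narrowing. `sized_malloc` and `alloc_comment_table` are hypothetical stand-ins for a `setup_malloc`-style allocator with an `int` size parameter and for the comment-list allocation at [2].

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked form: multiply in size_t, then narrow to the allocator's int.
 * Returns the value an int-sized allocator would actually receive. The
 * (uint32_t) cast makes the low-32-bit truncation explicit and portable. */
static int narrowed_size(int count, size_t elem_size)
{
    size_t bytes = elem_size * (size_t)count;
    return (int)(uint32_t)bytes;
}

/* Checked form: compute count * elem_size in a 64-bit unsigned type and
 * refuse anything that does not fit the int size parameter. Returns 1 and
 * stores the byte count in *out on success, 0 when the request is invalid. */
static int checked_alloc_size(int count, size_t elem_size, int *out)
{
    if (count < 0 || out == NULL)
        return 0;
    uint64_t bytes = (uint64_t)count * (uint64_t)elem_size;
    if (bytes > (uint64_t)INT_MAX)   /* would wrap when narrowed to int */
        return 0;
    *out = (int)bytes;
    return 1;
}

/* Hypothetical allocator with an int size parameter, like setup_malloc. */
static void *sized_malloc(int sz)
{
    if (sz <= 0)
        return NULL;
    return malloc((size_t)sz);
}

/* Allocate a table of `count` C-string pointers (the comment list shape),
 * returning NULL instead of an undersized buffer when the size overflows. */
static char **alloc_comment_table(int count)
{
    int bytes;
    if (!checked_alloc_size(count, sizeof(char *), &bytes))
        return NULL;
    return (char **)sized_malloc(bytes);
}

int main(void)
{
    /* Constructed count: 2^29 pointers of 8 bytes = 2^32 bytes exactly. */
    int huge = 0x20000000;
    printf("unchecked narrowed size for %d x 8: %d\n", huge, narrowed_size(huge, 8));
    char **table = alloc_comment_table(huge);
    printf("checked allocation for %d entries: %s\n", huge, table ? "granted" : "refused");
    free(table);
    table = alloc_comment_table(16);
    printf("checked allocation for 16 entries: %s\n", table ? "granted" : "refused");
    free(table);
    return 0;
}
```

The check is deliberately placed before the allocator call rather than inside it: once the size has been narrowed to `int`, the allocator can no longer tell a genuine small request from a wrapped one, so the only place the overflow is still observable is where the product is formed.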
Impact
This issue may lead to code execution.
Resources
To reproduce the issue: