integer underflow causes OOB write

Bug #1854230 reported by Bugs SysSec
Affects            Status   Importance   Assigned to   Milestone
dmg2img (Ubuntu)   New      Undecided    Unassigned

Bug Description

Heap out-of-bounds write

Similar bug to: https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1835461
However, this time it's the second strstr that fails, and as a consequence it causes a more or less arbitrary OOB write.

    char *_blkx_begin = strstr(plist, blkx_begin); // this call returns a non-null value
    blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin; // however, list_end is not found; blkx_size is now underflowing
    blkx = (char *)malloc(blkx_size + 1);
    memcpy(blkx, _blkx_begin, blkx_size); // and memcpy writes far too many bytes

apt-get source dmg2img
cd dmg2img-1.6.7/
make
./dmg2img ../crash
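For reference, this is what the marker search looks like once both strstr results are checked before the pointer difference is taken. It is an added example for this report, not dmg2img's own code or a proposed patch: the marker strings, the function names and the sample plist fragments are assumed/constructed for the demonstration. The point it shows is that the subtraction can only be performed after both pointers are known to be non-null, and that the second search starting at the first match guarantees end >= begin, so the difference can never go negative or wrap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marker strings: assumed values for this added example (dmg2img defines its own). */
static const char BLKX_BEGIN[] = "<key>blkx</key>";
static const char LIST_END[]   = "</array>";

/*
 * Checked replacement for the strstr/strstr/malloc/memcpy sequence quoted in the
 * bug description.  Returns a NUL-terminated heap copy of the blkx block and
 * stores its length in *out_len, or returns NULL when either marker is missing
 * (including the case where LIST_END only occurs before BLKX_BEGIN).  A missing
 * terminator therefore never becomes a wrapped size and an out-of-bounds memcpy.
 */
char *extract_blkx(const char *plist, size_t *out_len)
{
    if (plist == NULL)
        return NULL;

    const char *begin = strstr(plist, BLKX_BEGIN);
    if (begin == NULL)
        return NULL;                    /* first strstr failed: nothing to copy */

    /* Search for the terminator only in the remainder after the first match. */
    const char *end = strstr(begin, LIST_END);
    if (end == NULL)
        return NULL;                    /* second strstr failed: the reported case */

    /* end was found at or after begin, so the difference is non-negative. */
    size_t size = (size_t)(end - begin);

    char *blkx = malloc(size + 1);
    if (blkx == NULL)
        return NULL;
    memcpy(blkx, begin, size);
    blkx[size] = '\0';
    if (out_len != NULL)
        *out_len = size;
    return blkx;
}

/* Helper: length of the extracted block, or -1 when extraction is refused. */
long blkx_len(const char *plist)
{
    size_t n = 0;
    char *b = extract_blkx(plist, &n);
    if (b == NULL)
        return -1;
    free(b);
    return (long)n;
}

/* Helper: 1 when the extracted block equals expected, 0 otherwise. */
int blkx_matches(const char *plist, const char *expected)
{
    char *b = extract_blkx(plist, NULL);
    if (b == NULL)
        return 0;
    int ok = strcmp(b, expected) == 0;
    free(b);
    return ok;
}

int main(void)
{
    /* Constructed plist fragments: well-formed, missing terminator, missing key,
       and terminator occurring only before the key. */
    const char *samples[] = {
        "<dict><key>blkx</key><array>abc</array></dict>",
        "<dict><key>blkx</key><array>abc",
        "<dict><array>abc</array>",
        "</array><key>blkx</key>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = blkx_len(samples[i]);
        if (n < 0)
            printf("sample %zu: refused (marker missing)\n", i);
        else
            printf("sample %zu: blkx block of %ld bytes\n", i, n);
    }
    return 0;
}
```

When reproducing the original report, building dmg2img with -fsanitize=address -g makes the memcpy fault at the first out-of-bounds byte instead of wherever the heap happens to give way, which makes the size reported for the write easy to read off.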
