integer underflow causes OOB write
Bug #1854230 reported by Bugs SysSec
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dmg2img (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Heap Out Of Bound Write
Similar bug to: https:/
However, this time it's the second strstr that fails and, as a consequence, it causes a more or less arbitrary OOB write.
char *_blkx_begin = strstr(plist, blkx_begin); // this call returns a non-NULL value
blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin; // however, list_end is not found; blkx_size is now underflowing
blkx = (char *)malloc(blkx_size + 1);
memcpy(blkx, _blkx_begin, blkx_size); // and memcpy writes far too many bytes
apt-get source dmg2img
cd dmg2img-1.6.7/
make
./dmg2img ../crash
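A checked version of the span extraction described in this report, as an added example that is neither dmg2img code nor the reporter's. The helper name `extract_span` and the `<begin>`/`<end>` tags are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not dmg2img code): copy the span that starts at
 * begin_tag and stops just before the first end_tag after it. Returns a
 * malloc'd NUL-terminated copy, or NULL when either marker is missing or
 * allocation fails. *out_len (optional) receives the span length. */
char *extract_span(const char *plist, const char *begin_tag,
                   const char *end_tag, size_t *out_len)
{
    const char *begin, *end;
    size_t len;
    char *copy;

    if (out_len) *out_len = 0;
    if (!plist || !begin_tag || !end_tag) return NULL;

    begin = strstr(plist, begin_tag);
    if (!begin) return NULL;

    /* The check missing in the reported code: if the end marker is
     * absent, subtracting from NULL yields a bogus size for memcpy. */
    end = strstr(begin, end_tag);
    if (!end) return NULL;

    len = (size_t)(end - begin);  /* end >= begin here, so no wrap-around */
    copy = malloc(len + 1);
    if (!copy) return NULL;

    memcpy(copy, begin, len);
    copy[len] = '\0';             /* terminate the copied span */
    if (out_len) *out_len = len;
    return copy;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with the end tag cut off. */
    const char *inputs[] = { "hdr<begin>payload<end>tail", "hdr<begin>payload" };
    for (size_t i = 0; i < 2; i++) {
        size_t n;
        char *s = extract_span(inputs[i], "<begin>", "<end>", &n);
        printf("input %zu: %s (len %zu)\n", i, s ? s : "(rejected)", n);
        free(s);
    }
    return 0;
}
```
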