Comment 1 for bug 1872560

Seong-Joong Kim (sungjungk) wrote : Re: heap-based buffer overflow in bson.c

It seems that this vulnerability was originally caused by a 'bytesNeeded' integer overflow in bson_ensure_space().
The sum of 'len' and 'dataSize', which both have the type 'uint32_t', can be assigned to 'bytesNeeded' (see https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n670).
Even though a series of exception handling routines for overflow of 'len' and 'dataSize' was already applied, the flaw lies in improper exception handling of overflow in 'bytesNeeded'.
I think it would be better to replace the data type of 'bytesNeeded' from 'uint32_t' to 'size_t'.
Please check the attached patch.
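The following constructed example illustrates the class of bug described in the comment above; it is not whoopsie's bson.c and not the attached patch. The names ensure_space_flawed and ensure_space_checked, and the sample sizes, are assumptions chosen for illustration. One caveat worth keeping in mind when reviewing a fix: merely storing the result in a size_t does not help if the addition itself is still performed in uint32_t, because the operands are added at 32 bits before the widening assignment, and on a 32-bit target size_t is itself 32 bits. The portable fix is an explicit overflow check before the addition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not the project's code): models a capacity check of
 * the form "do len + dataSize bytes fit in the buffer?".
 *
 * Flawed variant: the two uint32_t operands are added in 32-bit arithmetic,
 * so the sum wraps modulo 2^32. A very large dataSize therefore produces a
 * tiny bytesNeeded, the check passes, and a later copy of dataSize bytes
 * would write past the end of the heap buffer.
 */
bool ensure_space_flawed(uint32_t bufSize, uint32_t len, uint32_t dataSize)
{
    uint32_t bytesNeeded = len + dataSize;   /* wraps silently on overflow */
    return bytesNeeded <= bufSize;           /* true after a wrap */
}

/*
 * Checked variant: reject the request if the addition cannot be represented,
 * then add. This is correct on 32-bit and 64-bit targets alike, because the
 * check is done before any arithmetic that could wrap.
 */
bool ensure_space_checked(uint32_t bufSize, uint32_t len, uint32_t dataSize)
{
    if (dataSize > UINT32_MAX - len)         /* len + dataSize would overflow */
        return false;
    uint32_t bytesNeeded = len + dataSize;   /* now provably no wrap */
    return bytesNeeded <= bufSize;
}

/* Returns the wrapped 32-bit sum so the effect of the overflow is visible. */
uint32_t wrapped_sum(uint32_t len, uint32_t dataSize)
{
    return len + dataSize;
}

int main(void)
{
    /* Constructed sample: a 1 KiB buffer, 100 bytes already used. */
    const uint32_t bufSize = 1024, len = 100;
    const uint32_t normal = 200;               /* fits */
    const uint32_t huge = UINT32_MAX - 50;     /* wraps: 100 + huge == 49 */

    printf("normal: flawed=%d checked=%d\n",
           ensure_space_flawed(bufSize, len, normal),
           ensure_space_checked(bufSize, len, normal));
    printf("huge:   wrapped sum=%u flawed=%d checked=%d\n",
           wrapped_sum(len, huge),
           ensure_space_flawed(bufSize, len, huge),
           ensure_space_checked(bufSize, len, huge));
    return 0;
}
```

The flawed check accepts the oversized request because the wrapped sum (49) is below the buffer size, while the checked variant rejects it before any arithmetic is done; a reviewer applying the proposed size_t change should confirm that the operands are widened before the addition, or that an explicit check like the one above is present, rather than relying on the type of the destination variable alone.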