Stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. The root cause is an integer overflow in `setup_malloc`. A crafted file may trigger an out-of-bounds write in `f->vendor = get8_packet(f)`. Similarly, if `len` is `INT_MAX`, the integer overflow `len+1` happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1))` and `f->comment_list = (char*)setup_malloc(f, sizeof(char) * (len+1))`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, the memory write is done with a negative index `len`. A crafted file may trigger an out-of-bounds write in `f->vendor = (char)'\0'`. Since there is another integer overflow, an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. `comment_list_length)` which may make `setup_malloc` allocate less memory than required.

*This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (``) is enabled.* This vulnerability affects Firefox. In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory.

Integer overflow in USB in Google Chrome prior to 1.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Integer overflow in Skia in Google Chrome prior to 1.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification, where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.