Stb_vorbis is a single-file, MIT-licensed library for processing Ogg Vorbis files. Similarly, if `len` is `INT_MAX`, the integer overflow `len+1` happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1))` and `f->comment_list = (char*)setup_malloc(f, sizeof(char) * (len+1))`. The root cause is that `len`, read in `start_decoder`, may be a negative number: `setup_malloc` successfully allocates memory in that case, but the memory write is done with the negative index `len`. A crafted file may trigger an out-of-bounds write in `f->vendor[len] = (char)'\0'`. Since there is another integer overflow, an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable.

*This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (``) is enabled.* This vulnerability affects Firefox comment_list_length)` which may make `setup_malloc` allocate less memory than required.

In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory.

Integer overflow in USB in Google Chrome prior to 1.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.