Package: crafty
Version: 23.4
Severity: normal

Dear Maintainer,

There appears to be a potential integer overflow in tbdecode.h. Starting at line 647:

    (647) if (fread(temp, 1, HEADER_SIZE, fd) != HEADER_SIZE)
    ...
    (651) ptr = temp;
    (652) # define R4(i) \
    (653)   ((ptr[i] << 24) + (ptr[(i) + 1] << 16) + (ptr[(i) + 2] << 8) + (ptr[(i) + 3]))
    ...
    (661) n_blk = R4(72)
    ...
    (683) n = sizeof(unsigned) * (1+n_blk)
    ...
    (686) blk = (unsigned *)malloc(n);

temp is read from an external source. ptr has the same value as temp, and n_blk is the result of R4(72). Thus an arbitrary value of temp can make n_blk a large number, which can cause an integer overflow in line 683. When memory is allocated in line 686, the value may then not be the one intended.

-- System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
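The size computation described in the report, as an added example that is not part of the crafty source or of the original report: it decodes the block count the same way R4(72) does, shows the wraparound when the product of line 683 lands in a 32-bit unsigned, and rejects the header before malloc. HEADER_SIZE, the MAX_BLOCKS cap and the two sample headers are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define HEADER_SIZE 80         /* assumed for this example; use the real constant from tbdecode.h */
#define N_BLK_OFFSET 72        /* offset decoded by R4(72) in the report */
#define MAX_BLOCKS (1u << 20)  /* assumed sanity cap; derive the real one from the file format */

/* Big-endian 32-bit read, the layout R4() decodes, but in a fixed-width unsigned type
 * so the shifts cannot overflow a signed int. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Models line 683 when the result is stored in a 32-bit unsigned: the product wraps silently. */
static uint32_t naive_table_bytes32(uint32_t n_blk) {
    return (uint32_t)(sizeof(unsigned) * (1u + n_blk));
}

/* Hardened replacement: returns 0 on overflow or on an implausible block count. */
static size_t checked_table_bytes(uint32_t n_blk) {
    if (n_blk > MAX_BLOCKS) return 0;
    size_t count = (size_t)n_blk + 1;                  /* cannot wrap: n_blk <= MAX_BLOCKS */
    if (count > SIZE_MAX / sizeof(unsigned)) return 0;
    return count * sizeof(unsigned);
}

/* Validates the header field and allocates the block table; NULL means reject the file. */
static unsigned *alloc_block_table(const unsigned char *hdr, size_t *out_n_blk) {
    uint32_t n_blk = read_be32(hdr + N_BLK_OFFSET);
    size_t n = checked_table_bytes(n_blk);
    if (n == 0) return NULL;
    if (out_n_blk) *out_n_blk = n_blk;
    return (unsigned *)calloc(1, n);
}

/* Constructed sample headers (not real tablebase data); only bytes 72..75 are meaningful here. */
static const unsigned char HEADER_HOSTILE[HEADER_SIZE] = { [72] = 0x3F, [73] = 0xFF, [74] = 0xFF, [75] = 0xFF };
static const unsigned char HEADER_SANE[HEADER_SIZE]    = { [72] = 0x00, [73] = 0x00, [74] = 0x00, [75] = 0x0A };

int main(void) {
    size_t n_blk = 0;
    unsigned *blk = alloc_block_table(HEADER_HOSTILE, &n_blk);
    printf("hostile header: naive size %u bytes, checked alloc %s\n",
           (unsigned)naive_table_bytes32(0x3FFFFFFFu), blk ? "accepted" : "rejected");
    free(blk);
    blk = alloc_block_table(HEADER_SANE, &n_blk);
    printf("sane header: n_blk=%zu, table %s\n", n_blk, blk ? "allocated" : "rejected");
    free(blk);
    return 0;
}
```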