Public bug reported: Heap Out Of Bound Write
Similar bug to: https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1835461

However, this time it's the second strstr that fails and, as a consequence, it causes a more or less arbitrary OOB write.

    char *_blkx_begin = strstr(plist, blkx_begin); // this call returns a non-null value
    blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin; // however, list_end is not found. blkx_size is now underflowing
    blkx = (char *)malloc(blkx_size + 1);
    memcpy(blkx, _blkx_begin, blkx_size); // and memcpy writes far too many bytes

    apt-get source dmg2img
    cd dmg2img-1.6.7/
    make
    ./dmg2img ../crash

** Affects: dmg2img (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "dmg2img_arbitrary_OOB_write.tar"
   https://bugs.launchpad.net/bugs/1854230/+attachment/5308310/+files/dmg2img_arbitrary_OOB_write.tar

https://bugs.launchpad.net/bugs/1854230

Title:
  integer underflow causes OOB write
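Added example (not dmg2img's code and not part of the original report): the same begin/end marker extraction with both strstr results checked before the length is computed, so a missing end marker is rejected instead of turning into a huge copy length. The function name, the marker strings and the sample inputs are assumptions constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy the text from the first `begin` marker up to
 * the next `end` marker into a new NUL-terminated buffer. Returns NULL if
 * either marker is missing or allocation fails; *out_len gets the length. */
char *extract_section(const char *plist, const char *begin,
                      const char *end, size_t *out_len)
{
    const char *start, *stop;
    size_t len;
    char *buf;

    if (plist == NULL || begin == NULL || end == NULL || out_len == NULL)
        return NULL;

    start = strstr(plist, begin);
    if (start == NULL)              /* first marker missing */
        return NULL;

    stop = strstr(start, end);
    if (stop == NULL)               /* second marker missing: the reported case */
        return NULL;

    /* The search began at start, so stop >= start and the difference
     * cannot be negative. */
    len = (size_t)(stop - start);
    buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, start, len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

/* Constructed sample inputs (not taken from the attached crash file). */
static const char GOOD_PLIST[] = "<dict><key>blkx</key><array>DATA</array></dict>";
static const char TRUNCATED_PLIST[] = "<dict><key>blkx</key><array>DATA";

int main(void)
{
    size_t n = 0;
    char *ok = extract_section(GOOD_PLIST, "<key>blkx</key>", "</array>", &n);
    char *bad = extract_section(TRUNCATED_PLIST, "<key>blkx</key>", "</array>", &n);
    int rc = (ok != NULL && bad == NULL) ? 0 : 1;
    free(ok);
    free(bad);
    return rc;
}
```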
