Hi,
It seems that there exists an integer overflow vulnerability in crrcsim. When a victim runs crrcsim with a malicious rgb file, arbitrary code may be executed in the victim's system.
    unsigned char *read_rgbimage(const char *name, ...)
    {
        ...
        if (inputshort == 0x01da) {
            ...
            if (inputchar == 0) {
                ...
                if (inputshort == 3) {
                    inputshort = getshort(imagein); // may become an arbitrarily large number
                    w = inputshort;
                    inputshort = getshort(imagein); // may become an arbitrarily large number
                    h = inputshort;
                    image = (unsigned char*)malloc(w * h * 4 * sizeof(unsigned char)); // unintended small size due to integer overflow
                    temp = (unsigned char*)malloc(w * h * sizeof(unsigned char));      // unintended small size due to integer overflow
                    ...
                }
        ...
    }
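The allocation-size overflow above, as an added example that is not crrcsim's code: a hypothetical checked-size helper (checked_image_bytes, alloc_image_buffer are assumed names) that refuses the w*h*bpp allocation when the product would wrap or exceed a caller-chosen byte limit, next to the value the unchecked 32-bit arithmetic produces for a constructed 32768 x 32768 header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical hardened helper (not crrcsim's code): compute w*h*bpp without
 * wrapping and refuse anything above a caller-chosen policy limit in bytes.
 * Returns 1 and stores the byte count in *out on success, 0 otherwise. */
int checked_image_bytes(uint32_t w, uint32_t h, uint32_t bpp, size_t limit, size_t *out)
{
    size_t wh;
    if (w == 0 || h == 0 || bpp == 0)
        return 0;                  /* reject degenerate dimensions from the header */
    if ((size_t)w > limit / h)     /* w * h alone would exceed the limit */
        return 0;
    wh = (size_t)w * h;
    if (wh > limit / bpp)          /* w * h * bpp would exceed the limit */
        return 0;
    *out = wh * bpp;
    return 1;
}

/* The value the unchecked expression w * h * 4 takes in 32-bit unsigned
 * arithmetic (the signed variant in the advisory is undefined behaviour). */
uint32_t wrapped_image_bytes_u32(uint16_t w, uint16_t h)
{
    return (uint32_t)w * h * 4u;
}

/* Safe replacement for the two malloc calls: allocate only after the check. */
unsigned char *alloc_image_buffer(uint16_t w, uint16_t h, uint32_t bpp, size_t limit)
{
    size_t n;
    if (!checked_image_bytes(w, h, bpp, limit, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values: 32768 x 32768 gives w*h*4 == 2^32, wrapping to 0. */
    uint16_t w = 32768, h = 32768;
    size_t n;
    printf("unchecked 32-bit size: %u bytes\n", (unsigned)wrapped_image_bytes_u32(w, h));
    if (!checked_image_bytes(w, h, 4, (size_t)256 * 1024 * 1024, &n))
        puts("rejected: w*h*4 overflows or exceeds the 256 MiB limit");
    return 0;
}
```

With the checked helper the 32768 x 32768 header is rejected before any buffer exists, so the later image reads have no undersized allocation to write past.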