Hi,
It seems that there exists an integer overflow vulnerability in crrcsim. When a victim runs crrcsim with a malicious rgb file, arbitrary code may be executed in the victim's system.
unsigned char *read_rgbimage(const char *name, ...) {
    ...
    if (inputshort == 0x01da) {
        ...
        if (inputchar == 0) {
            ...
            if (inputshort == 3) {
                inputshort = getshort(imagein); // may become an arbitrarily large number
                w = inputshort;
                inputshort = getshort(imagein); // may become an arbitrarily large number
                h = inputshort;
                image = (unsigned char*)malloc(w * h * 4 * sizeof(unsigned char)); // unintended small size due to integer overflow
                temp = (unsigned char*)malloc(w * h * sizeof(unsigned char)); // unintended small size due to integer overflow
                ...
            }
            ...
        }
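To make the failure mode concrete, here is an added example (my own code, not crrcsim's) that reproduces the wrapped size computation in 32-bit arithmetic next to a hardened allocation path. The hardened path rejects dimensions above a hypothetical sanity cap (MAX_IMAGE_DIM is an assumption, not a value from crrcsim) and uses the GCC/Clang __builtin_mul_overflow builtin so that w * h * channels can never silently wrap before reaching malloc().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on width/height (assumption, not from crrcsim). */
#define MAX_IMAGE_DIM 16384u

/* Mirrors the report's w * h * 4 arithmetic in 32-bit unsigned math so the
 * wraparound is observable. Returns the (possibly wrapped) byte count. */
uint32_t unchecked_rgb_size(uint16_t w, uint16_t h, uint32_t channels)
{
    return (uint32_t)w * (uint32_t)h * channels;
}

/* Hardened size computation: every multiplication is overflow-checked.
 * On success stores the byte count in *out and returns true; returns
 * false if the product does not fit in size_t. */
bool checked_rgb_size(uint32_t w, uint32_t h, uint32_t channels, size_t *out)
{
    size_t pixels, bytes;
    if (__builtin_mul_overflow((size_t)w, (size_t)h, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (size_t)channels, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Allocation wrapper a parser would call instead of a bare malloc():
 * refuses zero or oversized dimensions, then allocates the checked size.
 * Returns NULL on any rejection or allocation failure. */
unsigned char *alloc_image_buffer(uint32_t w, uint32_t h, uint32_t channels)
{
    if (w == 0 || h == 0 || w > MAX_IMAGE_DIM || h > MAX_IMAGE_DIM)
        return NULL;
    size_t bytes;
    if (!checked_rgb_size(w, h, channels, &bytes))
        return NULL;
    return (unsigned char *)malloc(bytes);
}

int main(void)
{
    /* Constructed header values: 0x8000 x 0x8000 x 4 channels = 2^32 bytes,
     * which wraps to 0 in 32-bit arithmetic, as in the report. */
    uint16_t w = 0x8000, h = 0x8000;
    printf("unchecked size for %u x %u x 4: %u bytes\n",
           w, h, unchecked_rgb_size(w, h, 4));

    unsigned char *buf = alloc_image_buffer(w, h, 4);
    printf("hardened allocation: %s\n", buf ? "accepted" : "rejected");
    free(buf);

    /* A legitimate small image still allocates normally. */
    buf = alloc_image_buffer(64, 64, 4);
    printf("64 x 64 x 4: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The dimension cap and the overflow-checked multiply guard different things: the cap bounds memory use against hostile-but-non-wrapping headers, while __builtin_mul_overflow catches the wrap itself regardless of the cap chosen.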