Multiple int-to-bool casting vulnerabilities, leading to heap overflow
Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function in
while ((i = read(phile, buffer, my_buffer_size))), but under certain circumstances read can return -1.
In this case, the problem is that the while condition will be evaluated as true because in the C programming language all non-zero values are considered true. As a result, an off-by-one out-of-bounds write into heap memory will be triggered when buffer[-1] = '\0' is executed.
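The loop condition described above, next to a checked form, as an added example that is not code from the original advisory or from the vendor. It assumes the loop body NUL-terminates with buffer[i] = '\0' (consistent with the buffer[-1] write described), and it puts a constructed guard byte in front of the buffer so the stray write stays inside one allocation and can be observed; guard_clobbered and guard_clobbered_on_pipe are hypothetical names.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define GUARD 0xAA  /* constructed marker for the byte just before buffer */

/* One run of the read loop over phile. checked=0 keeps the truthiness test
 * quoted in the advisory, checked=1 tests "> 0". Returns 1 if the byte
 * before buffer was overwritten, 0 if intact, -1 if malloc failed. */
int guard_clobbered(int phile, size_t my_buffer_size, int checked)
{
    unsigned char *base = malloc(my_buffer_size + 2);
    if (base == NULL)
        return -1;
    base[0] = GUARD;                 /* stands in for adjacent heap data */
    char *buffer = (char *)base + 1; /* buffer[-1] is base[0], in bounds */
    ssize_t i;
    if (checked) {
        while ((i = read(phile, buffer, my_buffer_size)) > 0)
            buffer[i] = '\0';
    } else {
        while ((i = read(phile, buffer, my_buffer_size))) {
            buffer[i] = '\0';        /* i == -1: writes buffer[-1] */
            if (i < 0)
                break;               /* demo only: stop after the error */
        }
    }
    int hit = (base[0] != GUARD);
    free(base);
    return hit;
}

/* Same check against a pipe holding "data" (constructed input), so the
 * normal path runs to EOF. Returns guard_clobbered()'s result. */
int guard_clobbered_on_pipe(int checked)
{
    int p[2];
    if (pipe(p) != 0 || write(p[1], "data", 4) != 4)
        return -1;
    close(p[1]);
    int hit = guard_clobbered(p[0], 16, checked);
    close(p[0]);
    return hit;
}

int main(void)
{
    return guard_clobbered(-1, 16, 1) != 0 || guard_clobbered(-1, 16, 0) != 1;
}
```

Passing -1 as the descriptor makes read fail with EBADF, which is the simplest way to reach the -1 return; on a healthy descriptor both forms behave the same.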
This is a medium-low severity vulnerability.
Heap memory corruption with a single nul byte.
Coordinated Disclosure Timeline
This report was subject to our coordinated disclosure policy.
- 01/09/2020: Report sent to Vendor
- 01/09/2020: Vendor acknowledged report
- 01/10/2020: Vendor published fix
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at firstname.lastname@example.org. Please include the GHSL-YEAR-ID in any communication regarding this issue.