Under certain circumstances, an off-by-one heap overflow can occur in the
command_retr function, in the loop
while ((i = read(phile, buffer, my_buffer_size))): under certain circumstances
read can return -1.
In this case, the while condition evaluates as true, because in the C programming language all non-zero values are considered true.
As a result, an off-by-one out-of-bounds write into heap memory is triggered when buffer[-1] = '\0' is executed.
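The failure mode above and a checked version of the loop, as an added example that is not code from the affected project. The function names, the buffer[i] = '\0' form of the terminating write, and the +1 allocation are assumptions made for illustration; the bad descriptor is a constructed input.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Evaluates the advisory's loop condition once, without running the body.
 * Returns 1 if the body would run; *index_out is the value of i it would use. */
int unchecked_condition(int fd, size_t chunk_size, ssize_t *index_out)
{
    char *buffer = malloc(chunk_size + 1);
    ssize_t i;
    int entered;
    if (!buffer) return 0;
    entered = (i = read(fd, buffer, chunk_size)) ? 1 : 0; /* -1 is "true" */
    *index_out = i;
    free(buffer);
    return entered;
}

/* Hardened loop (hypothetical helper): only a positive count reaches the
 * NUL-terminating write. Returns total bytes read, or -1 on a read error. */
ssize_t drain_fd_checked(int fd, size_t chunk_size)
{
    char *buffer = malloc(chunk_size + 1); /* +1 leaves room for '\0' */
    ssize_t i, total = 0;
    if (!buffer) return -1;
    for (;;) {
        i = read(fd, buffer, chunk_size);
        if (i > 0) { buffer[i] = '\0'; total += i; continue; }
        if (i == 0) break;                 /* end of file */
        if (errno == EINTR) continue;      /* interrupted: retry */
        total = -1;                        /* real error: stop, no write */
        break;
    }
    free(buffer);
    return total;
}

int main(void)
{
    ssize_t idx = 0;
    int entered = unchecked_condition(-1, 16, &idx); /* constructed bad fd */
    printf("unchecked: body runs=%d, index=%zd\n", entered, idx);
    printf("checked:   result=%zd\n", drain_fd_checked(-1, 16));
    return 0;
}
```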
This is a medium-low severity vulnerability.
Its impact is heap memory corruption with a single NUL byte.
This report was subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com. Please include the
GHSL-YEAR-ID in any communication regarding this issue.