
[Bug]: Security Vulnerability - Action Required: Heap-based Buffer Overflow vulnerability may be in your project

Open Crispy-fried-chicken opened this issue 1 year ago • 0 comments

Detailed steps on how to reproduce the bug

Hi there, we have detected that your project may be vulnerable to a Heap-based Buffer Overflow. It shares similarities with a recent CVE disclosure, CVE-2023-6992, in https://github.com/freeswitch/sofia-sip. The affected file and functions are as follows:

  1. deflate_stored(deflate_state *s, int flush) in the file [modules/juce_core/zip/zlib/deflate.c](https://github.com/cloudflare/zlib)

The source vulnerability information is as follows:

Vulnerability Detail:

CVE Identifier: CVE-2023-6992

Description: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.

Patches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c. The upstream repository is not affected.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-6992

Patch: https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

The reproduction steps may be similar to CVE-2023-6992

What is the expected behaviour?

The behaviour may be similar to CVE-2023-6992

Operating systems

Linux

What versions of the operating systems?

ubuntu 18.04

Architectures

x86_64, 64-bit

Stacktrace

No response

Plug-in formats (if applicable)

No response

Plug-in host applications (DAWs) (if applicable)

No response

Testing on the develop branch

The bug is present on the develop branch

Code of Conduct

  • [X] I agree to follow the Code of Conduct

Crispy-fried-chicken, Sep 07 '24 11:09