foo2zjs

Potential Integer Overflow vulnerability in foo2oak.c

Open KSB21ST opened this issue 4 years ago • 0 comments

Hi, it seems that there exists a potential integer underflow. Please find the following description:

  1. rawW can be an arbitrary number
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1636
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1639
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1750

  2. This can cause underflow and w will not be the intended value
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1759

  3. Calls pgm_page(buf, w, h, ofp); without checking w
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1772

  4. Calls pgm_subplanes(subplane, raw, w, h); without checking w
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L1136

  5. Call to memset with the small integer can cause a memory allocation with an underflowed size
     https://github.com/koenkooi/foo2zjs/blob/e04290de6b7a30d588f3411fd9834618e09f7b9b/foo2oak.c#L675

KSB21ST, Aug 18 '21 05:08
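Added example, not part of the original issue and not foo2zjs code: one way to validate a header-supplied width before it reaches a length argument, next to the unchecked pattern the report describes. The function names, `MAX_DIM`, the clip margins and the one-byte-per-pixel layout are assumptions, since the issue does not show the arithmetic at the linked lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 65536L  /* hypothetical upper bound on page width/height */

/* Validate header-supplied dimensions before any buffer is sized from them.
 * clip_l/clip_r are assumed margins subtracted from the raw width; the
 * one-byte-per-pixel layout is also an assumption.
 * Returns 0 and fills *w, *nbytes on success; -1 if the input is rejected. */
int checked_plane_size(long raw_w, long raw_h, long clip_l, long clip_r,
                       int *w, size_t *nbytes)
{
    if (raw_w <= 0 || raw_h <= 0 || raw_w > MAX_DIM || raw_h > MAX_DIM)
        return -1;                       /* arbitrary header value */
    if (clip_l < 0 || clip_r < 0 || clip_r >= raw_w - clip_l)
        return -1;                       /* width would be <= 0 */
    long width = raw_w - clip_l - clip_r;           /* now >= 1 */
    if ((size_t)width > SIZE_MAX / (size_t)raw_h)
        return -1;                       /* width * height would wrap */
    *w = (int)width;
    *nbytes = (size_t)width * (size_t)raw_h;
    return 0;
}

/* The unchecked pattern, for contrast: a negative int used as a length. */
size_t unchecked_size(int raw_w, int clip_l, int clip_r)
{
    int w = raw_w - clip_l - clip_r;     /* may be negative */
    return (size_t)w;                    /* converts to a huge size_t */
}

int main(void)
{
    int w;
    size_t n;
    /* Constructed inputs: a plausible page, then a width below the margins. */
    long cases[][2] = { {4960, 7016}, {10, 100} };
    for (int i = 0; i < 2; i++) {
        if (checked_plane_size(cases[i][0], cases[i][1], 16, 16, &w, &n) == 0)
            printf("accepted: w=%d bytes=%zu\n", w, n);
        else
            printf("rejected: rawW=%ld rawH=%ld\n", cases[i][0], cases[i][1]);
    }
    printf("unchecked length for rawW=10: %zu\n", unchecked_size(10, 16, 16));
    return 0;
}
```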