CVE-2021-40589: ZAngband / Bugs / #671 integer underflow bug
ZAngband zangband-data 2.7.5 is affected by an integer underflow vulnerability in src/tk/plat.c through the variable fileheader.bfOffBits.
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-08-30
Created: 2021-08-30
Private: No
In src/tk/plat.c, the variable fileheader.bfOffBits is tainted so that ncol can be overflowed. Then it is used as an argument to a memory allocation function.
```c
	/* Read the "BITMAPFILEHEADER" */
	rd_u16b(f, &(fileheader.bfType));
	rd_u32b(f, &(fileheader.bfSize));
	rd_u16b(f, &(fileheader.bfReserved1));
	rd_u16b(f, &(fileheader.bfReserved2));
	rd_u32b(f, &(fileheader.bfOffBits));

	/* Read the "BITMAPINFOHEADER" */
	rd_u32b(f, &(infoheader.biSize));
	rd_u32b(f, &(infoheader.biWidth));
	rd_u32b(f, &(infoheader.biHeight));
	rd_u16b(f, &(infoheader.biPlanes));
	rd_u16b(f, &(infoheader.biBitCount));
	rd_u32b(f, &(infoheader.biCompresion));
	rd_u32b(f, &(infoheader.biSizeImage));
	rd_u32b(f, &(infoheader.biXPelsPerMeter));
	rd_u32b(f, &(infoheader.biYPelsPerMeter));
	rd_u32b(f, &(infoheader.biClrUsed));
	rd_u32b(f, &(infoheader.biClrImportand));

	/* Verify the header */
	if (feof(f) ||
	    (fileheader.bfType != 19778) ||
	    (infoheader.biSize != 40))
	{
		quit_fmt("Incorrect BMP file format %s", Name);
	}

	/* The two headers above occupy 54 bytes total */
	/* The "bfOffBits" field says where the data starts */
	/* The "biClrUsed" field does not seem to be reliable */

	/* Compute number of colors recorded */
	/* bfOffBits comes straight from the file as an unsigned 32-bit value and is
	 * never checked against 54: any value below 54 wraps the subtraction and
	 * yields a huge ncol, which then sizes the allocation below. */
	ncol = (fileheader.bfOffBits - 54) / 4;

	if (ncol)
	{
		/* Create palette */
		C_MAKE(pal, ncol * 3, byte);
	}
```
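The wrap described in the ticket, as an added example that is not ZAngband's code and not part of the report: a 54-byte BMP header pair is constructed in memory with a chosen bfOffBits, parsed with the same magic/biSize verification the snippet performs, and then run through both the original `(bfOffBits - 54) / 4` computation and a checked version that rejects offsets inside the headers. The function names (`parse_bmp_headers`, `ncol_unchecked`, `ncol_checked`, `ncol_for_offset_*`) and the 256-entry palette cap are this example's own assumptions.

```c
/*
 * Added example, not ZAngband's code: reproduces the "(bfOffBits - 54) / 4"
 * computation from src/tk/plat.c on a constructed 54-byte header and shows a
 * checked version next to it. All names below are this example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_HEADERS_LEN 54u    /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */
#define BMP_MAX_PALETTE 256u   /* assumption: cap at the largest palette an 8-bpp BMP can hold */

struct bmp_hdr {
    uint16_t bfType;
    uint32_t bfSize;
    uint32_t bfOffBits;
    uint32_t biSize;
    uint16_t biBitCount;
    uint32_t biClrUsed;
};

/* Little-endian field readers, the buffer equivalent of rd_u16b / rd_u32b. */
static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same verification as the original (magic 'BM' == 19778, biSize == 40).
 * Returns 0 on success, -1 if the buffer is short or the check fails. */
static int parse_bmp_headers(const uint8_t *buf, size_t len, struct bmp_hdr *h) {
    if (len < BMP_HEADERS_LEN) return -1;
    h->bfType     = rd_u16le(buf + 0);
    h->bfSize     = rd_u32le(buf + 2);
    h->bfOffBits  = rd_u32le(buf + 10);
    h->biSize     = rd_u32le(buf + 14);
    h->biBitCount = rd_u16le(buf + 28);
    h->biClrUsed  = rd_u32le(buf + 46);
    if (h->bfType != 19778 || h->biSize != 40) return -1;
    return 0;
}

/* The original computation: bfOffBits is an unsigned 32-bit value read from the
 * file, so for any bfOffBits < 54 the subtraction wraps and ncol lands near 1e9. */
static uint32_t ncol_unchecked(const struct bmp_hdr *h) {
    return (h->bfOffBits - BMP_HEADERS_LEN) / 4;
}

/* Hardened version: refuse offsets that point inside the headers, and refuse
 * palettes larger than the format allows. Returns the count, or -1 on rejection. */
static long ncol_checked(const struct bmp_hdr *h) {
    if (h->bfOffBits < BMP_HEADERS_LEN) return -1;
    uint32_t n = (h->bfOffBits - BMP_HEADERS_LEN) / 4;
    if (n > BMP_MAX_PALETTE) return -1;
    return (long)n;
}

/* Constructed sample input: a minimal valid header pair with a chosen bfOffBits. */
static void make_header(uint8_t buf[BMP_HEADERS_LEN], uint32_t off_bits) {
    memset(buf, 0, BMP_HEADERS_LEN);
    buf[0] = 'B'; buf[1] = 'M';                    /* bfType = 19778 little-endian */
    for (int i = 0; i < 4; i++) buf[10 + i] = (uint8_t)(off_bits >> (8 * i));
    buf[14] = 40;                                  /* biSize */
    buf[26] = 1;                                   /* biPlanes */
    buf[28] = 8;                                   /* biBitCount: 8 bpp, palette image */
}

/* Wrappers that build, parse and evaluate one header so both paths can be compared. */
static uint32_t ncol_for_offset_unchecked(uint32_t off_bits) {
    uint8_t buf[BMP_HEADERS_LEN]; struct bmp_hdr h;
    make_header(buf, off_bits);
    if (parse_bmp_headers(buf, sizeof buf, &h) != 0) return 0;
    return ncol_unchecked(&h);
}
static long ncol_for_offset_checked(uint32_t off_bits) {
    uint8_t buf[BMP_HEADERS_LEN]; struct bmp_hdr h;
    make_header(buf, off_bits);
    if (parse_bmp_headers(buf, sizeof buf, &h) != 0) return -1;
    return ncol_checked(&h);
}

int main(void) {
    const uint32_t probes[] = { 0, 53, 54, 54 + 4 * 256, 54 + 4 * 257 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("bfOffBits=%5u  original ncol=%10u  checked ncol=%ld\n",
               probes[i], ncol_for_offset_unchecked(probes[i]), ncol_for_offset_checked(probes[i]));
    }
    return 0;
}
```

With bfOffBits = 53 the original arithmetic produces an ncol of 1073741823, which is what the snippet then hands to C_MAKE as `ncol * 3`; the checked version rejects that header outright. The 256 cap is a choice made here, not something the original code or the ticket states, and it assumes the palette is only meaningful for 8-bpp and smaller images.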