CVE-2022-28068: Fix oobread crash in DWARF parser (tests_64924) ##crash · radareorg/radare2@637f4bd

A heap buffer overflow in the r_sleb128 function in radare2 5.4.2 and 5.4.0.


Expand Up @@ -383,21 +383,18 @@ static inline ut64 dwarf_read_offset(bool is_64bit, const ut8 **buf, const ut8 * if (is_64bit) { result = READ64 (*buf); } else { result = READ32 (*buf); result = (ut64)READ32 (*buf); } return result; }
static inline ut64 dwarf_read_address(size_t size, const ut8 **buf, const ut8 *buf_end) { ut64 result; switch (size) { case 2: result = READ16 (*buf); break; case 4: result = READ32 (*buf); break; case 8: result = READ64 (*buf); break; default: case 2: result = READ16 (*buf); break; case 4: result = READ32 (*buf); break; case 8: result = READ64 (*buf); break; default: result = 0; *buf += size; eprintf ("Weird dwarf address size: %zu.", size); Expand Down Expand Up @@ -1857,8 +1854,7 @@ static const ut8 *parse_attr_value(const ut8 *obuf, int obuf_len, * @param sdb * @return const ut8* Updated buffer */ static const ut8 *parse_die(const ut8 *buf, const ut8 *buf_end, RBinDwarfAbbrevDecl *abbrev, RBinDwarfCompUnitHdr *hdr, RBinDwarfDie *die, const ut8 *debug_str, size_t debug_str_len, Sdb *sdb) { static const ut8 *parse_die(const ut8 *buf, const ut8 *buf_end, RBinDwarfAbbrevDecl *abbrev, RBinDwarfCompUnitHdr *hdr, RBinDwarfDie *die, const ut8 *debug_str, size_t debug_str_len, Sdb *sdb) { size_t i; for (i = 0; i < abbrev->count - 1; i++) { memset (&die->attr_values[i], 0, sizeof (die->attr_values[i])); Expand All @@ -1868,9 +1864,8 @@ static const ut8 *parse_die(const ut8 *buf, const ut8 *buf_end, RBinDwarfAbbrevD
RBinDwarfAttrValue *attribute = &die->attr_values[i];
bool is_valid_string_form = (attribute->attr_form == DW_FORM_strp || attribute->attr_form == DW_FORM_string) && attribute->string.content; bool is_string = (attribute->attr_form == DW_FORM_strp || attribute->attr_form == DW_FORM_string); bool is_valid_string_form = is_string && attribute->string.content; // TODO does this have a purpose anymore? // Or atleast it needs to rework becase there will be // more comp units -> more comp dirs and only the last one will be kept Expand All @@ -1880,7 +1875,6 @@ static const ut8 *parse_die(const ut8 *buf, const ut8 *buf_end, RBinDwarfAbbrevD } die->count++; }
return buf; }
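Review bot: In the dwarf_read_address hunk the default branch advances the cursor with `*buf += size;` without comparing size against the bytes remaining before buf_end, even though buf_end is passed in for exactly that purpose; since size is taken from the parsed compilation-unit header, a crafted file can move *buf past the end of the buffer, which is pointer arithmetic outside the object and makes any later `buf_end - *buf` distance check unreliable. The READ16/READ32/READ64 branches may be bounded inside the macros, which are defined outside this hunk, so the concern applies at least to the fallback path. I would replace the advance with `if (size > (size_t)(buf_end - *buf)) { *buf = buf_end; } else { *buf += size; }` and keep result at 0 either way. The bodies of dwarf_read_offset and dwarf_read_address both continue outside the hunk, so the callers' handling of the returned 0 cannot be checked here.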
