Open
Description
PhysFS has some memory safety issues resulting in out-of-bounds reads.
These issues were noticed by running tests using Clang's sanitizers (address, signed-integer-overflow).
An obvious impact is the ability to make software crash (i.e. denial of service) by providing malformed archives.
I have not investigated whether more serious exploits are possible or not. My focus is on reporting problems and recommending fixes.
- physfs_archiver_csm.c: Off-by-one error in an array index may lead to accessing memory after the end of the name buffer.
- physfs_archiver_qpak.c: Failure to validate that the name is null-terminated may lead to accessing memory after the end of the name buffer.
- physfs_unicode.c: Off-by-one error in a buffer increment may lead to accessing memory after the end of a Unicode buffer.
An upcoming merge request will provide a possible fix and will point to the specific lines of code.
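As an added illustration of the qpak item above (example code written for this report, not PhysFS's own code), a bounded reader for a fixed-width archive name field that rejects an entry whose name carries no terminator instead of treating the raw bytes as a C string. The 56-byte Quake PAK name field is an assumption about the format, not something taken from this report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quake PAK directory entries carry a fixed 56-byte name field (assumed
 * layout for this example; not copied from PhysFS). */
#define QPAK_NAME_LEN 56

/* Copy a PAK entry name into `dst` (which must hold QPAK_NAME_LEN + 1
 * bytes). Returns the name length on success, or -1 when no terminator
 * occurs inside the field, so callers never run past the buffer's end. */
int qpak_read_name(const unsigned char field[QPAK_NAME_LEN], char *dst)
{
    const void *nul = memchr(field, '\0', QPAK_NAME_LEN);
    if (nul == NULL)
        return -1;                          /* unterminated: reject entry */
    size_t len = (size_t)((const unsigned char *)nul - field);
    memcpy(dst, field, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed sample: a well-formed entry; unused bytes are zero-filled. */
int demo_valid(void)
{
    unsigned char field[QPAK_NAME_LEN] = "maps/e1m1.bsp";
    char name[QPAK_NAME_LEN + 1];
    return qpak_read_name(field, name);
}

/* Constructed sample: a malformed entry whose name fills the whole field
 * with no terminator, the case a naive strlen/strcpy would over-read. */
int demo_unterminated(void)
{
    unsigned char field[QPAK_NAME_LEN];
    char name[QPAK_NAME_LEN + 1];
    memset(field, 'A', sizeof field);
    return qpak_read_name(field, name);
}

int main(void)
{
    printf("valid entry: %d\n", demo_valid());            /* 13 */
    printf("unterminated entry: %d\n", demo_unterminated()); /* -1 */
    return 0;
}
```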