There is a good deal of complexity in the object structure that is detailed in the post that I'm going to gloss over. Effectively you have an array of entry objects, and each entry has a pointer to a `user_data_value_element`...
`strcat` was used in a callback to craft the `xpath` for each element, and it did this without any bounds checking. By nesting XML structures they could eventually overflow the memory region they were allocated in...
A bug and exploit that hearkens back to old-school browser exploitation. The bug is a use-after-free in `concat_function()` for variable concatenation, which is abused in the PHP engine to escape `disable_functions` and `open_basedir` sandboxing.
A rather subtle bug in the ASN.1 parsing state machine that comes down to one area of code being unaware of an edge case in another.
**tl;dr** Two CVEs, one an integer overflow due to incorrectly assuming the compiler would optimize an `enum` into a single byte, and the other some uninitialized kernel stack variables that could be exposed to userspace.
Follow-up to the December post, which covered an integer overflow in the CoreGraphics PDF parser for the JBIG2 image format that was used to build a weird machine / mini architecture to execute code. This post covers the sandbox escape that was chained with it, which, unlike the first bug, is a logic issue rather than a memory corruption.
An out-of-bounds access bug in the netatalk open source library for the Apple Filing Protocol (AFP) that could be exploited on the WD PR4100 NAS for pre-auth RCE. The bug happens when parsing resource fork file headers, which can be reached through the `afp_openfork` handler over AFP or SMB without authentication...
The vulnerability here is a fairly straightforward overflow in the esp6 crypto module. When receiving messages, an 8-page buffer is allocated for the incoming data, but it's possible for messages to be sent that exceed 8 pages in size...
Two issues. The first is simply that the update check would make an HTTPS request but not validate the certificate, giving a man-in-the-middle some attack surface. The second was in parsing the downloaded file: a checksum would be copied from the file into a fixed-size stack buffer. As an attacker can control the response file, they can overflow the stack buffer.
Cool trick impacting PHP's `filter_var` which is actually a bit of a binary-level issue: if you provide a long enough string as the argument to `filter_var`, eventually some code (for `FILTER_VALIDATE_DOMAIN` and `FILTER_FLAG_HOSTNAME`) will mistakenly believe the size is much smaller than it actually is (in fact negative).