[Gerbv 2.7.0] Out-Of-Bounds Access due to Unchecked Array Index

We discussed this vulnerability during Episode 98 on 09 November 2021

Gerbv uses a fixed-size array to store gerbv_aperture_t structures, but that array is indexed by an unrestricted integer, yielding both an out-of-bounds read and an out-of-bounds write. The index is the attacker-controlled value tool_num; although it is checked against the MIN and MAX bounds of the array, an out-of-bounds value only results in an error message.

This later provides an out-of-bounds read at the attacker-controlled index, and if the value read is null, a user-tainted value (size) is written to the ->parameter[0] field of the structure, giving an out-of-bounds write. The value written is influenced by the attacker, but it is a floating-point variable that is divided by either 25.4 or 1000 depending on the unit in use, which is also user-controlled.
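As an added illustration of the check pattern described above (constructed for this page, not Gerbv's code; the names, table bounds, NULL-slot allocation and unit enum are assumptions), a bounds check that only logs beside one that rejects the tool number before it is ever used as an index:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not Gerbv's source: a fixed-size aperture table
 * indexed by a tool number taken from the drill file. Names, bounds and
 * the unit enum are assumptions made for this example. */
#define APERTURE_MIN 10
#define APERTURE_MAX 999

typedef struct { double parameter[5]; } aperture_t;
typedef struct { aperture_t *aperture[APERTURE_MAX]; } image_t;
typedef enum { UNIT_MM, UNIT_MIL } drill_unit_t;

/* Weak check: reports the problem but lets the caller continue, so an
 * out-of-range tool_num still reaches the array (the bug class above). */
bool tool_num_check_weak(int tool_num) {
    if (tool_num < APERTURE_MIN || tool_num >= APERTURE_MAX)
        fprintf(stderr, "tool %d out of range\n", tool_num);
    return true;
}

/* Hardened check: the caller must abandon the definition on failure. */
bool tool_num_check(int tool_num) {
    if (tool_num < APERTURE_MIN || tool_num >= APERTURE_MAX) {
        fprintf(stderr, "tool %d out of range, definition rejected\n", tool_num);
        return false;
    }
    return true;
}

/* The parsed size is converted to inches before being stored: mm / 25.4,
 * mils / 1000 (the two divisors the write-up mentions). */
double size_to_inches(double size, drill_unit_t unit) {
    return unit == UNIT_MM ? size / 25.4 : size / 1000.0;
}

/* Returns 0 if the tool was defined, -1 if tool_num was rejected or the
 * allocation failed. The hardened check runs before any index into the table. */
int define_tool(image_t *img, int tool_num, double size, drill_unit_t unit) {
    if (!tool_num_check(tool_num))
        return -1;
    if (img->aperture[tool_num] == NULL) {
        img->aperture[tool_num] = calloc(1, sizeof(aperture_t));
        if (img->aperture[tool_num] == NULL)
            return -1;
    }
    img->aperture[tool_num]->parameter[0] = size_to_inches(size, unit);
    return 0;
}
```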

Exploitation

The authors don't dive too deeply into exploitation, but propose that an attacker could target the drill_stats linked list in the heap, overwriting the next field to inject custom entries that will later be freed, providing an arbitrary free primitive.