At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content.

This issue may be used to leak internal memory allocation information. eProsima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group.

This happens because `two_back` points to a memory address lower than the start of the buffer `out`. A crafted image file may trigger out of bounds memcpy read in `stbi_gif_load_next`. stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn't match the real image array dimensions. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn't match the real number of components per pixel, the library attempts to flip the image vertically. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service. An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel.