Category

Integer Overflow

Security vulnerabilities and automated fixes for integer overflow issues

23 posts found

medium · 8 min

Integer Overflow in Shared Memory Bounds Check: How a Missing Cast Opened the Door to Arbitrary Memory Writes

A subtle but dangerous integer overflow vulnerability was discovered in `lib/rpmi_shmem.c`, where bounds checks on shared memory operations could be silently bypassed due to 32-bit arithmetic overflow. By carefully crafting `offset` and `len` values, an OS-level or hypervisor-level caller could direct firmware writes to arbitrary memory addresses — including interrupt vector tables and security-critical configuration structures. The fix was elegantly simple: casting operands to 64-bit before add

#integer-overflow #firmware-security #memory-safety
orbisai0security
May 28, 2026
critical · 7 min

Heap Overflow in TOML Parser: How Integer Overflow Leads to Memory Corruption

A critical heap buffer overflow vulnerability was discovered and patched in the centitoml TOML parser, where missing integer overflow validation on a `MALLOC(len+1)` call could allow an attacker to trigger memory corruption via a crafted TOML configuration file. The vulnerability (CWE-190) is reachable through community-distributed mod or map files that the game loads from its `config/` directory, making it a realistic attack vector for remote code execution. A targeted one-line guard now preven

#c #memory-safety #buffer-overflow
orbisai0security
May 28, 2026
critical · 9 min

Heap Corruption via Unchecked memcpy: How Integer Overflow Bugs Corrupt Memory in Windows File Operations

A critical buffer overflow vulnerability was discovered in `phlib/nativefile.c`, where multiple `memcpy` calls copied filename and extended-attribute data into fixed-size structures without verifying that source lengths didn't exceed destination buffer boundaries. An attacker supplying an oversized filename or EA name could corrupt adjacent heap memory, potentially enabling arbitrary code execution. The fix replaces unchecked arithmetic with Windows' safe integer helpers (`RtlULongAdd`, `RtlULon

#buffer-overflow #heap-corruption #windows-security
orbisai0security
May 28, 2026
critical · 9 min

Integer Overflow to Heap Buffer Overflow: Fixing a Critical memcpy Bounds Check in libretro-db

A critical heap buffer overflow vulnerability was discovered in `libretro-db/rmsgpack_dom.c`, where a missing integer width cast allowed an attacker-controlled string length value of `UINT32_MAX` to wrap around to zero, completely collapsing the bounds check before a `memcpy` call. The fix is a single targeted cast to `uint64_t` that closes the overflow window and ensures the bounds check behaves correctly regardless of the input value. This class of vulnerability is a textbook example of how in

#buffer-overflow #integer-overflow #c-security
orbisai0security
May 28, 2026
critical · 6 min

Critical Integer Sign Bug in runtime_malloc(): How a Missing Check Enables Heap Corruption

A critical vulnerability in `runtime/zenith_runtime.c` allowed the `runtime_malloc()` function to accept negative size values, which when cast to an unsigned type could either trigger a massive failed allocation or produce a dangerously undersized buffer ripe for overflow. The fix adds a simple but essential guard clause that rejects non-positive sizes before they ever reach `malloc()`. Left unpatched, this class of bug can lead to heap metadata corruption, process crashes, or even arbitrary cod

#c #memory-safety #heap-corruption
orbisai0security
May 28, 2026
medium · 7 min

Integer Overflow in Packet Reassembly: How One Missing Check Enables Heap Corruption

A critical heap buffer overflow vulnerability was discovered in the network packet reassembly function of `net_channel_ex.c`, where an attacker-controlled `bodylen` field could be used to corrupt heap memory without any bounds validation. The fix introduces a simple yet effective integer overflow check before accumulating packet body lengths, preventing malformed packets from triggering memory corruption. This type of vulnerability is a stark reminder that even low-level arithmetic operations in

#buffer-overflow #integer-overflow #network-security
orbisai0security
May 28, 2026
critical · 8 min

Integer Overflow to Heap Buffer Overflow: How a Missing Size Check Almost Took Down an Embedded Web Server

A critical integer overflow vulnerability (CWE-190 → CWE-122) was discovered and fixed in an embedded ESP web server, where the HTTP Content-Length header value was cast to a signed integer and used directly in a `malloc()` call without proper size validation. On 32-bit systems, a crafted request with a maximum-sized Content-Length value could cause the allocation size to wrap to zero, allowing an attacker to overflow the heap with arbitrary data. The fix correctly validates the signed header va

#c #embedded-security #buffer-overflow
orbisai0security
May 28, 2026
high · 7 min

Chained Memory Safety Vulnerabilities: How a Malicious Source File Could Compromise Your Build System

A high-severity vulnerability in `src/parser/koala.l` allowed an attacker to craft a malicious `.kl` source file that, when parsed by the Koala compiler, could trigger a chain of memory safety bugs — integer overflow, use-after-free, and out-of-bounds access — ultimately enabling arbitrary code execution at the privilege level of the compiler process. The fix introduces strict input validation guards that break this exploitation chain before it can begin. This is a reminder that parsers and comp

#memory-safety #integer-overflow #buffer-overflow
orbisai0security
May 28, 2026
critical · 8 min

Integer Overflow to Heap Corruption: Fixing a Critical Buffer Overflow in C Memory Allocation

A critical integer overflow vulnerability was discovered in a C-based audio reader where `malloc()` was called with an unchecked multiplication of `n_samples * sizeof(float)`, allowing heap buffer overflows through attacker-controlled input. The fix replaces raw `malloc()` calls with Ruby's safe `ALLOC_N` macro and wraps allocation logic in a protected, exception-safe block. This prevents heap memory corruption that could lead to arbitrary code execution or application crashes.

#c #buffer-overflow #integer-overflow
orbisai0security
May 28, 2026
critical · 7 min

Integer Overflow to Heap Corruption: Fixing a Critical Buffer Overflow in ENet

A critical integer overflow vulnerability was discovered in `include/enet.h` where size calculations derived from attacker-controlled network values could overflow before being passed to `enet_malloc`, resulting in undersized heap allocations and subsequent heap corruption. The fix adds proper bounds checking to sector I/O code, preventing attackers from triggering heap overflows by sending crafted network packets. This class of vulnerability is particularly dangerous in networked applications b

#integer-overflow #heap-overflow #buffer-overflow
orbisai0security
May 28, 2026
critical · 8 min

Critical Integer Overflow in GIF Decoder: How a Simple Multiplication Can Lead to Heap Corruption

A critical integer overflow vulnerability was discovered and patched in the GIF decoder library `libnsgif`, where multiplying width, height, and pixel byte values from untrusted GIF headers could silently overflow, causing heap buffer corruption during image processing. This class of vulnerability is particularly dangerous because it originates from attacker-controlled input and can lead to arbitrary code execution or process crashes. The fix introduces explicit overflow checks before any memory

#c #integer-overflow #gif-decoder
orbisai0security
May 28, 2026
critical · 9 min

Heap Corruption via Integer Overflow in URI Parsing: A Deep Dive into CWE-190

A critical integer overflow vulnerability in `uri.c` allowed attackers to craft malicious URI strings that caused an undersized heap allocation followed by an out-of-bounds `memcpy`, leading to heap corruption. The fix adds mandatory bounds validation before any memory allocation, ensuring the `len + 1` calculation cannot silently wrap around to zero. Left unpatched, this vulnerability could enable remote code execution through carefully crafted URI inputs.

#c #memory-safety #integer-overflow
orbisai0security
May 28, 2026