Project

General

Profile

Actions
Copy link

Bug #13417

open

Verify heap-buffer-overflow in createSalt

Added by Matthias Van Ceulebroeck about 1 month ago. Updated about 1 month ago.

Status:
Review
Priority:
Normal
Assignee:
-
Target version:
4.12.0
Start date:
01/15/2025
Due date:
% Done:

0%

Estimated time:

Description

Due to how this function is implemented, always copying three bytes, a heap-buffer-overflow has been introduced here.
Wt ought to be more defensive here. There are three choices:

  • do not allow non-three divisible input. Simply throw an exception here. This seems excessive.

  • correct the requested length to be valid. Again, this is tampering with what Wt shouldn't tamper with.

  • correct the saltBuf variable, to contain two bytes more, ensuring any input always fits.

Only the last option seems to be a valid approach.

Of course, we should implement some tests (on length) to ensure its output is valid.

Actions
Copy link
 #1

Updated by Romain Mardulyn about 1 month ago

  • Status changed from New to InProgress
  • Assignee set to Romain Mardulyn
Actions
Copy link
 #2

Updated by Romain Mardulyn about 1 month ago

  • Status changed from InProgress to Review
  • Assignee deleted (Romain Mardulyn)
Actions
Copy link

Also available in: Atom PDF