Therefore, up to 16 bytes can be read out of bounds on the line with the statement `memcpy(&ipaddr->u8, iphc_ptr, postcount) `. But no similar check is done before decompressing the IPv6 address. In versions 4.9 and prior, when processing the various IPv6 header fields during IPHC header decompression, Contiki-NG confirms the received packet buffer contains enough data as needed for that field. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.Ĭontiki-NG is an operating system for internet-of-things devices. This can remotely crash any Fast-DDS process. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. This issue may be used to leak internal memory allocation information.Įprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. This happens because two_back points to a memory address lower than the start of the buffer out. A crafted image file may trigger out of bounds memcpy read in `stbi_gif_load_next`. Stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |