libzvbi Integer Overflow Vulnerability in vbi_strndup_iconv_ucs2 Function

Vulnerability

A vulnerability exists in libzvbi versions prior to 0.2.44, specifically within the vbi_strndup_iconv_ucs2 function in src/conv.c. The issue arises from an integer overflow caused by improper handling of the src_length argument, which can be exploited remotely, leading to a heap overflow. This vulnerability has been publicly disclosed and is accompanied by a proof-of-concept exploit.

Impact

Exploitation of this vulnerability causes an integer overflow, which can lead to a heap overflow. Such heap overflows can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by calling the vbi_strndup_iconv_ucs2 function with a user-controlled src_length large enough to overflow the buffer allocation calculation. Manipulating the input in this way triggers the integer overflow, which then leads to a heap overflow when the function attempts to write data into the improperly allocated buffer.
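The class of bug described above, and the check that prevents it, shown as an added example (not code from libzvbi or from this advisory). The function names, the 32-bit length type and the expansion factor of 4 bytes per character are assumptions chosen for illustration, not values taken from src/conv.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed worst-case output bytes per input character, plus a terminator.
 * Both constants are illustrative, not libzvbi's values. */
#define BYTES_PER_CHAR 4u
#define TERMINATOR     1u

/* Unchecked form: unsigned 32-bit arithmetic wraps modulo 2^32, so a very
 * large length produces a tiny allocation size. */
uint32_t unchecked_size(uint32_t src_length)
{
    return src_length * BYTES_PER_CHAR + TERMINATOR;
}

/* Checked form: reject any length whose product would not fit in size_t.
 * Returns 0 on overflow; a valid size is always >= TERMINATOR. */
size_t conv_buffer_size(size_t src_length)
{
    if (src_length > (SIZE_MAX - TERMINATOR) / BYTES_PER_CHAR)
        return 0;
    return src_length * BYTES_PER_CHAR + TERMINATOR;
}

/* Allocate the conversion buffer only when the size is trustworthy.
 * Returns NULL on overflow or allocation failure. */
char *alloc_conv_buffer(size_t src_length)
{
    size_t size = conv_buffer_size(src_length);
    if (size == 0)
        return NULL;
    return calloc(1, size);
}

int main(void)
{
    uint32_t huge = 0x40000000u;   /* constructed sample length */
    printf("unchecked size for %u chars: %u bytes\n",
           (unsigned)huge, (unsigned)unchecked_size(huge));
    printf("checked size for 10 chars: %zu bytes\n", conv_buffer_size(10));
    printf("checked size for SIZE_MAX chars: %zu (rejected)\n",
           conv_buffer_size(SIZE_MAX));
    char *buf = alloc_conv_buffer(10);
    free(buf);
    return 0;
}
```

The division-based bound is evaluated before the multiplication, so the check itself cannot overflow.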

Remediation

Users are advised to upgrade to libzvbi version 0.2.44, which addresses this vulnerability. The updated version is available on the libzvbi GitHub repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.