libzvbi Integer Overflow Vulnerability Leading to Heap Overflow
Vulnerability
A critical integer overflow vulnerability has been identified in libzvbi versions prior to 0.2.43. It occurs in the function vbi_capture_sim_load_caption in the file src/io-sim.c. The integer overflow can be triggered remotely and leads to a heap overflow. The vulnerability has been publicly disclosed, and details that allow it to be exploited are available.
Impact
Exploitation of this vulnerability triggers an integer overflow, which in turn leads to a heap overflow. Heap overflows of this kind can often be exploited to execute arbitrary code, or to crash the application and cause a denial-of-service condition.
Reproduction
The vulnerability is triggered by appending data to a caption string that is already at its maximum length, so that the length arithmetic overflows. This is done by sending a specially crafted stream to the vbi_capture_sim_load_caption function. The function then attempts to reallocate the buffer to hold the new data, but because the computed size has overflowed, the buffer is incorrectly sized and the subsequent write runs past its end. This misallocation can be exploited to overwrite heap memory and potentially execute arbitrary code.
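The length-arithmetic pattern described above, as an added illustration that is not libzvbi's code: a hypothetical caption buffer whose unchecked length sum can wrap around, beside an overflow-checked form that rejects the append instead of reallocating too small. The struct, field names and functions are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable caption buffer (assumption; not libzvbi's structure). */
typedef struct {
    char *data;
    unsigned int len;   /* bytes used */
    unsigned int cap;   /* bytes allocated */
} caption_buf;

/* Unchecked size computation: len + add wraps around when the true sum
   exceeds UINT_MAX, so realloc would be asked for far too little memory
   and the following memcpy would overflow the heap block. Computed only. */
unsigned int unchecked_new_size(unsigned int len, unsigned int add)
{
    return len + add;   /* wraps modulo 2^32 */
}

/* Checked version: detect the wrap before it happens and refuse the append. */
bool checked_new_size(unsigned int len, unsigned int add, unsigned int *out)
{
    if (add > UINT_MAX - len)
        return false;   /* sum would not fit in unsigned int */
    *out = len + add;
    return true;
}

/* Append n bytes using the checked arithmetic. Returns false on overflow or
   allocation failure; on failure the buffer is left untouched. */
bool caption_append(caption_buf *b, const char *src, unsigned int n)
{
    unsigned int need;
    /* need + 1 (terminating NUL) must also fit, so reject need == UINT_MAX. */
    if (!checked_new_size(b->len, n, &need) || need == UINT_MAX)
        return false;
    if (need + 1 > b->cap) {
        char *p = realloc(b->data, need + 1);   /* realloc(NULL, ...) acts like malloc */
        if (!p)
            return false;
        b->data = p;
        b->cap = need + 1;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    b->data[b->len] = '\0';
    return true;
}
```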
Remediation
Users are advised to upgrade to libzvbi version 0.2.44, which addresses this vulnerability. The updated version is available on the project's GitHub release page.
