libzvbi Integer Overflow Vulnerability in vbi_search_new Function

Vulnerability

A critical integer overflow vulnerability has been identified in libzvbi versions prior to 0.2.44. The issue arises in the vbi_search_new function in src/search.c, where the pat_len argument is manipulated in a way that leads to an integer overflow. The vulnerability can be triggered remotely, and the resulting heap overflow could have various impacts, including crashing the application or causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes an integer overflow, leading to a heap overflow. Such heap overflows can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by calling the vbi_search_new function with a pat_len value that triggers the integer overflow. A value outside the expected range causes the length calculation to wrap around, so the allocation is smaller than intended. Subsequent writes into that undersized allocation then run beyond its bounds, producing the heap overflow.
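The following added example, written for this advisory and not taken from libzvbi, shows the bug class described above: a pattern-buffer size computed in a 32-bit type wraps for a large length and yields a tiny allocation, while the hardened variant checks the arithmetic before allocating. The element size and function names are hypothetical and do not reproduce libzvbi's actual layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical size of one element in the converted pattern buffer. */
#define PAT_ELEM_SIZE 4u

/* Vulnerable pattern: the byte count is computed in 32 bits, so
 * (pat_len + 1) * PAT_ELEM_SIZE silently wraps for a large pat_len and
 * the caller receives a buffer far smaller than the data it will copy. */
static uint32_t unchecked_pattern_bytes(uint32_t pat_len)
{
    return (pat_len + 1) * PAT_ELEM_SIZE;
}

/* Hardened version: reject any pat_len for which pat_len + 1 or the
 * multiplication would not fit in size_t. Returns the byte count on
 * success and 0 on overflow (0 is never a valid result here, since the
 * count is always at least PAT_ELEM_SIZE). */
static size_t checked_pattern_bytes(size_t pat_len)
{
    if (pat_len > SIZE_MAX - 1)
        return 0;
    if (pat_len + 1 > SIZE_MAX / PAT_ELEM_SIZE)
        return 0;
    return (pat_len + 1) * PAT_ELEM_SIZE;
}

/* Allocate the pattern buffer only when the size computation is sound;
 * returns NULL both on overflow and on allocation failure. */
static void *alloc_pattern(size_t pat_len)
{
    size_t bytes = checked_pattern_bytes(pat_len);
    if (bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed value: (0x40000000 + 1) * 4 = 0x100000004, which
     * truncates to 4 in 32-bit arithmetic. */
    uint32_t bad = 0x40000000u;
    printf("unchecked bytes for pat_len=0x%x: %u\n", bad,
           unchecked_pattern_bytes(bad));
    printf("checked bytes for SIZE_MAX: %zu (0 = rejected)\n",
           checked_pattern_bytes(SIZE_MAX));
    void *p = alloc_pattern(7);
    printf("alloc_pattern(7) %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```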

Remediation

Users are advised to upgrade to libzvbi version 0.2.44, which addresses this vulnerability. The patched version is available on the project's GitHub releases page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.