tbeu matio Heap-Based Buffer Overflow Vulnerability in strdup_vprintf Function

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in tbeu matio version 1.5.28. The issue arises in the strdup_vprintf function in src/io.c, specifically at line 67. The flaw can be triggered remotely and results in an out-of-bounds read that can crash the application and could be used to execute arbitrary code.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption, allowing for arbitrary code execution or causing the application to crash.

Reproduction

The vulnerability can be reproduced by compiling the application with AddressSanitizer enabled, using Clang as the compiler. After building the application, a fuzzer can be used to automate feeding it inputs that trigger the vulnerability. The fuzzer can be compiled against the same libraries used to build the application, excluding the fuzzing engine, and then run with a crafted input that triggers the buffer overflow.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 5.8
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.