PointCloudLibrary zlib Library Inftrees Component Improper Pointer Arithmetic Vulnerability

A vulnerability has been identified in the zlib library's inftrees.c component, which is included with PointCloudLibrary (PCL) versions prior to 1.14.0 or those that explicitly disable the use of the system zlib. This vulnerability arises from improper pointer arithmetic, potentially allowing context-dependent attackers to cause undefined behavior. In PCL versions 1.14.0 and later, the library defaults to the system's zlib installation, unless the user opts out.

Impact

Exploitation of this vulnerability could lead to undefined behavior, which may include memory corruption or other unpredictable program behavior.

Reproduction

To reproduce this vulnerability, use a version of PointCloudLibrary prior to 1.14.0 or one that has been configured to not use the system zlib. This can be done by setting the WITH_SYSTEM_ZLIB option to FALSE. Once the appropriate version and configuration are set, the vulnerability can be triggered by the conditions that exploit the improper pointer arithmetic in the inftrees.c component.

Remediation

Users can upgrade to PointCloudLibrary version 1.15.0 or later, which addresses this vulnerability by using the system zlib installation by default. If version 1.15.0 is not available, ensure that the PCL version is 1.14.0 or later and that the WITH_SYSTEM_ZLIB option is set to TRUE.