matio
cpe:2.3:a:matio_project:matio:*:*:*:*:*:*:*
- 1.5.28
- de6590eef17a19fc64c362af34294fbc58d2bd07
A heap-based memory corruption vulnerability has been identified in the Matio library version 1.5.28. The issue arises in the Mat_VarCreateStruct() function when the nfields parameter does not match the actual number of strings in the fields array. This mismatch can lead to out-of-bounds memory reads and improper memory deallocations during cleanup, potentially causing a segmentation fault or heap corruption. The vulnerability exists because the function does not validate that the fields array contains the expected number of non-NULL strings, so uninitialized memory can be read as field names and later freed, which results in undefined behavior.
Exploitation of this vulnerability can cause heap-based memory corruption, leading to a segmentation fault or general heap corruption. In environments where Matio is used to process user-supplied .mat files or construct structs based on user input, this vulnerability could be triggered remotely.
The vulnerability can be reproduced by calling the Mat_VarCreateStruct() function with a nfields value that exceeds the actual number of fields provided. This can be done by allocating an array of fields with only one valid string while setting nfields to a higher value, such as 16. After creating the struct, the variable can be freed using Mat_VarFree(), which will attempt to deallocate the improperly managed memory, causing a segmentation fault.
It is recommended to add validation in the Mat_VarCreateStruct() function to ensure that the fields parameter is either NULL (when nfields is 0) or contains exactly nfields non-NULL pointers.
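The following is an added example, not matio's own code, showing the check the recommendation describes: a caller- or library-side validation that the fields array is either NULL with nfields equal to 0, or holds exactly nfields non-NULL pointers. The demo_struct_t type, demo_create_struct() and the helper names are assumptions made for this illustration; they stand in for the real Mat_VarCreateStruct()/Mat_VarFree() path so the block runs without matio installed. The sample inputs are constructed to mirror the mismatch described above (an array of 16 slots with only one string set).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Validation recommended by the advisory: returns 1 when the (fields, nfields)
 * pair is consistent, 0 otherwise. nfields == 0 requires fields == NULL;
 * otherwise every one of the nfields entries must be a non-NULL string. */
int fields_are_valid(const char **fields, unsigned nfields)
{
    if (nfields == 0)
        return fields == NULL;          /* no fields: pointer must be NULL */
    if (fields == NULL)
        return 0;                       /* count > 0 but no array at all */
    for (unsigned i = 0; i < nfields; i++) {
        if (fields[i] == NULL)
            return 0;                   /* short array: entry would be read/freed */
    }
    return 1;
}

/* Hypothetical stand-in for the struct-variable type (assumption, not matio's). */
typedef struct {
    char **fields;
    unsigned nfields;
} demo_struct_t;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out)
        memcpy(out, s, n);
    return out;
}

void demo_free_struct(demo_struct_t *s)
{
    if (s == NULL)
        return;
    /* Only nfields entries were ever allocated, so only those are freed. */
    for (unsigned i = 0; i < s->nfields; i++)
        free(s->fields[i]);
    free(s->fields);
    free(s);
}

/* Hypothetical stand-in for Mat_VarCreateStruct(): copies field names only
 * after validation succeeds, so a bad count never reaches the copy/free path. */
demo_struct_t *demo_create_struct(const char **fields, unsigned nfields)
{
    if (!fields_are_valid(fields, nfields))
        return NULL;                    /* reject the mismatch up front */
    demo_struct_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    if (nfields > 0) {
        s->fields = calloc(nfields, sizeof *s->fields);
        if (s->fields == NULL) { free(s); return NULL; }
        for (unsigned i = 0; i < nfields; i++) {
            s->fields[i] = dup_string(fields[i]);
            if (s->fields[i] == NULL) {
                s->nfields = i;         /* free only what was copied so far */
                demo_free_struct(s);
                return NULL;
            }
        }
    }
    s->nfields = nfields;
    return s;
}

/* Constructed sample: 16 zeroed slots, one valid string, count of 16.
 * Returns 1 if the mismatch is rejected (expected). */
int check_short_array_rejected(void)
{
    const char **fields = calloc(16, sizeof *fields);
    if (fields == NULL) return 0;
    fields[0] = "only_field";
    int rejected = (fields_are_valid(fields, 16) == 0) &&
                   (demo_create_struct(fields, 16) == NULL);
    free(fields);
    return rejected;
}

/* Constructed sample: count matches the array; returns the stored nfields. */
unsigned check_matching_array_accepted(void)
{
    const char *fields[2] = { "alpha", "beta" };
    demo_struct_t *s = demo_create_struct(fields, 2);
    if (s == NULL) return 0;
    unsigned n = s->nfields;
    demo_free_struct(s);
    return n;
}

int main(void)
{
    printf("short array rejected: %d\n", check_short_array_rejected());
    printf("matching array accepted with nfields=%u\n", check_matching_array_accepted());
    return 0;
}
```

One caveat worth keeping in mind: the NULL check only catches slots that are actually NULL. If the caller's array came from malloc() rather than calloc() and was never filled, the unused slots hold garbage pointers, not NULL, and no check inside the callee can tell them apart from real strings. The validation therefore belongs on both sides: the library rejects counts that reach a NULL slot, and callers should build the fields array with the same count they pass as nfields.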