Zserio Framework BitStreamReader Integer Overflow Vulnerability Leading to Denial-of-Service
Vulnerability
A high-severity integer overflow vulnerability has been identified in the Zserio framework, specifically in the BitStreamReader component, prior to version 2.18.1. On 32-bit platforms, the readBytes() and readString() functions improperly handle variable-sized data, allowing an overflowed value to bypass bounds checks. This flaw enables the code to read up to 512 MB from a buffer only a few bytes long, resulting in a segmentation fault. This vulnerability impacts Zserio's C++ runtime and could disrupt Advanced Driver-Assistance Systems (ADAS) functionality in affected vehicles.
Impact
On its own, exploitation of this vulnerability causes a segmentation fault and therefore a denial-of-service condition. Because Zserio underpins the Navigation Data Standard (NDS) used by major automotive manufacturers such as Toyota and BMW, however, the vulnerability could have broader implications for vehicle functionality.
Reproduction
The vulnerability can be reproduced on a 32-bit platform with a payload that encodes a variable size of 536,870,912 bytes. When this value is processed by the readVarSize() function, the arithmetic in the setBitPosition() method overflows, so the bounds check that should reject the size passes. The readBytes() function then attempts to read 512 MB from a buffer that is only a few bytes long, resulting in a segmentation fault.
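The following C program is an added illustration of the overflow pattern described above; it is not Zserio's code. It models a 32-bit platform's size_t with uint32_t and uses the 536,870,912-byte size from this advisory: multiplying that by 8 to convert bytes to bits yields exactly 2^32, which wraps to 0, so a plain "new position within buffer" check passes. The Reader32 type, the advance_bytes_unchecked() and advance_bytes_checked() functions and the demonstration helpers are assumed names for this model, shown side by side so the overflow-safe check can be compared with the vulnerable one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added model of a bit-stream reader on a 32-bit platform (not zserio's code).
 * size_t is 32 bits wide there, which this model represents with uint32_t. */
typedef struct {
    uint32_t buffer_bits;   /* total size of the backing buffer, in bits */
    uint32_t bit_position;  /* current read position, in bits (always <= buffer_bits) */
} Reader32;

/* Size from the advisory: 536,870,912 bytes = 2^29; times 8 bits is exactly 2^32. */
#define ADVISORY_VARSIZE 536870912u

/* Vulnerable pattern: convert the byte count to bits with plain 32-bit
 * arithmetic and bounds-check the product. For ADVISORY_VARSIZE the product
 * wraps to 0, so the check sees "advance by zero bits" and accepts it, while
 * the caller still goes on to copy num_bytes bytes from the tiny buffer. */
static bool advance_bytes_unchecked(Reader32 *r, uint32_t num_bytes) {
    uint32_t new_pos = r->bit_position + num_bytes * 8u;  /* unsigned wrap-around */
    if (new_pos > r->buffer_bits)
        return false;  /* only rejects when the (possibly wrapped) value is large */
    r->bit_position = new_pos;
    return true;
}

/* Hardened pattern: reject sizes whose bit count cannot be represented, then
 * compare against the space actually remaining, so no intermediate can wrap. */
static bool advance_bytes_checked(Reader32 *r, uint32_t num_bytes) {
    if (num_bytes > UINT32_MAX / 8u)
        return false;  /* num_bytes * 8 would not fit in 32 bits */
    uint32_t bits = num_bytes * 8u;
    if (bits > r->buffer_bits - r->bit_position)
        return false;  /* not enough data left in the buffer */
    r->bit_position += bits;
    return true;
}

/* Demonstrations on a constructed 8-byte (64-bit) buffer. */
bool unchecked_accepts_oversized(void) {
    Reader32 r = { 64u, 0u };
    return advance_bytes_unchecked(&r, ADVISORY_VARSIZE);  /* true: check bypassed */
}

bool checked_rejects_oversized(void) {
    Reader32 r = { 64u, 0u };
    return !advance_bytes_checked(&r, ADVISORY_VARSIZE);   /* true: overflow caught */
}

/* Resulting bit position after a checked advance, or UINT32_MAX if rejected. */
uint32_t checked_position_after(uint32_t num_bytes) {
    Reader32 r = { 64u, 0u };
    return advance_bytes_checked(&r, num_bytes) ? r.bit_position : UINT32_MAX;
}

int main(void) {
    printf("unchecked accepts 2^29 bytes on 8-byte buffer: %s\n",
           unchecked_accepts_oversized() ? "yes (vulnerable)" : "no");
    printf("checked rejects 2^29 bytes on 8-byte buffer:   %s\n",
           checked_rejects_oversized() ? "yes (safe)" : "no");
    printf("checked advance by 4 bytes -> bit position %u\n",
           checked_position_after(4u));
    return 0;
}
```

The hardened variant mirrors the general fix for this class of bug: validate that a multiplication fits the integer width before performing it, and compare a requested length against the remaining space rather than adding it to the current position. On a 64-bit build the same product does not wrap, which is why the advisory scopes the fault to 32-bit platforms.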
Remediation
Users are advised to update to Zserio version 2.18.1 or later, where this vulnerability has been fixed.