openFPGALoader Heap Buffer Overflow Vulnerability in POF File Parser
Vulnerability
A heap buffer overflow vulnerability has been identified in openFPGALoader versions through 3429d34. The issue arises in the POFParser::parseSection() function, where the parser reads a 32-bit size field from a .pof file without proper validation. This oversight allows for out-of-bounds access to heap memory when the parser processes a crafted .pof file. Notably, no FPGA hardware is needed to exploit this vulnerability.
Impact
Exploitation of this vulnerability leads to a heap buffer overflow, allowing for out-of-bounds memory access. This could result in information disclosure, as the leaked data may be written to an FPGA or saved to a file. Additionally, the vulnerability could cause the program to crash.
Reproduction
The vulnerability can be reproduced by creating a .pof file whose size field exceeds the actual file length; the parser accepts the value without any bounds check. A short Python script is enough to craft such a file. After compiling openFPGALoader with AddressSanitizer enabled, running it on the crafted .pof file triggers the out-of-bounds access, which AddressSanitizer reports as a heap-buffer-overflow error.
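As an added illustration, and not openFPGALoader's own code, the following minimal section parser shows the check that closes this class of bug: the 32-bit size field is compared against the bytes that actually remain in the buffer before any payload is touched. It assumes a hypothetical header of a 2-byte tag followed by a 4-byte little-endian size (not the real POF layout), and the two sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified section layout used only for this example:
 * 2-byte little-endian tag, 4-byte little-endian payload size, payload.
 * This is NOT openFPGALoader's real POF layout. */
#define SECTION_HDR_LEN 6u

struct section {
    uint16_t tag;
    uint32_t size;
    const uint8_t *payload;   /* points into the caller's buffer */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the section starting at `off` inside a buffer of `len` bytes.
 * Returns 0 on success, -1 if the header or the declared payload does not
 * fit in the buffer. The declared size is checked against the bytes that
 * really remain, which is the validation the advisory says is missing. */
int parse_section_checked(const uint8_t *buf, size_t len, size_t off,
                          struct section *out) {
    if (off > len || len - off < SECTION_HDR_LEN)   /* header truncated */
        return -1;
    uint32_t size = rd_le32(buf + off + 2);
    size_t remaining = len - off - SECTION_HDR_LEN; /* bytes after header */
    if ((size_t)size > remaining)                   /* oversized size field */
        return -1;
    out->tag = rd_le16(buf + off);
    out->size = size;
    out->payload = buf + off + SECTION_HDR_LEN;
    return 0;
}

/* Constructed sample inputs, not taken from any real .pof file. */
static const uint8_t good_file[] = {0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 'd', 'a', 't', 'a'};
/* Same header, but the size field claims 0x7FFFFFFF bytes while only 4 follow. */
static const uint8_t bad_file[]  = {0x01, 0x00, 0xFF, 0xFF, 0xFF, 0x7F, 'd', 'a', 't', 'a'};

int parse_good(void) { struct section s; return parse_section_checked(good_file, sizeof good_file, 0, &s); }
int parse_bad(void)  { struct section s; return parse_section_checked(bad_file, sizeof bad_file, 0, &s); }

int main(void) {
    printf("good file: %s\n", parse_good() == 0 ? "accepted" : "rejected");
    printf("oversized size field: %s\n", parse_bad() == 0 ? "accepted" : "rejected");
    return 0;
}
```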