CVE-2023-45681
CVSS V2 None
CVSS V3 None
Description
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
Overview
- CVE ID
- CVE-2023-45681
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-10-20T23:26:56.100Z
- Last Modified Date
- 2023-10-20T23:26:56.100Z
Weakness Enumerations
References
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-45681 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45681 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-25 09:59:50 | Added to TrackCVE |