Bug 2358118 (CVE-2025-3406)

Summary: CVE-2025-3406 stb: Nothings stb Header Array out-of-bounds read
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: code
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Nothings stb. This vulnerability allows out-of-bounds read via manipulation of the w argument in the stbhw_build_tileset_from_image function.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2358172, 2358173, 2358174, 2358175, 2358176, 2358177    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-08 04:01:07 UTC 
A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bounds read. It is possible to launch the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Comment 2 Ben Beasley 2025-04-08 10:04:14 UTC 
https://nvd.nist.gov/vuln/detail/CVE-2025-3406

The CVE contains little detail and no suggested mitigation.

It is easy to see how an incorrect image-width argument w to the function stbhw_build_tileset_from_image could result in an out-of-bounds read in the data buffer, but an API user only supplies the buffer size indirectly via the w and h arguments, so it’s incumbent on the API user to make sure they are sane – there is nothing that can be done within stbhw_build_tileset_from_image to further validate them.

I am inclined to suggest that this CVE is invalid: the API user must provide a consistent width, height, and data buffer. We don’t say that memcpy() is vulnerable because an API user could pass it the wrong size argument n.