A potentially exploitable out-of-bounds write vulnerability was found in vt100.c.

Vulnerable code:

    static void (*vt_keyb)(int, int);           /* Gets called for NORMAL/APPL switch. */
    static void (*termout)(const char *, int);  /* Gets called to output a string. */
    static int escparms[8];                     /* Cumulated escape sequence. */
    static int ptr;                             /* Index into escparms array. */
    static long vt_tabs[5];                     /* Tab stops for max. 32*5 = 160 columns. */
    //...
    /* See if a number follows */
    if (c >= '0' && c <= '9') {
        escparms[ptr] = 10*escparms[ptr] + c - '0';
        return;
    }
    /* Separation between numbers ? */
    if (c == ';') {
        if (ptr < 15) ptr++;
        return;
    }

With crafted input, an attacker can write out of bounds of the escparms array (the check allows ptr to reach 15 while escparms has only 8 elements) and could potentially overwrite the ptr variable itself.
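The following is an added example, not minicom's code or its upstream fix. It models the quoted parameter accumulation (digits build the current parameter, ';' advances the slot) with the bound derived from the array size instead of a hard-coded 15, counts surplus parameters instead of storing them, and includes a helper that replays only the original index arithmetic so the mismatch between the check and the array size can be shown without performing any write. The names esc_state, esc_feed, esc_parse, original_max_index and the NPARMS constant are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not minicom's code. NPARMS matches the size of the
 * quoted escparms[8] array. */
#define NPARMS 8

struct esc_state {
    int parms[NPARMS];
    int ptr;      /* slot in use; a value of NPARMS means "overflowed" */
    int dropped;  /* parameters that did not fit and were discarded */
};

static void esc_reset(struct esc_state *st)
{
    memset(st, 0, sizeof *st);
}

/* Hardened version of the quoted logic: the bound comes from the array
 * size, so no write can reach past parms[NPARMS - 1]. Once the array is
 * full, further digits are ignored and surplus parameters are counted. */
static void esc_feed(struct esc_state *st, unsigned char c)
{
    if (c >= '0' && c <= '9') {
        if (st->ptr < NPARMS)
            st->parms[st->ptr] = 10 * st->parms[st->ptr] + (c - '0');
        return;
    }
    if (c == ';') {
        if (st->ptr < NPARMS)
            st->ptr++;           /* reaching NPARMS marks the overflow */
        if (st->ptr == NPARMS)
            st->dropped++;       /* this parameter has nowhere to go */
        return;
    }
}

/* Parse the parameter part of a CSI sequence (everything before the
 * final byte). Returns the number of parameters actually stored. */
static int esc_parse(struct esc_state *st, const char *seq)
{
    esc_reset(st);
    for (; *seq; seq++)
        esc_feed(st, (unsigned char)*seq);
    return st->ptr < NPARMS ? st->ptr + 1 : NPARMS;
}

/* Replays only the index arithmetic of the quoted original
 * (`if (ptr < 15) ptr++`) without touching any array, and returns the
 * highest index the original would have written. Any result >= NPARMS
 * is an out-of-bounds write. */
static int original_max_index(const char *seq)
{
    int ptr = 0;
    for (; *seq; seq++)
        if (*seq == ';' && ptr < 15)
            ptr++;
    return ptr;
}

int main(void)
{
    /* Constructed input: 20 parameters, more than escparms can hold. */
    const char *seq = "1;2;3;4;5;6;7;8;9;10;11;12;13;14;15;16;17;18;19;20";
    struct esc_state st;
    int n = esc_parse(&st, seq);

    printf("original check would write up to escparms[%d] (array has %d)\n",
           original_max_index(seq), NPARMS);
    printf("hardened parser stored %d parameters, dropped %d\n",
           n, st.dropped);
    return 0;
}
```

The point of the example is that the bound in the separator branch must be tied to the declared size of the parameter array; a constant that is larger than the array turns a long run of ';' characters into writes past its end.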
Acknowledgments: Name: Alexander Peslyak (Openwall)
Created minicom tracking bugs for this issue: Affects: fedora-all [bug 1443129]
Public via http://www.openwall.com/lists/oss-security/2017/04/18/5