1985246 – (CVE-2020-36430) CVE-2020-36430 libass: heap-based buffer overflow in decode_chars because the wrong integer data type is used for subtraction

Bug 1985246 (CVE-2020-36430) - CVE-2020-36430 libass: heap-based buffer overflow in decode_chars because the wrong integer data type is used for subtraction

Summary: CVE-2020-36430 libass: heap-based buffer overflow in decode_chars because the...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-36430
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1985247 1985248
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-23 08:52 UTC by Marian Rehak
Modified:	2021-10-28 05:28 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-28 05:28:38 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Marian Rehak 2021-07-23 08:52:06 UTC

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction.

References:

https://github.com/libass/libass/commit/017137471d0043e0321e377ed8da48e45a3ec632
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libass/OSV-2020-2099.yaml
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26674

Comment 1 Marian Rehak 2021-07-23 08:52:41 UTC

Created libass tracking bugs for this issue:

Affects: epel-all [bug 1985248]
Affects: fedora-all [bug 1985247]

Note You need to log in before you can comment on or make changes to this bug.