cmusphinx/sphinxbase

ckd_calloc_[234]d() out-of-bounds read

guidovranken opened this issue · 1 comments

The following leads to an out-of-bounds read in ckd_free_2d (can be observed with valgrind or AddressSanitizer). It happens whenever the first argument to ckd_calloc_2d is 0. This also applies to the 3d and 4d counterparts.

#include <sphinxbase/ckd_alloc.h>

int main(void)
{
    /* first dimension 0: no row pointers exist for ckd_free_2d to read */
    void* p = ckd_calloc_2d(0, 2, 3);
    ckd_free_2d(p);   /* out-of-bounds read reported here */
    return 0;
}

If you acknowledge and fix this, could you please credit 'ForAllSecure Mayhem'?

Thanks
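A self-contained model of the same two-level layout (an array of row pointers over one flat block) with the zero-row case handled, as an added example that is not sphinxbase's code: alloc_2d, free_2d and fill_and_sum are hypothetical names, and the hardening shown (always reserving one row-pointer slot so the free path never reads past a zero-length array) is one possible fix, not the project's actual patch.

```c
#include <stdlib.h>
/* Minimal model of the "row pointers over one flat block" layout used by
 * ckd_calloc_2d/ckd_free_2d; written for this issue, not sphinxbase code.
 * Hardening: always allocate at least one row-pointer slot, so free_2d's
 * read of rows[0] stays in bounds when d1 == 0. */
static void **alloc_2d(size_t d1, size_t d2, size_t elemsize)
{
    size_t nslots = d1 ? d1 : 1;            /* never a zero-length pointer array */
    char **rows = malloc(nslots * sizeof *rows);
    char *flat = calloc(d1 * d2, elemsize); /* zero-size block when d1 == 0 */
    size_t i;

    /* calloc(0, n) may legally return NULL; only treat NULL as failure otherwise */
    if (rows == NULL || (flat == NULL && d1 * d2 != 0)) {
        free(rows);
        free(flat);
        return NULL;
    }
    rows[0] = flat;                         /* in bounds even when d1 == 0 */
    for (i = 1; i < d1; i++)
        rows[i] = flat + i * d2 * elemsize;
    return (void **)rows;
}

/* Same shape as ckd_free_2d: free the flat block through row 0, then the rows */
static void free_2d(void *p)
{
    void **rows = p;
    if (rows == NULL)
        return;
    free(rows[0]);
    free(rows);
}

/* Round trip on a d1 x d2 int matrix: write row-major indices, return their sum
 * (-1 on allocation failure). d1 == 0 is the case from the report. */
static long fill_and_sum(size_t d1, size_t d2)
{
    int **m = (int **)alloc_2d(d1, d2, sizeof(int));
    long sum = 0;
    size_t i, j;
    if (m == NULL)
        return -1;
    for (i = 0; i < d1; i++)
        for (j = 0; j < d2; j++) {
            m[i][j] = (int)(i * d2 + j);
            sum += m[i][j];
        }
    free_2d(m);
    return sum;
}
```

Running the block under AddressSanitizer or valgrind with d1 == 0 is the check that the extra slot removes the read the report describes.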