{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1760995243, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"28e2b36b793a330d26e71e4f189ea32f", "commit": {"type":"commit", "time": 1759939418, "time_ofs": 60, "oid_tree": { "oid": "22dc70e7c66ee00fa23ff9f315b398661f449ad3", "alias": []}, "oid":{ "oid": "2b715249f39291c86443b969a1088d59b6a89b78", "alias": []}, "msg": "NN-2025-0105: UPNG out of bounds write", "sig_commit": { "git_time": { "time": 1759939418, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1758717840, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }}, "body": "NN-2025-0105: UPNG out of bounds write\n\nThis document contains sensitive information collected during our\nsecurity research activities related with the Libwebsockets library\nmaintained by Andy Green (warmcat).\n\n+-------------------------------------------------------------------------------------------------------+\n| Report information |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Vendor | warmcat 
|\n+-------------------------------------+-----------------------------------------------------------------+\n| Vendor URL | https://libwebsockets.org/git/libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected component | libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected version | 4.4 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vulnerability | CWE-787: Out-of-bounds Write |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Base Score | 6.0 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |\n+-------------------------------------+-----------------------------------------------------------------+\n\n+-----------------------------------------------------------------------------+\n| Security Researcher(s) |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Name | **Email address** |\n+-------------------------------------+---------------------------------------+\n| Raffaele Bova | labs-advisory@nozominetworks.com |\n+-------------------------------------+---------------------------------------+\n\nLibwebsockets is a C library that provides client and server\nimplementation for various protocols (e.g., HTTP, websockets, MQTT) 
and\nmore.\n\nNozomi Networks Lab discovered a \u0022CWE-787: Out-of-bounds Write\u0022 in the\nlatest software version of libwebsockets, specifically in the upng\ncomponent.\n\nThe vulnerability allows an attacker to write past the bounds of a heap\nallocated buffer, that may lead to a crash.\n\nThe issue is caused by the initialization of `bypl` struct member,\nwhenever the multiplication of width by bypp overflows, resulting in\n`bypl` being 0, later on the buffer `u-\u003einf.out` will only be allocated a\nbuffer of size `u-\u003einf.info_size` and the buffer `u-\u003eu.lines` will then\npoint right after the end of the allocated buffer, thus any subsequent\noperation on the lines buffer will write or read past heap allocated\nmemory.\n\nThis bug may lead to a crash or other undesirable effects in the\n`unfilter_scanline` function, as the recon buffer directly points inside\nthe lines buffer.\n\n![Address sanitizer report](./NN-2025-0105_image.png)\n\nWe have provided a patch to add a sanity check for the maximum possible\nvalue of width, making sure that the multiplication will not overflow,\nas bypp is derived by bpp, and width is also multiplied by bpp, a check\nthat `width * bpp` will not overflow is needed.\n" , "diff": "diff --git a/lib/misc/upng.c b/lib/misc/upng.c\nindex becab64..dd6b370 100644\n--- a/lib/misc/upng.c\n+++ b/lib/misc/upng.c\n@@ -458,7 +458,7 @@ lws_upng_decode(lws_upng_t* u, const uint8_t **_pos, size_t *_size)\n \t\t\t/* 32KB gz sliding window */\n \t\t\tu-\u003einf.info_size \u003d 32768 + 512;\n \t\t\tu-\u003eu.bpp\t \u003d lws_upng_get_bpp(u);\n-\t\t\tif (!u-\u003eu.bpp)\n+\t\t\tif (!u-\u003eu.bpp || u-\u003ewidth \u003e\u003d (UINT_MAX / u-\u003eu.bpp))\n \t\t\t\treturn LWS_SRET_FATAL + 14;\n \n \t\t\tu-\u003eu.y\t\t\u003d 0;\n","s":{"c":1760971171,"u": 7939}} ],"g": 726,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}
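Review bot: In the `lws_upng_decode` hunk, the new width condition returns the same `LWS_SRET_FATAL + 14` as the existing `!u->u.bpp` case, so a caller or log reader cannot tell a zero bpp from an oversized width; a separate return code for the width rejection would make the failure diagnosable. The bound is also written against `bpp`, while the commit message names the overflowing product as width times `bypp` feeding `bypl`; a one-line comment above the condition, saying that bounding `width * bpp` also bounds `width * bypp`, would keep the check from looking arbitrary to the next reader. The hunk adds no include, so it is worth confirming that `UINT_MAX` from `<limits.h>` is already visible in `upng.c`. If `bypl` is later added to or multiplied when the lines buffer is sized, widths just under this limit could still wrap in that later arithmetic, and a tighter cap on width would cover it.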