FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

zydis -- heap buffer overflow

Affected packages
zydis < 3.2.1

Details

VuXML ID d487d4fc-43a8-11ed-8b01-b42e991fc52e
Discovery 2021-11-08
Entry 2022-10-04

Zyantific reports:

Zydis users of versions v3.2.0 and older that use the string functions provided in zycore in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like ZyanStringAppend to make incorrect calculations for the new target size, resulting in heap memory corruption.

References

CVE Name CVE-2021-41253
URL https://www.cvedetails.com/cve/CVE-2021-41253