CVE-2022-33065: Multiple signed integers overflow in function au_read_header in src/au.c and in functions...

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.04656%
Published: 7/18/2023
Updated: 4/4/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Root Cause Analysis

The analysis focused on the commit 58428ae9c66029e1890f28b098041900707008c8, which was identified as closing the relevant GitHub issues and addressing the CVE. The diff of this commit shows changes in src/au.c and src/mat4.c.

In src/au.c, the function au_read_header was modified to change how it checks for potential overflow when calculating psf->dataoffset + au_header->data_size. The original check was insufficient and could lead to an overflow.

In src/mat4.c, the function mat4_read_header had several arithmetic operations involving data read from the file header (matrix rows, columns, byte width). These operations, such as rows * cols to determine frame count, and frames * bytewidth to determine data size, were vulnerable to integer overflows. The patch added explicit pre-condition checks to ensure these multiplications and subsequent additions would not overflow.

The function mat4_open is listed as vulnerable because it calls mat4_read_header, so it is the entry point through which the overflows in mat4_read_header are reached.

The UBSAN logs from the GitHub issues directly pointed to lines within these functions where integer overflows were occurring, further corroborating that these functions are indeed the vulnerable ones. The patch directly addresses these reported overflow locations by adding or modifying checks around arithmetic operations involving externally controlled data.
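
The kind of pre-condition check described above, as an added example; it is not libsndfile's code and not the patch from the commit. The function name checked_mat_sizes, the field widths (32-bit rows, cols and byte width, 64-bit offsets) and the sample inputs are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libsndfile code). Validates header-derived sizes
 * before any arithmetic can overflow. Field widths are assumptions:
 * 32-bit rows/cols/bytewidth, 64-bit offsets. Returns 0 if accepted, -1 if not. */
int checked_mat_sizes(int32_t rows, int32_t cols, int32_t bytewidth,
                      int64_t dataoffset, int64_t *frames, int64_t *dataend)
{
    /* Values come from the file, so zero or negative sizes are rejected. */
    if (rows <= 0 || cols <= 0 || bytewidth <= 0 || dataoffset < 0)
        return -1;

    /* rows * cols: widen first. Two positive 32-bit values always fit in
     * 64 bits; the same multiply done in 32-bit int is the overflow case. */
    int64_t f = (int64_t) rows * (int64_t) cols;

    /* frames * bytewidth: compare against the quotient before multiplying. */
    if (f > INT64_MAX / bytewidth)
        return -1;
    int64_t datasize = f * bytewidth;

    /* dataoffset + datasize: compare against the headroom before adding. */
    if (datasize > INT64_MAX - dataoffset)
        return -1;

    *frames = f;
    *dataend = dataoffset + datasize;
    return 0;
}

int main(void)
{
    int64_t frames = 0, dataend = 0;
    /* Constructed inputs: a plausible header and one with extreme dimensions. */
    if (checked_mat_sizes(2, 1000, 8, 20, &frames, &dataend) == 0)
        printf("ok: frames=%" PRId64 " dataend=%" PRId64 "\n", frames, dataend);
    if (checked_mat_sizes(INT32_MAX, INT32_MAX, 8, 20, &frames, &dataend) != 0)
        printf("rejected: frames * bytewidth would overflow\n");
    return 0;
}
```

Each check runs before the operation it guards, so no signed overflow is ever evaluated and a build with UBSAN enabled stays silent on the rejected input.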
