-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability description explicitly states that the function _vbi_strndup_iconv in libzvbi up to version 0.2.43 is affected by an integer overflow. Version 0.2.44 contains the fix.
66a1c9bdf3a7f105a5c02070cc6de0d949513c58) and the patched version (v0.2.44: 5169a428d51c3ae8ff7b0897e8a687d8e05e37b5) using get_repo_tags and compare_two_commits.ca1672134b3e2962cd392212c73f44f8f4cb489f has the message 'src/conv.c, src/io-sim.c, src/search.c: Avoid integer overflow leading to heap overflow', strongly indicating it contains the relevant fix.get_commit_infos. The commit modifies src/conv.c, which is where _vbi_strndup_iconv is expected to reside.src/conv.c explicitly shows fixes for integer overflows in memory allocation size calculations for functions strndup_identity and strndup_utf8_ucs2. These fixes involve adding checks before calling vbi_malloc to ensure the calculated size has not overflowed (e.g., if (src_size > (src_size + 4)) or if (src_length > (src_length * 3 + 1)))._vbi_strndup_iconv was not in the summarized patch from get_commit_infos, the vulnerability description's specificity, combined with the nature of fixes in the same file within the identified commit, leads to a high confidence that _vbi_strndup_iconv had a similar integer overflow vulnerability in its memory allocation logic that was remediated by this commit. The pattern of vulnerability and fix is consistent with the changes observed for other functions in src/conv.c.Ongoing coverage of React2Shell