Threats Tagged 'cwe-193'

LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element past its end. In fixed versions the array is sized to hold the largest possible nesting.

nanoMODBUS versions up to 1.23.0 have an off-by-one buffer overflow vulnerability in the recv_msg_header() function of the Modbus/TCP server. This flaw allows remote unauthenticated attackers to write one byte beyond the end of a 260-byte buffer by sending a specially crafted MBAP frame with a Length field set to 255. The overflow corrupts an adjacent buffer-index field, causing denial of service via invalid memory accesses. On bare-metal and RTOS systems without memory protection, it can also lead to one-byte information disclosure and unintended writes to registers during the Write Multiple Registers handler execution.

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.