Heap on Arzedlab 🪵

Exploring Integer Overflow: libxml2 Integer Overflow, which leads to OOB

Fri, 22 Aug 2025 00:00:00 +0000

Exploring Integer Overflow: libxml2 Integer Overflow OOB

In everyday life, numbers feel endless. You can always count one higher, or subtract one more. But computers don’t work like that. Inside your machine, numbers are stored in fixed-sized containers and when you push them past their limits, strange things happen. When a calculation produces a value that’s too large or too small for its container, we get integer overflow or integer underflow.

EXIM: CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Mon, 26 May 2025 00:00:00 +0000

EXIM: Analysis 4.92.1-R

This is just as re-analysis to better understand, the reporter and author of there vulnerabileties is company Qualys official link: https://www.qualys.com/2021/05/04/21nails/21nails.txt

CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Callers of pdkim_finish_bodyhash()

main() → receive_msg() → dkim_exim_verify_finish()

dkim_exim_verify_finish() be called to verify DKIM (DomainKeys Identified Mail) signature, then calls pdkim_feed_finish() , which calls pdkim_finish_bodyhash()

DKIM (DomainKeys Identified Mail) looks like this.

Code of the function pdkim_finish_bodyhash()

...
 /* VERIFICATION --------------------------------------------------------- */
 /* Be careful that the header sig included a bodyash */

 if ( sig->bodyhash.data
 && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
 {
 DEBUG(D_acl) debug_printf("PDKIM [%s] Body hash compared OK\n", sig->domain);
 }
 else
 {
 DEBUG(D_acl)
 {
	debug_printf("PDKIM [%s] Body hash signature from headers: ", sig->domain);
	pdkim_hexprint(sig->bodyhash.data, sig->bodyhash.len);
	debug_printf("PDKIM [%s] Body hash did NOT verify\n", sig->domain);
	}
 sig->verify_status = PDKIM_VERIFY_FAIL;
 sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
 }
...

Unfortunately, at line 826, sig->bodyhash.data is attacker-controlled (through a “DKIM-Signature:” mail header) and memcmp() is called without checking first that sig->bodyhash.len is equal to b->bh.len: memcmp() can read sig->bodyhash.data out-of-bounds. If the acl_smtp_dkim is set (it is unset by default), an unauthenticated remote attacker may transform this vulnerability into an information disclosure; we have not fully explored this possibility.

CVE-2021-36414: heap-buffer-overflow MP4Box

Tue, 04 Apr 2023 00:00:00 +0000

CVE-2021-36414

A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.

Here: the main problem is dividing into zero

Assigning block_size:

block_size = ent ? ent->sampleDelta : 160;

This line uses the conditional (ternary) operator to assign a value to block_size.
It checks if ent is not NULL.
- If ent is valid (i.e., not NULL), block_size is assigned the value of ent->sampleDelta.
- If ent is NULL, block_size is assigned a default value of 160.