Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-45663— Disclosure of uninitialized memory in stbi__tga_load in stb_image

CVSS 5.3 · Medium EPSS 0.14% · P34
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-45663

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Disclosure of uninitialized memory in stbi__tga_load in stb_image
Source: NVD (National Vulnerability Database)
Vulnerability Description
stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对未经初始化资源的使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
stb_image 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
stb是一款用于C/C ++的单文件公共域库。 stb_image 存在安全漏洞,该漏洞源于可能会导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
nothingsstb <= 2.28 -

II. Public POCs for CVE-2023-45663

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-45663

登录查看更多情报信息。

Same Patch Batch · nothings · 2023-10-20 · 14 CVEs total

CVE-2023-456817.3 HIGHOut of bounds heap buffer write in stb_vorbis
CVE-2023-456797.3 HIGHAttempt to free an uninitialized memory pointer in vorbis_deinit in stb_vorbis
CVE-2023-456777.3 HIGHHeap buffer out of bounds write in start_decoder in stb_vorbis
CVE-2023-456767.3 HIGHMulti-byte write heap buffer overflow in start_decoder in stb_vorbis
CVE-2023-456667.3 HIGHPossible double-free or memory leak in stbi__load_gif_main in stb_image
CVE-2023-456647.3 HIGHDouble-free in stbi__load_gif_main_outofmem in stb_image
CVE-2023-456786.5 MEDIUMOff-by-one heap buffer write in start_decoder in stb_vorbis
CVE-2023-456756.5 MEDIUM0 byte write heap buffer overflow in start_decoder in stb_vorbis
CVE-2023-456626.5 MEDIUMMulti-byte read heap buffer overflow in stbi__vertical_flip in stb_image
CVE-2023-456616.5 MEDIUMWild address read in stbi__gif_load_next in stb_image
CVE-2023-456825.3 MEDIUMWild address read in vorbis_decode_packet_rest in stb_vorbis
CVE-2023-456805.3 MEDIUMNull pointer dereference in vorbis_deinit in stb_vorbis
CVE-2023-456675.3 MEDIUMNull pointer dereference because of an uninitialized variable in stb_image

IV. Related Vulnerabilities

Same product: stb
Same vendor: nothings
Same weakness: CWE-908

V. Comments for CVE-2023-45663

No comments yet

Leave a comment