GDAL vendored HDF-EOS out-of-bounds read via size_t underflow (CVE-2026-8213)

漏洞概述 CVE-2026-8213: 在GDAL的vendored HDF-EOS库中，通过 下溢导致的越界读取漏洞。 影响范围 受影响版本: GDAL 3.13.0dev-4c681a376 Commit: 4c681ad376 漏洞类型: 越界读取 触发条件: 当 元数据值为空时， 返回0，导致 发生下溢，进而引发栈上的越界读取。 修复方案 当前状态: 页面中未提供具体的修复方案，但建议更新到最新版本或应用官方提供的补丁。 POC代码 ```c GDSFldlsrch (fmts/hdf4/hdf-eos/GDapi.c) strips quotes from a metadata-derived string using memmove(name, name+1, strlen(name)-2) and name[strlen(name)-2] without checking that strlen(name) >= 2. When the FieldList metadata value is empty (strlen(name)=0), the expression strlen(name)-2 wraps to SIZE_MAX-1 (18446744073709551614) due to unsigned underflow, causing memmove to attempt a read of ~18 exabytes from the stack — immediate crash. Version: GDAL 3.13.0dev-4c681a376 Commit: 4c681ad376 Root cause (GDapi.c): char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList = NULL; char name = NULL; char FieldList =

目標達成すべての支援者に感謝 — 100%達成しました！

GDAL vendored HDF-EOS out-of-bounds read via size_t underflow (CVE-2026-8213)

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

GDAL vendored HDF-EOS out-of-bounds read via size_t underflow (CVE-2026-8213)

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！