Comodo Antivirus LZX Decompression Heap Overflow
Posted by deepcore on March 24, 2016 – 7:27 am
Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It’s possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.
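The ordering problem described above, as a simplified model; this is an added example, not Comodo's code. `struct window`, `put_late_check`, `put_checked` and `guard_bytes_hit` are hypothetical names, and the guard region exists only so the demonstration stays inside its own allocation while showing which bytes past the 2^method window get modified.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD  16    /* slack bytes so the demo never leaves its own allocation */
#define CANARY 0xAA  /* fill value used to detect writes past the window */

/* Hypothetical stand-in for the decoder window: 2^method logical bytes. */
struct window { uint8_t *buf; size_t size, pos; };

static int window_init(struct window *w, unsigned method) {
    if (method > 24) return -1;              /* demo cap, not from the advisory */
    w->size = (size_t)1 << method;
    w->pos = 0;
    w->buf = malloc(w->size + GUARD);
    if (!w->buf) return -1;
    memset(w->buf, CANARY, w->size + GUARD);
    return 0;
}

/* Pattern from the text: the write happens, then the bound is checked. */
static int put_late_check(struct window *w, uint8_t b) {
    w->buf[w->pos++] = b;
    return w->pos > w->size ? -1 : 0;
}

/* Corrected order: reject before touching memory. */
static int put_checked(struct window *w, uint8_t b) {
    if (w->pos >= w->size) return -1;
    w->buf[w->pos++] = b;
    return 0;
}

/* Emit n constructed bytes; return how many guard bytes were overwritten. */
static size_t guard_bytes_hit(unsigned method, size_t n,
                              int (*put)(struct window *, uint8_t)) {
    struct window w;
    size_t hit = 0;
    if (window_init(&w, method) != 0) return (size_t)-1;
    for (size_t i = 0; i < n && put(&w, 0x41) == 0; i++) { }
    for (size_t i = 0; i < GUARD; i++) hit += (w.buf[w.size + i] != CANARY);
    free(w.buf);
    return hit;
}

int main(void) {
    printf("late check: %zu\n", guard_bytes_hit(4, 100, put_late_check));
    printf("early check: %zu\n", guard_bytes_hit(4, 100, put_checked));
    return 0;
}
```

In this model the late check still reports an error, but only after a byte beyond the window has been written; the early check reports the same error with the adjacent memory untouched.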