freeing stack buffer in utf8asn1str

libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.

N/A

N/A

libcurl 安全漏洞

libcurl是cURL开源的一个免费且易于使用的客户端 URL 传输库。 libcurl ASN1 8.6.0到8.8.0版本存在安全漏洞，该漏洞源于当检测到无效字段并返回错误时，utf8asn1str()函数会调用free()释放一个4字节的本地栈缓冲区。有些现代malloc实现会接受输入指针并将其添加到可用内存块列表中，可能导致覆盖附近的堆栈内存，引起程序崩溃。

N/A

N/A