z2d OOB composition could lead to invalid memory access and corruption
z2d is a pure Zig 2D graphics library. Versions of z2d after `0.5.1` and up to and including `0.6.0`, when writing from one surface to another using `z2d.compositor.StrideCompositor.run`, and higher-level operations when the anti-aliasing mode is set to `.default` (such as `Context.fill`, `Context.stroke`, `painter.fill`, and `painter.stroke`), the source surface can be completely out-of-bounds on the x-axis, but not on the y-axis, by way of a negative offset. This results in an overflow of the value controlling the length of the stride. In non-safe optimization modes (consumers compiling with `ReleaseFast` or `ReleaseSmall`), this could potentially lead to invalid memory accesses or corruption.
This issue is patched in version `0.6.1`. Users on an untagged version after `v0.5.1` and before `v0.6.1` are advised to update to address the vulnerability. Those still on Zig `0.13.0` are recommended to downgrade to `v0.5.1`.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-119 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE | CWE-122 | CWE-122: Heap-based Buffer Overflow |
| CWE | CWE-190 | CWE-190: Integer Overflow or Wraparound |
Type: CWE
Description: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Type: CWE
Description: CWE-122: Heap-based Buffer Overflow
Type: CWE
Description: CWE-190: Integer Overflow or Wraparound
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 4.0 | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Version: 4.0
Base score: 7.3
Base severity: HIGH
Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H