Memory
x/12gx 0x555555559290gdb session
Heap layout · chunk A → chunk B
strcpy writes left → right · base
0x555555559290
name[32]
32 B · strcpy target
auth
8 B
service
24 B
metadata
name[32]
auth flag
service
overflowed
The vulnerable source
heap-two.c#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct auth {
char name[32];
int auth;
};
struct auth *auth;
char *service;
int main(int argc, char **argv) {
auth = malloc(sizeof(*auth));
memset(auth, 0, sizeof(*auth));
service = strdup("owner");
if (strcmp(argv[1], "auth") == 0) {
strcpy(auth->name, argv[2]); /* no bounds check */
}
if (auth->auth) {
printf("you have logged in already!\n");
}
return 0;
}Phoenix heap-two → CVE-2025-43300
| Phoenix heap-two | CVE-2025-43300 (ImageIO) | |
|---|---|---|
| Vulnerable call | strcpy(auth->name, argv[2]) | DNG SamplesPerPixel loop |
| Attacker-controlled length | argv[2] length | SamplesPerPixel vs SOF3 |
| Buffer size | name[32] | per-component sample buffer |
| What gets corrupted | Adjacent auth flag | Adjacent heap object / vtable |
| Outcome | Authentication bypass | Sandbox RCE |
| Class | Linear OOB heap write (CWE-787) | |