
Jon_Lowtek | 4 months ago

Has anyone tried the PoC for CVE-2025-12198 from that Chinese site on a version more recent than rusty? It wants a signup with a mainland China phone number, and I only have a Taiwanese fax machine.

The affected version 2.73rc6 is quite interesting, because it is from 2015, and it is not the version the relevant code was introduced in, that is even older (guessing 2.62). Why fuzz some random release candidate from ten years ago?

Even more interesting, v2.77 from 2017 (commits 5614413 and 2282787 to be precise) changed the code and added an (++i == maxlen) check at the place that is being highlighted by CVE-2025-12198 as lacking an (i < maxlen) check. The commit message says it fixed a crash and thanks a friend for fuzzing the config file.

Now I am not well versed in heap smashing with C, so don't confuse my lack of skill with an expert opinion, but I have a hard time understanding how that check is circumvented in recent versions of the code. Any explanation would be welcome.

But more than that, someone should verify if this PoC works in recent versions. As a prerequisite it should be shared internationally.
