CVE-2019-14877

2020-03-1916:15:13

Google

osv.dev

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.5%

JSON

In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not. The access to _wds and _sign will trigger a null pointer dereference bug in case of a memory allocation failure.

CPENameOperatorVersion
newlibeqcygwin-2_8_1-release
newlibeqcygwin-2_11_0-release
newlibeqnewlib-2_4_0
newlibeqcygwin-2_4_0-release
newlibeqnewlib-3.1.0
newlibeqbinu_ss_19990502
newlibeqnewlib-snapshot-20151023
newlibeqcygwin-2_5_2-release
newlibeqcygwin-2_7_0-release
newlibeqnewlib-2_3_0

Name	Operator	Version
newlib	eq	cygwin-2_8_1-release
newlib	eq	cygwin-2_11_0-release
newlib	eq	newlib-2_4_0
newlib	eq	cygwin-2_4_0-release
newlib	eq	newlib-3.1.0
newlib	eq	binu_ss_19990502
newlib	eq	newlib-snapshot-20151023
newlib	eq	cygwin-2_5_2-release
newlib	eq	cygwin-2_7_0-release
newlib	eq	newlib-2_3_0