Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code

Several buffer overflow vulnerabilities have been discovered in Notepad++ that threat actors could exploit for malicious purposes. Their severities range from 5.5 (Medium) to 7.8 (High).

The vulnerabilities are heap and global buffer overflows (both write and read) in functions and libraries used by the Notepad++ software, and were identified by GitLab security researcher Jaroslav Lobačevski (@JarLob).

Notepad++ is an open-source C++-based source code editor that runs on Microsoft Windows on x86, x64, and AArch64 architectures. Notepad++ supports tabbed editing and allows working with multiple files in a single window. It was developed by Don Ho.

Notepad++ has not yet patched these vulnerabilities. However, in line with its coordinated disclosure policy, GitLab has published the vulnerabilities along with proof-of-concept files.

CVE(s):

CVE-2023-40031: Heap buffer write overflow in Utf8_16_Read::convert

Notepad++ uses a function called Utf8_16_Read::convert, which converts UTF-16 to UTF-8 encoding. The flaw is that it assumes every two bytes of UTF-16 input need three bytes of UTF-8 output and sizes its buffer accordingly. When the input chunk has an odd length, such as 9 bytes, this calculation no longer matches what the conversion actually writes, resulting in a heap buffer write overflow.
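
As an added illustration, not Notepad++'s code and not the GitLab proof of concept, the following C converter shows the sizing and bounds handling the description above calls for: every read is guarded by the input length, every write by the output capacity, and an odd trailing byte is carried into the next chunk rather than processed. The function names and the sample 9-byte chunk are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked UTF-16LE -> UTF-8 chunk converter (not
 * Utf8_16_Read::convert). Returns the number of UTF-8 bytes written, or
 * (size_t)-1 if the output would not fit in outCap. *leftover receives the
 * number of trailing input bytes (0..3) that did not form a complete character
 * and must be prepended to the next chunk. No read goes past inLen and no
 * write goes past outCap, whatever the chunk length. */
static size_t utf16le_chunk_to_utf8(const uint8_t *in, size_t inLen,
                                    uint8_t *out, size_t outCap,
                                    size_t *leftover)
{
    size_t i = 0, o = 0;
    while (i + 1 < inLen) {                 /* a code unit needs two bytes */
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        size_t used = 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) { /* high surrogate: need the low half */
            if (i + 3 >= inLen) break;      /* pair split across chunks: carry it */
            uint32_t lo = in[i + 2] | ((uint32_t)in[i + 3] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                used = 4;
            } else {
                cp = 0xFFFD;                /* unpaired surrogate -> U+FFFD */
            }
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            cp = 0xFFFD;
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need > outCap)              /* the check a fixed 2:3 sizing skips */
            return (size_t)-1;
        if (need == 1) {
            out[o] = (uint8_t)cp;
        } else if (need == 2) {
            out[o]     = (uint8_t)(0xC0 | (cp >> 6));
            out[o + 1] = (uint8_t)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            out[o]     = (uint8_t)(0xE0 | (cp >> 12));
            out[o + 1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            out[o + 2] = (uint8_t)(0x80 | (cp & 0x3F));
        } else {
            out[o]     = (uint8_t)(0xF0 | (cp >> 18));
            out[o + 1] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
            out[o + 2] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            out[o + 3] = (uint8_t)(0x80 | (cp & 0x3F));
        }
        i += used;
        o += need;
    }
    *leftover = inLen - i;
    return o;
}

/* Constructed 9-byte chunk: "Hi", U+00E9, U+20AC in UTF-16LE, then one stray
 * byte that belongs to the next chunk. Expected UTF-8 output is 7 bytes. */
static const uint8_t ODD_CHUNK[9] = { 'H', 0, 'i', 0, 0xE9, 0, 0xAC, 0x20, 0x41 };
static const uint8_t ODD_CHUNK_UTF8[7] = { 'H', 'i', 0xC3, 0xA9, 0xE2, 0x82, 0xAC };

/* 1 if the odd-length chunk converts to the expected bytes and reports
 * exactly one carried-over byte. The output buffer is the (9 / 2) * 3 = 12
 * bytes that a "three per two" sizing would allocate. */
static int odd_chunk_check(void)
{
    uint8_t out[12];
    size_t left = 0;
    size_t n = utf16le_chunk_to_utf8(ODD_CHUNK, sizeof ODD_CHUNK, out, sizeof out, &left);
    return n == 7 && left == 1 && memcmp(out, ODD_CHUNK_UTF8, 7) == 0;
}

/* 1 if an undersized output buffer is refused instead of overrun. */
static int small_output_refused(void)
{
    uint8_t out[6];
    size_t left = 0;
    return utf16le_chunk_to_utf8(ODD_CHUNK, sizeof ODD_CHUNK, out, sizeof out, &left) == (size_t)-1;
}

/* 1 if U+1F600 (D83D DE00) becomes the 4-byte sequence and a pair cut off at
 * the chunk end is carried over rather than read past inLen. */
static int surrogate_pair_check(void)
{
    const uint8_t pair[4] = { 0x3D, 0xD8, 0x00, 0xDE };
    const uint8_t want[4] = { 0xF0, 0x9F, 0x98, 0x80 };
    uint8_t out[8];
    size_t left = 0;
    size_t n = utf16le_chunk_to_utf8(pair, 4, out, sizeof out, &left);
    if (n != 4 || left != 0 || memcmp(out, want, 4) != 0) return 0;
    n = utf16le_chunk_to_utf8(pair, 3, out, sizeof out, &left);  /* truncated pair */
    return n == 0 && left == 3;
}

int main(void)
{
    printf("odd chunk: %s\n", odd_chunk_check() ? "ok" : "FAIL");
    printf("small output refused: %s\n", small_output_refused() ? "ok" : "FAIL");
    printf("surrogate pairs: %s\n", surrogate_pair_check() ? "ok" : "FAIL");
    return 0;
}
```

The design point is that the output capacity is checked per character at write time, so the caller's buffer-size estimate can be wrong without turning into memory corruption; the leftover count lets a chunked reader handle the odd byte at the next call instead of guessing.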

CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar

This vulnerability exists because the array index order is derived from the input and is not checked against the size of the mCharToFreqOrder buffer; a threat actor can exploit this with a specially crafted file, leading to a global buffer read overflow. The affected code is in the uchardet library that the application uses for character set detection.

CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState

Notepad++ uses a diverged copy of the uchardet library, which was found to be vulnerable to a global buffer read overflow. The array index byteCls is derived from the input and is not checked against the size of the charLenTable buffer, which a specially crafted file can exploit.

CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining

When opening a file, Notepad++ calls the function FileManager::loadFile, which allocates a fixed-size buffer, followed by FileManager::loadFileData, which loads the first block of data into that buffer.

It then calls FileManager::detectLanguageFromTextBegining to identify the content type from the beginning of the file. The flaw is that the loop in FileManager::detectLanguageFromTextBegining does not check that i + longestlength < dataLen before comparing, so it can read past the end of the buffer, resulting in a heap buffer read overflow.
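
As an added example, again not Notepad++'s code, here is a hypothetical language sniffer with the bound check the loop above lacks. The marker table, language ids and function names are invented for the illustration; the check that matters is that a marker of length n is only compared at position i when at least n bytes remain in the loaded block, so a file whose first block is shorter than the longest marker is never read past dataLen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical language ids and start-of-file markers (constructed). */
enum lang { LANG_UNKNOWN = 0, LANG_XML, LANG_PHP, LANG_SHELL, LANG_HTML };

struct marker { const char *text; size_t len; enum lang lang; };

static const struct marker MARKERS[] = {
    { "<?xml", 5, LANG_XML   },
    { "<?php", 5, LANG_PHP   },
    { "#!",    2, LANG_SHELL },
    { "<html", 5, LANG_HTML  },
};
#define MARKER_COUNT (sizeof MARKERS / sizeof MARKERS[0])

/* Scan the first block of a file for a known marker. data/dataLen describe
 * only the bytes that were actually loaded; the block may be shorter than
 * any marker. Each comparison is preceded by a remaining-length check, which
 * is finer than a single "i + longest < dataLen" bound because short markers
 * can still match near the end while long ones are skipped. */
static enum lang detect_language_from_text_beginning(const uint8_t *data, size_t dataLen)
{
    size_t limit = dataLen < 256 ? dataLen : 256;   /* inspect only the first block */
    for (size_t i = 0; i < limit; i++) {
        size_t remaining = limit - i;
        for (size_t k = 0; k < MARKER_COUNT; k++) {
            const struct marker *m = &MARKERS[k];
            if (m->len > remaining)          /* cannot fit: skip, do not read */
                continue;
            if (memcmp(data + i, m->text, m->len) == 0)
                return m->lang;
        }
    }
    return LANG_UNKNOWN;
}

/* Convenience wrapper for NUL-terminated sample input. */
static enum lang detect_cstr(const char *s)
{
    return detect_language_from_text_beginning((const uint8_t *)s, strlen(s));
}

/* Constructed block that ends mid-marker: 4 of the 5 bytes of "<?xml". A
 * loop without the remaining-length check would compare 5 bytes here. */
static const uint8_t TRUNCATED_BLOCK[4] = { '<', '?', 'x', 'm' };

int main(void)
{
    printf("xml doc:   %d\n", detect_cstr("<?xml version=\"1.0\"?>"));
    printf("script:    %d\n", detect_cstr("\n  #!/bin/sh\n"));
    printf("php later: %d\n", detect_cstr("ab<?php"));
    printf("truncated: %d\n", detect_language_from_text_beginning(TRUNCATED_BLOCK, sizeof TRUNCATED_BLOCK));
    printf("empty:     %d\n", detect_cstr(""));
    return 0;
}
```

Compiling with AddressSanitizer (-fsanitize=address) and feeding the truncated block is a quick way to confirm that the comparison never touches memory beyond the loaded bytes; dropping the remaining-length check reintroduces the out-of-bounds read the advisory describes.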

Notepad++ has not yet confirmed patches for these vulnerabilities. GitLab has published a complete report on them, which includes the proof-of-concept files, example code, and other details.
