High severity · NVD Advisory · Published Jul 22, 2020 · Updated Aug 4, 2024

CVE-2020-15904

Description

A heap buffer overflow in bsdiff4 before 1.2.0 allows remote attackers to write out-of-bounds memory via a crafted patch file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-15904 is a heap buffer overflow vulnerability discovered in the patching routine of the bsdiff4 library, affecting versions prior to 1.2.0 [1]. The root cause is a lack of bounds checking when processing patch file data, which can lead to writes beyond the allocated memory boundaries [1][2].
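An added example, not bsdiff4's own code: a minimal C sketch of a bsdiff-style patch loop that validates each control tuple against the space left in every buffer before it writes. The names `struct ctrl`, `fits` and `apply_patch`, and the decision to reject reads outside the old data, are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* One bsdiff control tuple: add x diff bytes, copy y extra bytes, seek old by z. */
struct ctrl { long long x, y, z; };

/* True when n bytes can be consumed at offset pos of a len-byte buffer.
 * Compares n with the space left, so no sum is formed that could wrap. */
static int fits(long long n, size_t pos, size_t len)
{
    return n >= 0 && pos <= len && (unsigned long long)n <= len - pos;
}

/* Applies nctrl tuples; returns 0 on success, -1 for a corrupt patch.
 * Assumption of this sketch: reads outside the old data are rejected. */
int apply_patch(const unsigned char *old, size_t old_len,
                const struct ctrl *c, size_t nctrl,
                const unsigned char *diff, size_t diff_len,
                const unsigned char *extra, size_t extra_len,
                unsigned char *out, size_t out_len)
{
    size_t newpos = 0, dpos = 0, epos = 0;
    long long oldpos = 0;

    for (size_t i = 0; i < nctrl; i++) {
        long long x = c[i].x, y = c[i].y, z = c[i].z;
        /* Diff step: validate every buffer it touches before writing. */
        if (oldpos < 0 || (unsigned long long)oldpos > old_len ||
            !fits(x, (size_t)oldpos, old_len) ||
            !fits(x, newpos, out_len) || !fits(x, dpos, diff_len))
            return -1;
        for (size_t j = 0; j < (size_t)x; j++)
            out[newpos + j] = (unsigned char)(diff[dpos + j] + old[(size_t)oldpos + j]);
        newpos += (size_t)x; dpos += (size_t)x; oldpos += x;

        /* Extra step: checked against newpos after the diff step advanced it. */
        if (!fits(y, newpos, out_len) || !fits(y, epos, extra_len))
            return -1;
        memcpy(out + newpos, extra + epos, (size_t)y);
        newpos += (size_t)y; epos += (size_t)y;

        if (z > LLONG_MAX - oldpos)   /* oldpos >= 0 here, so this cannot wrap */
            return -1;
        oldpos += z;
    }
    return newpos == out_len ? 0 : -1;
}
```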

Exploitation

An attacker can trigger the overflow by supplying a specially crafted patch file to an application using the vulnerable bsdiff4 library [1]. The attack does not require any special privileges—the victim would simply need to apply the malicious patch file using the affected software [1].

Impact

Successful exploitation allows an attacker to write arbitrary data to heap memory outside the allocated buffer, potentially leading to memory corruption [1]. This could be leveraged to achieve arbitrary code execution or cause denial of service [4]. The vulnerability is rated with a CVSS score of 9.8, indicating critical severity [1].

Mitigation

The issue has been fixed in bsdiff4 version 1.2.0 [2][3]. Users should update to this version or later to mitigate the risk. No workarounds are documented; applying patches only from trusted sources is a general security best practice.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bsdiff4 (PyPI)
Affected versions: < 1.2.0
Patched versions: 1.2.0

Patches

49a4cee2feef

apply patch from Robert Scott to fix - shifting some bounds checking

https://github.com/ilanschnell/bsdiff4 · Ilan Schnell · Jul 14, 2020 · via ghsa
1 file changed · +7 -2
  • bsdiff4/core.c · +7 -2 · modified
    @@ -431,8 +431,7 @@ static PyObject* patch(PyObject* self, PyObject* args)
             y = PyLong_AsLong(PyTuple_GET_ITEM(tuple, 1));
             z = PyLong_AsLong(PyTuple_GET_ITEM(tuple, 2));
             if (newpos + x > newDataLength ||
    -                diffPtr + x > diffBlock + diffBlockLength ||
    -                extraPtr + y > extraBlock + extraBlockLength) {
    +                diffPtr + x > diffBlock + diffBlockLength) {
                 PyMem_Free(newData);
                 PyErr_SetString(PyExc_ValueError, "corrupt patch (overflow)");
                 return NULL;
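Review bot: the condition kept here still tests sums, `newpos + x > newDataLength` and `diffPtr + x > diffBlock + diffBlockLength`, and nothing in the lines shown rejects a negative value first. The values come from PyLong_AsLong, which returns -1 on a conversion error, and a large or negative x makes the integer sum wrap or the pointer sum leave the buffer before the comparison happens. Suggest comparing against the space left instead, for example `x < 0 || x > newDataLength - newpos || x > diffBlock + diffBlockLength - diffPtr`, and checking PyErr_Occurred() after the conversions.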
    @@ -444,6 +443,12 @@ static PyObject* patch(PyObject* self, PyObject* args)
                     newData[newpos + j] += origData[oldpos + j];
             newpos += x;
             oldpos += x;
    +        if (newpos + y > newDataLength ||
    +                extraPtr + y > extraBlock + extraBlockLength) {
    +            PyMem_Free(newData);
    +            PyErr_SetString(PyExc_ValueError, "corrupt patch (overflow)");
    +            return NULL;
    +        }
             memcpy(newData + newpos, extraPtr, y);
             extraPtr += y;
             newpos += y;
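Review bot: the added check in front of `memcpy(newData + newpos, extraPtr, y)` bounds y from above only; in the lines shown a negative y passes both comparisons and is then converted to a very large size_t length. Suggest adding `y < 0 ||` to the condition and writing the bounds as `y > newDataLength - newpos` so the sum cannot wrap. The three-line cleanup (PyMem_Free, PyErr_SetString, return NULL) is now duplicated from the first check; a shared error label would keep the two paths from drifting apart. A short comment stating that the test has to run after `newpos += x` would also document why it was moved.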
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
