Bug 2358118 (CVE-2025-3406) - CVE-2025-3406 stb: Nothings stb Header Array out-of-bounds read
Summary: CVE-2025-3406 stb: Nothings stb Header Array out-of-bounds read
Keywords:
Status: NEW
Alias: CVE-2025-3406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2358172 2358173 2358174 2358175 2358176 2358177
Blocks:
Reported: 2025-04-08 04:01 UTC by OSIDB Bzimport
Modified: 2025-04-08 10:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-08 04:01:07 UTC
A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bounds read. It is possible to launch the attack remotely. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Comment 2 Ben Beasley 2025-04-08 10:04:14 UTC
http://nvd.nist.gov/vuln/detail/CVE-2025-3406

The CVE contains little detail and no suggested mitigation.

It is easy to see how an incorrect image-width argument w to the function stbhw_build_tileset_from_image could result in an out-of-bounds read in the data buffer, but an API user only supplies the buffer size indirectly via the w and h arguments, so it’s incumbent on the API user to make sure they are sane – there is nothing that can be done within stbhw_build_tileset_from_image to further validate them.

I am inclined to suggest that this CVE is invalid: the API user must provide a consistent width, height, and data buffer. We don’t say that memcpy() is vulnerable because an API user could pass it the wrong size argument n.
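
The caller-side consistency check that Comment 2 describes as the API user's responsibility, sketched as an added example (not part of the bug report and not stb's code). It assumes packed 3-byte RGB pixels and a row stride given in bytes; `image_args_consistent` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 3 bytes per pixel (packed RGB); adjust if the layout differs. */
#define BYTES_PER_PIXEL 3u

/*
 * Hypothetical caller-side helper: returns 1 when a buffer of buf_len bytes
 * really holds a w x h image with the given row stride, otherwise 0.
 * Every multiplication is overflow-checked so a huge w or h cannot wrap
 * around to a small "needed" size and slip past the comparison.
 */
int image_args_consistent(size_t buf_len, int stride_in_bytes, int w, int h)
{
    if (w <= 0 || h <= 0 || stride_in_bytes <= 0)
        return 0;

    size_t width = (size_t)w, height = (size_t)h;
    size_t stride = (size_t)stride_in_bytes;

    /* One row of pixels must fit inside the stride. */
    if (width > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    size_t row_bytes = width * BYTES_PER_PIXEL;
    if (row_bytes > stride)
        return 0;

    /* The last byte read sits at (h - 1) * stride + row_bytes. */
    if (height - 1 > (SIZE_MAX - row_bytes) / stride)
        return 0;
    size_t needed = (height - 1) * stride + row_bytes;

    return needed <= buf_len;
}

int main(void)
{
    /* Constructed sample: a 4x4 RGB image, tightly packed (stride = 12). */
    unsigned char pixels[4 * 4 * 3] = {0};

    /* Only when this prints "ok" would the buffer, stride, w and h be
       handed on to the tileset builder. */
    puts(image_args_consistent(sizeof pixels, 12, 4, 4) ? "ok" : "reject");
    /* A width that does not match the buffer is refused before any read. */
    puts(image_args_consistent(sizeof pixels, 12, 64, 4) ? "ok" : "reject");
    return 0;
}
```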

