An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JP…

A heap buffer overflow vulnerability exists in the fetch_jpg() function within xdrv_10_scripter.ino in Tasmota firmware through version 15.3.0.3. The vulnerability occurs when processing JPEG streams where the Content-Length header value exceeds 65535, causing integer overflow in a uint16_t variable. This results in allocation of a smaller buffer than the actual data being read, leading to heap corruption. Remote attackers can exploit this vulnerability to cause buffer overflow conditions. The issue affects the scripter driver component of Tasmota firmware used in IoT devices.