An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a heap overflow of 1 element. The overflow is within the same structure, so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
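
The off-by-one bound described above, shown beside the corrected check. This is an added example, a simplified model and not Squid's source. The names `ctx_model`, `STACK_LIMIT`, `push_off_by_one`, `push_checked` and `run` are hypothetical, and the `>` versus `>=` form of the check is an assumption about the shape of the bug.

```c
#include <stddef.h>
#include <stdio.h>

#define STACK_LIMIT 4        /* constructed capacity, not Squid's value */
#define CANARY      0x5AFEu  /* marks the member that follows the stack */

/* Simplified model of a context embedding a fixed-size element stack.
 * slots[STACK_LIMIT] stands in for the next member of the same structure,
 * so the one-element overflow stays inside this array and is well defined. */
struct ctx_model {
    unsigned slots[STACK_LIMIT + 1];
    size_t   depth;
};

struct result { size_t accepted; int clobbered; };

/* Assumed shape of the bug: depth == STACK_LIMIT passes the check,
 * so one element too many is stored. */
static int push_off_by_one(struct ctx_model *c, unsigned elem) {
    if (c->depth > STACK_LIMIT) return -1;
    c->slots[c->depth++] = elem;
    return 0;
}

/* Corrected bound: valid indices are 0 .. STACK_LIMIT - 1. */
static int push_checked(struct ctx_model *c, unsigned elem) {
    if (c->depth >= STACK_LIMIT) return -1;
    c->slots[c->depth++] = elem;
    return 0;
}

/* Push n elements with the given routine; report how many were accepted
 * and whether the neighbouring member was overwritten. */
static struct result run(int (*push)(struct ctx_model *, unsigned), size_t n) {
    struct ctx_model c = { {0}, 0 };
    struct result r = { 0, 0 };
    c.slots[STACK_LIMIT] = CANARY;
    for (size_t i = 0; i < n; i++)
        if (push(&c, 0x1000u + (unsigned)i) == 0) r.accepted++;
    r.clobbered = (c.slots[STACK_LIMIT] != CANARY);
    return r;
}

int main(void) {
    struct result bad = run(push_off_by_one, 10), ok = run(push_checked, 10);
    printf("off-by-one: accepted=%zu clobbered=%d\n", bad.accepted, bad.clobbered);
    printf("checked:    accepted=%zu clobbered=%d\n", ok.accepted, ok.clobbered);
    return 0;
}
```
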
Name | Vendor | Start Version | End Version |
---|---|---|---|
Squid | Squid-cache | 3.0 (including) | 3.5.28 (including) |
Squid | Squid-cache | 4.0 (including) | 4.7 (including) |
Squid | Squid-cache | 5.0 (including) | 5.0.1 (including) |
Red Hat Enterprise Linux 8 | RedHat | squid:4-8030020200828070549.30b713e6 | * |
Squid | Ubuntu | devel | * |
Squid | Ubuntu | eoan | * |
Squid | Ubuntu | focal | * |
Squid | Ubuntu | groovy | * |
Squid | Ubuntu | hirsute | * |
Squid | Ubuntu | trusty | * |
Squid | Ubuntu | upstream | * |
Squid3 | Ubuntu | bionic | * |
Squid3 | Ubuntu | precise/esm | * |
Squid3 | Ubuntu | trusty | * |
Squid3 | Ubuntu | xenial | * |