Description
An out-of-bounds read can be triggered in monero-blockchain-import when a corrupt blockchain export is imported without verifying blocks and transactions during import (--verify 0).
With a corrupt import file, the attacker fully controls the contents of buffer_block in import_from_file (blockchain_import.cpp).
Both txs and blk are taken from the bootstrap::block_package bp that is deserialized from that buffer in blockchain_import.cpp, so the attacker can set them to arbitrary values. In particular, if bp is crafted so that bp.txs.size() > bp.block.tx_hashes.size(), the for loop that indexes blk.tx_hashes by transaction position reads past the end of the vector (an out-of-bounds read).
Because there is no actual transaction behind the out-of-range entry, adding that transaction fails, and that should be the extent of the impact. Since the tool runs locally on a file the user supplies, there is no information leak.
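As an added illustration (not code from this report or from Monero), the crafted-package scenario above in a self-contained C++ sketch: a parser for a hypothetical wire format that, like the unverified import path, trusts the hash count and the transaction count independently; a loop of the same shape as the vulnerable one that counts how many iterations would index blk.tx_hashes past its end instead of performing the read; and a hardened import that rejects the package when bp.txs.size() != bp.block.tx_hashes.size() before any loop runs. The wire format, the simplified types, and the functions make_package, parse_block_package, count_oob_hash_reads and import_block_package are all assumptions made for the example; only the names block_package, txs and tx_hashes come from the report.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Simplified stand-ins for the cryptonote types the report names. Field names mirror the
// real ones (block::tx_hashes, block_package::txs); layouts and the wire format below are
// hypothetical and are not Monero's serializer.
namespace cryptonote {
  using hash = std::array<std::uint8_t, 32>;
  struct transaction { std::vector<std::uint8_t> blob; };
  struct block { std::vector<hash> tx_hashes; };
}
namespace bootstrap {
  struct block_package {
    cryptonote::block block;
    std::vector<cryptonote::transaction> txs;
  };
}

// Little-endian u32 reader with a bounds check against the end of the buffer.
static bool read_u32(const std::vector<std::uint8_t>& buf, std::size_t& pos, std::uint32_t& out) {
  if (pos > buf.size() || buf.size() - pos < 4) return false;
  out = 0;
  for (int s = 0; s < 32; s += 8) out |= static_cast<std::uint32_t>(buf[pos++]) << s;
  return true;
}

// Hypothetical wire format: u32 n_hashes, n_hashes*32 bytes, u32 n_txs, then n_txs entries
// of (u32 len, len bytes). Like the import path with --verify 0, it trusts every count it
// reads and never compares n_hashes with n_txs: that mismatch is what the attacker crafts.
bool parse_block_package(const std::vector<std::uint8_t>& buf, bootstrap::block_package& bp) {
  std::size_t pos = 0;
  std::uint32_t n_hashes = 0, n_txs = 0;
  bp = bootstrap::block_package{};
  if (!read_u32(buf, pos, n_hashes)) return false;
  for (std::uint32_t i = 0; i < n_hashes; ++i) {
    if (buf.size() - pos < 32) return false;          // truncated: stop before overreading
    cryptonote::hash h;
    std::memcpy(h.data(), buf.data() + pos, 32);
    bp.block.tx_hashes.push_back(h);
    pos += 32;
  }
  if (!read_u32(buf, pos, n_txs)) return false;
  for (std::uint32_t i = 0; i < n_txs; ++i) {
    std::uint32_t len = 0;
    if (!read_u32(buf, pos, len)) return false;
    if (buf.size() - pos < len) return false;
    cryptonote::transaction tx;
    tx.blob.assign(buf.begin() + pos, buf.begin() + pos + len);
    bp.txs.push_back(tx);
    pos += len;
  }
  return pos == buf.size();
}

// Same shape as the vulnerable loop (one tx_hashes index per entry of txs), but instead of
// dereferencing blk.tx_hashes[i] it counts the iterations that would read past the end.
std::size_t count_oob_hash_reads(const bootstrap::block_package& bp) {
  std::size_t oob = 0;
  for (std::size_t i = 0; i < bp.txs.size(); ++i)
    if (i >= bp.block.tx_hashes.size()) ++oob;        // the real loop reads blk.tx_hashes[i] here
  return oob;
}

enum class import_result { ok, tx_count_mismatch };

// Hardened import: refuse the package before any loop indexes tx_hashes by tx position.
// `stored` stands in for the database write; nothing is written when the counts disagree.
import_result import_block_package(const bootstrap::block_package& bp,
                                   std::vector<cryptonote::hash>& stored) {
  if (bp.txs.size() != bp.block.tx_hashes.size()) return import_result::tx_count_mismatch;
  for (std::size_t i = 0; i < bp.txs.size(); ++i)
    stored.push_back(bp.block.tx_hashes[i]);          // in range by the check above
  return import_result::ok;
}

// Build a package buffer with the given counts (constructed test input; hashes and tx blobs
// are filler bytes). n_txs > n_hashes reproduces the corrupt case the report describes.
std::vector<std::uint8_t> make_package(std::uint32_t n_hashes, std::uint32_t n_txs) {
  std::vector<std::uint8_t> buf;
  auto put_u32 = [&](std::uint32_t v) { for (int s = 0; s < 32; s += 8) buf.push_back((v >> s) & 0xff); };
  put_u32(n_hashes);
  for (std::uint32_t i = 0; i < n_hashes; ++i) buf.insert(buf.end(), 32, static_cast<std::uint8_t>(0xa0 + i));
  put_u32(n_txs);
  for (std::uint32_t i = 0; i < n_txs; ++i) { put_u32(4); buf.insert(buf.end(), 4, static_cast<std::uint8_t>(i)); }
  return buf;
}

int main() {
  bootstrap::block_package bp;
  if (!parse_block_package(make_package(1, 3), bp)) return 1;   // 1 hash, 3 txs: the corrupt case
  std::vector<cryptonote::hash> stored;
  std::cout << "unchecked loop would read " << count_oob_hash_reads(bp) << " hashes past the end\n";
  std::cout << "hardened import: "
            << (import_block_package(bp, stored) == import_result::ok ? "ok" : "rejected") << "\n";
  return 0;
}
```

The check in import_block_package is strict equality rather than only `txs.size() > tx_hashes.size()`: a package with fewer transactions than hashes does not overrun the vector, but it is just as inconsistent, and rejecting both cases up front keeps the later loops free of any per-iteration bounds reasoning.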
BVSS:1.1/B:N/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:L/AI:N