Headline
CVE-2022-35017: Poc/CVE-2022-35017.md at main · Cvjark/Poc
Advancecomp v2.3 was discovered to contain a heap buffer overflow.
=================================================================
==95486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f1 at pc 0x000000549906 bp 0x7ffc1e70ea10 sp 0x7ffc1e70ea08
READ of size 16 at 0x6020000000f1 thread T0
#0 0x549905 in mng_delta_addition /home/bupt/Desktop/advancecomp/lib/mng.c:406:13
#1 0x5446c7 in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:550:4
#2 0x5446c7 in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
#3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
#4 0x5074e6 in convert_f_mng(adv_fz_struct*, adv_fz_struct*, unsigned int*, unsigned int*, adv_scroll_info_struct*, bool, bool) /home/bupt/Desktop/advancecomp/remng.cc:479:8
#5 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
#6 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
#7 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
#8 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
#9 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
#10 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
#11 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#12 0x41f289 in _start (/home/bupt/Desktop/advancecomp/advmng+0x41f289)
0x6020000000f1 is located 0 bytes to the right of 1-byte region [0x6020000000f0,0x6020000000f1)
allocated by thread T0 here:
#0 0x4b1850 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x54332a in mng_read_delta /home/bupt/Desktop/advancecomp/lib/mng.c:455:18
#2 0x54332a in mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:656:9
#3 0x5418da in adv_mng_read /home/bupt/Desktop/advancecomp/lib/mng.c:748:9
#4 0x4fbd7d in convert_mng(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:593:3
#5 0x4fc3dd in convert_mng_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/advancecomp/remng.cc:614:3
#6 0x4ffc08 in remng_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/bupt/Desktop/advancecomp/remng.cc:950:4
#7 0x50b705 in remng_all(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:985:3
#8 0x5102d4 in process(int, char**) /home/bupt/Desktop/advancecomp/remng.cc:1249:3
#9 0x511a98 in main /home/bupt/Desktop/advancecomp/remng.cc:1268:3
#10 0x7f3b95b0ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_addition
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 01 fa
=>0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fd fa fa[01]fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==95486==ABORTING
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/advancecomp/lib/mng.c:406:13 in mng_delta_additionRelated news
Ubuntu Security Notice USN-5838-1
Ubuntu Security Notice 5838-1 - It was discovered that AdvanceCOMP did not properly manage memory while performing read operations on MNG file. If a user were tricked into opening a specially crafted MNG file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service. It was discovered that AdvanceCOMP did not properly manage memory while performing read operations on ZIP file. If a user were tricked into opening a specially crafted ZIP file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service.