Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

**Description**

heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    
    # You need to try running poc several times to see the asan result.
    ./dec265/dec265 ./poc
    

**ASAN**

    =================================================================
    ==3684026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000658 at pc 0x5621bef6c512 bp 0x7ffe781d0d70 sp 0x7ffe781d0d60
    READ of size 4 at 0x61b000000658 thread T0
        #0 0x5621bef6c511 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int) eva/put/libde265/libde265/motion.cc:1443
        #1 0x5621bef6d403 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1564
        #2 0x5621bef8da6a in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1622
        #3 0x5621bef8da6a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:2112
        #4 0x5621bef8da6a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/motion.cc:2195
        #5 0x5621bee53806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/slice.cc:4145
        #6 0x5621bee5d5ff in read_coding_unit(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4513
        #7 0x5621bee61e7f in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4647
        #8 0x5621bee61df6 in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4644
        #9 0x5621bee64696 in decode_substream(thread_context*, bool, bool) eva/put/libde265/libde265/slice.cc:4750
        #10 0x5621bee6afc9 in read_slice_segment_data(thread_context*) eva/put/libde265/libde265/slice.cc:5063
        #11 0x5621bed2d8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:854
        #12 0x5621bed34e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:956
        #13 0x5621bed387eb in decoder_context::decode_some(bool*) eva/put/libde265/libde265/decctx.cc:741
        #14 0x5621bed4a57a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:699
        #15 0x5621bed4c645 in decoder_context::decode_NAL(NAL_unit*) eva/put/libde265/libde265/decctx.cc:1241
        #16 0x5621bed4d508 in decoder_context::decode(int*) eva/put/libde265/libde265/decctx.cc:1329
        #17 0x5621bed0746c in main eva/put/libde265/dec265/dec265.cc:784
        #18 0x7f2636829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #19 0x7f2636829e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #20 0x5621bed09ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
    
    0x61b000000658 is located 80 bytes to the right of 1416-byte region [0x61b000000080,0x61b000000608)
    allocated by thread T0 here:
        #0 0x7f26370b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
        #1 0x5621bed48f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:635
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49467: heap-buffer-overflow `libde265/libde265/motion.cc:1443` in `derive_combined_bipredictive_merging_candidates` · Issue #434 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

**Description**

global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    ./dec265/dec265 ./poc
    

**ASAN**

    ==1753516==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e8318665e at pc 0x7f6e83139f09 bp 0x7fffda7f3620 sp 0x7fffda7f3610
    READ of size 1 at 0x7f6e8318665e thread T0
        #0 0x7f6e83139f08 in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4493
        #1 0x7f6e8313abda in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #2 0x7f6e8313b941 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
        #3 0x7f6e8313d29d in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
        #4 0x7f6e830ca881 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
        #5 0x7f6e830cca4d in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
        #6 0x7f6e830ccfe5 in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
        #7 0x7f6e830d4ec2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
        #8 0x7f6e830d5a4d in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
        #9 0x7f6e830d6308 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
        #10 0x55b9a8c5fd26 in main libde265/dec265/dec265.cc:784
        #11 0x7f6e81e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7f6e81e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x55b9a8c60ca4 in _start (libde265/dec265/.libs/dec265+0x5ca4)
    
    0x7f6e8318665e is located 14 bytes to the right of global variable 'ctxIdxMap' defined in 'slice.cc:1964:22' (0x7f6e83186640) of size 16
    SUMMARY: AddressSanitizer: global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0fee50628c70: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 01 f9 f9
      0x0fee50628c80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 01
      0x0fee50628c90: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
      0x0fee50628ca0: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 00 00 00 02
      0x0fee50628cb0: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
    =>0x0fee50628cc0: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]f9 f9 f9 f9
      0x0fee50628cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1753516==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49468: global-buffer-overflow in read_coding_unit · Issue #432 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.

**Description**

heap-buffer-overflow libde265/libde265/motion.cc:1860 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    
    # You need to try running poc several times to see the asan result.
    ./dec265/dec265 ./poc
    

**ASAN**

    ==1982966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001b10 at pc 0x56501e786954 bp 0x7ffc66164680 sp 0x7ffc66164670
    READ of size 4 at 0x61b000001b10 thread T0
        #0 0x56501e786953 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) libde265/libde265/motion.cc:1860
        #1 0x56501e787950 in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) libde265/libde265/motion.cc:1990
        #2 0x56501e79c58a in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) libde265/libde265/motion.cc:2063
        #3 0x56501e79c58a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) libde265/libde265/motion.cc:2155
        #4 0x56501e79c58a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) libde265/libde265/motion.cc:2195
        #5 0x56501e662806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) libde265/libde265/slice.cc:4145
        #6 0x56501e66c4cb in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4506
        #7 0x56501e670f59 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #8 0x56501e670df6 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4644
        #9 0x56501e670f59 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #10 0x56501e673696 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
        #11 0x56501e679fc9 in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
        #12 0x56501e53c8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
        #13 0x56501e543e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
        #14 0x56501e5477eb in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
        #15 0x56501e55957a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
        #16 0x56501e55b645 in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
        #17 0x56501e55c508 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
        #18 0x56501e51646c in main libde265/dec265/dec265.cc:784
        #19 0x7fd4aa229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #20 0x7fd4aa229e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #21 0x56501e518ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
    
    0x61b000001b10 is located 8 bytes to the right of 1416-byte region [0x61b000001580,0x61b000001b08)
    allocated by thread T0 here:
        #0 0x7fd4aaab61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
        #1 0x56501e557f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:635
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow libde265/libde265/motion.cc:1860 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49465: heap-buffer-overflow `libde265/libde265/motion.cc:1860` in `derive_spatial_luma_vector_prediction` · Issue #435 · strukturag/libde265


The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious javascript code during a user's session.






CVE-2023-6333

Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authenticated attackers to extract sensitive files in the host machine.

Expand Up

@@ -178,6 +178,21 @@ describe('camera controller test', () => {

);

await chaiAssert.isRejected(promise, 'Invalid filename');

});

it('should return 400, bad request, invalid filename', async () \=> {

const rtspCameraController \= RtspCameraController(gladys, rtspCameraService);

const req \= {

params: {

folder: 'camera-1',

file: '\`index1.tslala',

},

};

const resWriteStream \= {};

const promise \= rtspCameraController\['get /api/v1/service/rtsp-camera/camera/streaming/:folder/:file'\].controller(

req,

resWriteStream,

);

await chaiAssert.isRejected(promise, 'Invalid filename');

});

it('should return 400, bad request, invalid session id', async () \=> {

const rtspCameraController \= RtspCameraController(gladys, rtspCameraService);

const req \= {

Expand Down

CVE-2023-47440: Update HLS chunk regex by Pierre-Gilles · Pull Request #1918 · GladysAssistant/Gladys

gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_resolve_url media_tools/mpd.c:4589.

1、Version  
./MP4Box -version  
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master  
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/

Please cite our work in your research:  
GPAC Filters: https://doi.org/10.1145/3339825.3394929  
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_LINUX\_DVB GPAC\_DISABLE\_3D

2、ASAN Log  
\[DASH\] Updated manifest:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Manifest after update:  
P#1: start 0 - duration 0 - xlink none  
\[DASH\] Setting up period start 0 duration 0 xlink none ID DID1  
\[DASH\] Cannot compute default segment duration  
\[DASH\] AS#1 changed quality to bitrate 10 kbps - Width 1280 Height 720 FPS 30/1 (playback speed 1)  
\[DASH\] AS#2 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#3 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#4 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#5 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)  
\[DASH\] AS#6 changed quality to bitrate 120 kbps - Width 384 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#7 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] AS#8 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] Segment duration unknown - cannot estimate current startNumber  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] No ROUTE entity on HTTP request  
\[DASH\] AST at init 1621274304781  
\[DASH\] At current time 78824071088 ms: Initializing Timeline: startNumber=1 segmentNumber=78824071 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.88241e+07)  
\[DASH\] Unable to resolve initialization URL: Bad Parameter  
Filter dashin failed to setup: Bad Parameter  
Filters not connected:  
fout (dst=crash24\_dash.mpd:gpac:segdur=10000/1000:profile=full:!sap:buf=1500:!check\_dur:pssh=v:subs\_sidx=0) (idx=1)  
Arg segdur set but not used  
Arg profile set but not used  
Arg !sap set but not used  
Arg buf set but not used  
Arg !check\_dur set but not used  
Arg pssh set but not used  
Arg subs\_sidx set but not used  
Error DASHing file: Bad Parameter

\=================================================================  
\==3766==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 50 byte(s) in 1 object(s) allocated from:  
#0 0x7f8f1245b9a7 in \_\_interceptor\_strdup ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:454  
#1 0x7f8f112d489f in gf\_mpd\_resolve\_url media\_tools/mpd.c:4589  
#2 0x7f8f11303e24 in gf\_dash\_resolve\_url media\_tools/dash\_client.c:3447

SUMMARY: AddressSanitizer: 50 byte(s) leaked in 1 allocation(s).

3、Reproduction  
./MP4Box -dash 10000 $poc

4、poc  
crash24.zip

5、Impact  
This vulnerability is capable of causing crashes, or lead to dos.

6、 Env  
Linux dr0v-virtual-machine 6.2.0-36-generic #37 SMP PREEMPT\_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86\_64 x86\_64 x86\_64 GNU/Linux  
AFL++ 4.09a

7、Credit  
dr0v

CVE-2023-48958: LeakSanitizer: detected memory leaks in in gf_mpd_resolve_url media_tools/mpd.c:4589 · Issue #2689 · gpac/gpac

Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formAdvancedSetListSet.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49404: TENDA/w30e/tenda_w30e_setAdvancedSetList/w30e_setAdvancedSetList.md at main · GD008/TENDA

Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function UploadCfg.

CVE-2023-49405: TENDA/w30e/tenda_w30e_UploadCfg/w30e_UploadCfg.md at main · GD008/TENDA

Tenda W30E V16.01.0.12(4843) was discovered to contain a Command Execution vulnerability via the function /goform/telnet.

CVE-2023-49406: TENDA/w30e/tenda_w30e_telnet/w30e_telnet.md at main · GD008/TENDA

A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information.

**Ultimate Building Blocks for Data Center Acceleration**

Construct Your Tailored AI Solutions from the Largest NVIDIA MGX™ Systems Portfolio

**Empowering the Future of Content Production**

Supermicro and AMD Solutions Help Studios and Filmmakers Bring Magic to Life

**Accelerate Everything AI**

Introducing GPU Acceleration for a Complete Range of Enterprise Workloads

**New Generation**

Supermicro’s 15+ Server Families Will Support the Upcoming 5th Gen Intel® Xeon® Processors (Formerly Codenamed Emerald Rapids)

**Webinar Accelerate Everything  
in the Data Center  
and at the Edge**

A conversation about fast cars and faster servers with Timothy Prickett Morgan, Supermicro, and Intel®

**Open Storage Summit ’23**

Developing storage solutions to meet the demands of AI, HPC and data-intensive workloads

Starting from August 15th

**Rack Scale Solutions**

Accelerated Time-To-Delivery of Plug and Play Racks with Proven Quality and Reliability

**SuperBlade®**

Highest Performance with Advanced Networking and NVMe

**Twin Family**

Enterprise Optimized Hyper-Converged Infrastructure

**5G, IoT & Edge Computing**

Connecting the Intelligent World from Devices to the Cloud

**GPU Systems**

AI / Deep Learning and HPC Optimized Servers

**All-Flash EDSFF Storage**

Cloud-Density Storage Systems Optimized For Software-Defined Data Centers

**A+ Solutions (AMD EPYC™)**

Broadest Portfolio Optimized to Deliver Superior Performance

**Building Blocks**

Industry’s broadest selection of high quality hardware for fully application optimized server, storage, embedded/IoT, and workstation solutions

**Made in Silicon Valley**

The Wall Street Journal Conversation with Charles Liang, Founder, President & CEO, Supermicro and Ramin Beheshti, Former Chief Product & Technology Officer, Dow Jones

Watch Video

**JumpStart: Free Bare Metal Access to Supermicro Servers with the latest Intel® and AMD™ Processors**

**COMPUTEX ’23 Keynote: Charles Liang with Special Guest Jensen Huang**

**Rakuten Symphony – Powered by Supermicro 5G Systems**

**Rack Scale Plug and Play Solutions from Supermicro**

**Supermicro 5G Edge Solutions Empowering the Deskless Workforce with Taqtile and Intel**

**Data Center Refresh and Expansion**

**How On-Premises Deployment Can Overcome Six Critical AI Challenges**

**Harness the Power of AI with Supermicro and NVIDIA Omniverse Enterprise**

**A Journey to Make High-End Cloud Gaming Faster, More Secure & More Accessible**

Click here to use Legacy Supermicro.com Site

Source

CVE