An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service.

POC:  
zip\_poc.zip

There exisits one invalid memroy access issue in zzip\_disk\_entry\_to\_file\_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. This bug can be triggered by the executable unzzip-mem.

$ unzzip-mem $poc

**ASAN:SIGSEGV**

\==8254==ERROR: AddressSanitizer: SEGV on unknown address 0x1772507f (pc 0xb772ff16 sp 0xbfce6a10 bp 0x0101db82 T0)  
#0 0xb772ff15 in zzip\_disk\_entry\_to\_file\_header /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272  
#1 0xb77390d8 in zzip\_mem\_entry\_new /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:201  
#2 0xb77390d8 in zzip\_mem\_disk\_load /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:160  
#3 0xb77386c7 in zzip\_mem\_disk\_open /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:94  
#4 0x80ce02e in unzzip\_cat /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:72  
#5 0x80d0fae in unzzip\_extract /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:143  
#6 0x80cd5f0 in main /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzip.c:187  
#7 0xb74d7af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)  
#8 0x80caa74 in \_start (/home/rookie/asan/zziplib-master/build/bin/unzzip-mem+0x80caa74)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272 zzip\_disk\_entry\_to\_file\_header  
\==8254==ABORTING

CVE-2020-18770: one invalid memroy access issue in zzip_disk_entry_to_file_header in mmapped.c · Issue #69 · gdraheim/zziplib

Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.

poc

**0x00 Introduction**

In exempi 2.5.0, I found a heap-based buffer over-read bug in function ID3\_Support::ID3v2Frame::getFrameValue, the ASAN report is as below.

    liwc@ubuntu:~/exempi-master_asan/exempi$ ./exempi -x poc
    processing file poc
    dump_xmp for file poc
    =================================================================
    ==79549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed1 at pc 0x0000004be2ae bp 0x7fffc062ec30 sp 0x7fffc062ec20
    READ of size 4 at 0x60200000eed1 thread T0
        #0 0x4be2ad in GetUns32BE ../../../source/EndianUtils.hpp:152
        #1 0x4c2256 in ID3_Support::ID3v2Frame::getFrameValue(unsigned char, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:702
        #2 0x4de2a0 in MP3_MetaHandler::ProcessXMP() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:334
        #3 0x48aafd in XMPFiles::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, char const**, unsigned int*, XMP_PacketInfo*) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1471
        #4 0x47fac8 in WXMPFiles_GetXMP_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:331
        #5 0x41e353 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, XMP_PacketInfo*) (/home/liwc/exempi-master_asan/exempi/exempi+0x41e353)
        #6 0x40c0f1 in xmp_files_get_new_xmp /home/liwc/exempi-master/exempi/exempi.cpp:346
        #7 0x408d07 in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:244
        #8 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #9 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #10 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #11 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #12 0x407a58 in _start (/home/liwc/exempi-master_asan/exempi/exempi+0x407a58)
    
    0x60200000eed3 is located 0 bytes to the right of 3-byte region [0x60200000eed0,0x60200000eed3)
    allocated by thread T0 here:
        #0 0x7f7b7c53b712 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99712)
        #1 0x4c10c6 in ID3_Support::ID3v2Frame::read(XMP_IO*, unsigned char) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:579
        #2 0x4dd4ae in MP3_MetaHandler::CacheFileData() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:220
        #3 0x48874f in DoOpenFile /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1076
        #4 0x488f8a in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1179
        #5 0x47e415 in WXMPFiles_OpenFile_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:233
        #6 0x41dab4 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/home/liwc/exempi-master_asan/exempi/exempi+0x41dab4)
        #7 0x40bd79 in xmp_files_open_new /home/liwc/exempi-master/exempi/exempi.cpp:294
        #8 0x408ccb in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:242
        #9 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #10 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #11 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #12 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../source/EndianUtils.hpp:152 GetUns32BE
    Shadow bytes around the buggy address:
      0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
      0x0c047fff9dc0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
    =>0x0c047fff9dd0: fa fa 01 fa fa fa 04 fa fa fa[03]fa fa fa 03 fa
      0x0c047fff9de0: fa fa 00 04 fa fa 05 fa fa fa 00 04 fa fa fd fd
      0x0c047fff9df0: fa fa 00 05 fa fa fd fa fa fa 05 fa fa fa 00 00
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==79549==ABORTING

**0x01 Analysis**

I debugged the poc with gdb so that I found the key of this issue.

    bool ID3v2Frame::getFrameValue ( XMP_Uns8 /*majorVersion*/, XMP_Uns32 logicalID, std::string* utf8string )
    {
    
    	XMP_Assert ( (this->content != 0) && (this->contentSize >= 0) && (this->contentSize < 20*1024*1024) );
    
    	if ( this->contentSize == 0 ) {
    		utf8string->erase();
    		return true; // ...it is "of interest", even if empty contents.
    	}
    
    	XMP_Int32 pos = 0;
    	XMP_Uns8 encByte = 0;
    	// WCOP does not have an encoding byte, for all others: use [0] as EncByte, advance pos
    	if ( logicalID != 0x57434F50 ) { // pos1
    		encByte = this->content[0];
    		pos++;
    	}
    
    	// mode specific forks, COMM or USLT
    	bool commMode = ( (logicalID == 0x434F4D4D) || (logicalID == 0x55534C54) );
    
    	switch ( encByte ) { // pos2
    
    		case 0: //ISO-8859-1, 0-terminated
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    
    			char* localPtr  = &this->content[pos];
    			size_t localLen = this->contentSize - pos;
    			ReconcileUtils::Latin1ToUTF8 ( localPtr, localLen, utf8string );
    			break;
    
    		}
    
    		case 1: // Unicode, v2.4: UTF-16 (undetermined Endianess), with BOM, terminated 0x00 00
    		case 2: // UTF-16BE without BOM, terminated 0x00 00
    		{
    			...
    		}
    
    		case 3: // UTF-8 unicode, terminated \0
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    		
    			if ( (GetUns32BE ( &this->content[pos]) & 0xFFFFFF00 ) == 0xEFBBBF00 ) { // pos3
    				pos += 3;	// swallow any BOM, just in case
    			}
    
    			utf8string->assign ( &this->content[pos], (this->contentSize - pos) );
    			break;
    		}
    
    		default:
    			XMP_Throw ( "unknown text encoding", kXMPErr_BadFileFormat ); //COULDDO assume latin-1 or utf-8 as best-effort
    			break;
    
    	}
    
    	return true;
    
    }	// ID3v2Frame::getFrameValue

At pos1, the logicalID did not equal 0x57434f50，so the if branch was satisfied and pos would incremented. Now the encByte was 0x3, the case 3 of switch statement at pos2 was satisfied. We noticed the size of heap buffer this->content was only 3 bytes and it started from 0x60200000eed0.

     →  655	 	if ( logicalID != 0x57434F50 ) {
        656	 		encByte = this->content[0];
        657	 		pos++;
        658	 	}
        659	 
        660	 	// mode specific forks, COMM or USLT
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "exempi", stopped, reason: SINGLE STEP
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    ...
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    gef➤  p logicalID 
    $1 = 0x54504f53
    gef➤  p this->content
    $2 = 0x60200000eed0 "\003\062\061"
    

Then it called the inline function GetUns32BE in EndianUtils.hpp:150 at pos3, and GetUns32BE read 4 bytes from the given addr. At this call site the given addr was 0x60200000eed1, so a 2-bytes heap-based buffer over-read happened.

We can patch this issue by check the length of this->content firstly.

**0x02 Reproduce**

    OS:Ubuntu 16.04 x86_64
    export CFLAGS="-fsanitize=address -ggdb"
    export CXXFLAGS="-fsanitize=address -ggdb"
    export LDFLAGS="-fsanitize=address -ggdb"
    sudo apt install libboost-dev
    sudo apt install libboost-test-dev
    ./autogen.sh
    ./configure --disable-shared
    make
    
    ./exampi/exempi -x POC -o out

**0x03 Discoverer**

WenChao Li of VARAS@IIE

CVE-2020-18651: A heap-based buffer over-read was found in ID3_Support.cpp (#13) · Issues · libopenraw / exempi · GitLab

A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.

Hi, there.

A Heap-buffer-overflow problem was discovered in wasm::WasmBinaryBuilder::visitBlock(wasm::Block\*) function in simple\_ast.h in /src/wasm/wasm-binary.cpp, as distributed in Binaryen 1.38.26. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./wasm-opt $POC" to reproduce the error.  
POC.zip

git log

    commit 153ba18ba99dc4dcef29a61e1e586af3df8d921d (HEAD -> master, tag: version_65, origin/master, origin/HEAD)
    Author: Alon Zakai <alonzakai@gmail.com>
    Date:   Mon Jan 28 11:32:19 2019 -0800
    
        Handle EM_ASM/EM_JS in LLVM wasm backend O0 output (#1888)
    
        See emscripten-core/emscripten#7928 - we have been optimizing all wasms until now, and noticed this when the wasm object file path did not do so. When not optimizing, our methods of handling EM_ASM and EM_JS fail since the patterns are different.
    
        Specifically, for EM_ASM we hunt for emscripten_asm_const(X, where X is a constant, but without opts it may be a get of a local. For EM_JS, the function body may not just contain a const, but a block with a set of the const and a return of a get later.
    
        This adds logic to track gets and sets in basic blocks, which is sufficient to handle this.
    

The ASAN dumps the stack trace as follows:

    =================================================================
    ==10623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000456 at pc 0x55961cae7862 bp 0x7ffd73795210 sp 0x7ffd73795200
    READ of size 1 at 0x60e000000456 thread T0
        #0 0x55961cae7861 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) /binaryen/src/wasm/wasm-binary.cpp:1805
        #1 0x55961cad63bc in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1687
        #2 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #3 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #4 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #5 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #6 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #7 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #8 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #9 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #10 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #11 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #12 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #13 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #14 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #15 0x55961caed21f in wasm::WasmBinaryBuilder::readFunctions() /binaryen/src/wasm/wasm-binary.cpp:1129
        #16 0x55961caf597f in wasm::WasmBinaryBuilder::read() /binaryen/src/wasm/wasm-binary.cpp:678
        #17 0x55961cba18f7 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:52
        #18 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #19 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #20 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #21 0x55961c77ec39 in _start (/binaryen/build/bin/wasm-opt+0x1c5c39)
    
    0x60e000000456 is located 0 bytes to the right of 150-byte region [0x60e0000003c0,0x60e000000456)
    allocated by thread T0 here:
        #0 0x7fce2a302458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
        #1 0x55961df084ef in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x55961df084ef in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/7/bits/stl_vector.h:172
        #4 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/7/bits/stl_vector.h:187
        #5 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:138
        #6 0x55961df084ef in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:297
        #7 0x55961df084ef in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption, wasm::Flags::DebugOption) /binaryen/src/support/file.cpp:42
        #8 0x55961cb9fbf2 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:44
        #9 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #10 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #11 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /binaryen/src/wasm/wasm-binary.cpp:1805 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*)
    Shadow bytes around the buggy address:
      0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8050: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==10623==ABORTING

CVE-2020-18378: Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26 · Issue #1900 · WebAssembly/binaryen

Buffer Overflow vulnerability in function H5S_close in H5S.c in HDF5 1.10.4 allows remote attackers to run arbitrary code via creation of crafted file.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-18232: PAAFS/vul2 at master · winson2004aa/PAAFS

CVE-2020-18494: PAAFS/vul12 at master · magicSwordsMan/PAAFS

Buffer Overflow vulnerability in WEBP_Support.cpp in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted webp file.

**Commit acee2894** authored Jul 27, 2019 by  **Hubert Figuiere**

Browse files

**Bug #12 - Invalid WebP cause memory overflow.**

#12

parent 53379ec2

*   Changes 1

Hide whitespace changes

Inline Side-by-side

Supports Markdown

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2020-18652: Bug #12 - Invalid WebP cause memory overflow. (acee2894) · Commits · libopenraw / exempi · GitLab

There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.

'2848?cve=title' is not a valid bug number.

Please press **Back** and try again.

CVE-2020-18768: Invalid Bug ID

Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

Heap buffer overflow vulnerability in FilePOSIX::read in File.cpp in audiofile 0.3.6 may cause denial-of-service via a crafted wav file, this bug can be triggered by the executable sfconvert.

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.  
poc.zip

$uname -a  
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86\_64 GNU/Linux

**$./sfconvert poc.wav output format wave  
asan:**

\==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38  
WRITE of size 2 at 0x61a00001f708 thread T0  
#0 0x7f64fd42ee54 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x45e54)  
#1 0x7f64fd14b8cb in FilePOSIX::read(void\*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126  
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353  
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375  
#4 0x7f64fd14ee93 in \_AFfilehandle::readS16(short\*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397  
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289  
#6 0x7f64fd171751 in WAVEFile::readInit(\_AFfilesetup\*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733  
#7 0x7f64fd18067e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356  
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#10 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#11 0x401568 in \_start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region \[0x61a00001f280,0x61a00001f708)  
allocated by thread T0 here:  
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x7f64fd14c4f1 in \_AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80  
#2 0x7f64fd18042e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337  
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#5 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??  
Shadow bytes around the buggy address:  
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c347fffbee0: 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==90086==ABORTING

CVE-2020-18781: one heap buffer overflow in FilePOSIX::read in File.cpp · Issue #56 · mpruett/audiofile

Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file.

Source

CVE