A flaw was discovered in htmodoc 1.9.12 in function parse_paragraph in ps-pdf.cxx ,this flaw possibly allows possible code execution and a denial of service via a crafted file.

Hi,

A heap overflow was found in function parse\_paragraph() in ps-pdf.cxx at line 5015. Didn't check whether prev->data is vaild.

    ── source:ps-pdf.cxx+5015 ────
       5010	 	{
       5011	 	  break;
       5012	 	}
       5013	 	else if (prev->markup == MARKUP_NONE)
       5014	 	{
                         // ch=0x0, prev=0x00007fffffffd058  →  0x000000000098ff10
    ●→ 5015	 	  int	ch = prev->data[strlen((char *)prev->data) - 1];
       5016
       5017	 	  if (_htmlUTF8)
       5018	 	    ch = _htmlUnicode[ch];
       5019
       5020	           if (ch == 173)
    ────────────────────────────────────
    gef➤  p prev
    $1 = (tree_t *) 0x98ff10
    gef➤  p prev->data
    Cannot access memory at address 0x98ff48
    

\*\*potential fix patch \*\*

    --- ./htmldoc/ps-pdf.cxx        
    +++ ./htmldoc/ps-pdf-tryfix.cxx 
    @@ -5012,7 +5012,11 @@
            }
            else if (prev->markup == MARKUP_NONE)
            {
    -         int   ch = prev->data[strlen((char *)prev->data) - 1];
    +         int ch;
    +         if (!prev->data[0])
    +           break;
    +
    +         ch = prev->data[strlen((char *)prev->data) - 1];
    
              if (_htmlUTF8)
                ch = _htmlUnicode[ch];
    

**Version:**  
1.9.12 commit \[ee77825\]  
**Env:**  
ubuntu 20.04 x86\_64  
clang version 11.0.0

**reproduce**  
./configure  
make  
./htmldoc -f ./check.ps \[poc\]

zipped poc

**detail info**

    ==1701892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b98f at pc 0x00000055d6fd bp 0x7ffe4c987670 sp 0x7ffe4c987668
    READ of size 1 at 0x60200000b98f thread T0
        #0 0x55d6fc in parse_paragraph(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5015:13
        #1 0x586fe1 in parse_heading(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4663:3
        #2 0x511582 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4197:11
        #3 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
        #4 0x584778 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7111:5
        #5 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
        #6 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #7 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #8 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #9 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
        #10 0x584b20 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7125:9
        #11 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
        #12 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
        #13 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
        #14 0x5098a4 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:803:3
        #15 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #16 0x7fde4d9200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #17 0x41d85d in _start (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x41d85d)
    
    0x60200000b98f is located 1 bytes to the left of 2-byte region [0x60200000b990,0x60200000b992)
    allocated by thread T0 here:
        #0 0x4838e4 in strdup (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x4838e4)
        #1 0x5cba34 in insert_space(tree_str*, tree_str*) /home/chiba/htmldoc/htmldoc/htmllib.cxx:2694:28
        #2 0x5c018a in htmlReadFile /home/chiba/htmldoc/htmldoc/htmllib.cxx:959:6
        #3 0x4e3b89 in read_file(char const*, tree_str**, char const*) /home/chiba/htmldoc/htmldoc/htmldoc.cxx:2492:9
        #4 0x4dfb8f in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1177:7
        #5 0x7fde4d9200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5015:13 in parse_paragraph(tree_str*, float, float, float, float, float*, float*, int*, int)
    Shadow bytes around the buggy address:
      0x0c047fff96e0: fa fa 00 07 fa fa fd fd fa fa 06 fa fa fa 03 fa
      0x0c047fff96f0: fa fa 07 fa fa fa 03 fa fa fa 07 fa fa fa 00 02
      0x0c047fff9700: fa fa 03 fa fa fa 03 fa fa fa 05 fa fa fa 06 fa
      0x0c047fff9710: fa fa 00 fa fa fa 00 02 fa fa fd fd fa fa 04 fa
      0x0c047fff9720: fa fa 06 fa fa fa 03 fa fa fa 07 fa fa fa 03 fa
    =>0x0c047fff9730: fa[fa]02 fa fa fa 00 fa fa fa 00 07 fa fa 03 fa
      0x0c047fff9740: fa fa 03 fa fa fa 05 fa fa fa 00 03 fa fa 03 fa
      0x0c047fff9750: fa fa 03 fa fa fa 05 fa fa fa 00 04 fa fa 00 06
      0x0c047fff9760: fa fa 05 fa fa fa 00 02 fa fa 03 fa fa fa 04 fa
      0x0c047fff9770: fa fa 05 fa fa fa 00 03 fa fa 03 fa fa fa 04 fa
      0x0c047fff9780: fa fa 05 fa fa fa 00 07 fa fa fd fd fa fa 02 fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1701892==ABORTING

CVE-2021-34119: Heap-buffer-overflow in function parse_paragraph() in ps-pdf.cxx · Issue #431 · michaelrsweet/htmldoc

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.

**stack-overflow on GNU libiberty/rust-demangle.c:1024 demangle\_type**

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

binutils (Ubuntu)

Confirmed

Undecided

Unassigned

**Bug Description**

stack-overflowon GNU libiberty/rust-demangle.c:84 peek when we run  
cat /crashes/poc | ./cxxfilt  
the version : binutils(2.36)  
/crashes/poc:  
F}��.\]\]��\_RYFB1\_��z^A^R\]M�^?N�^K^\]�J^@^@^@^@^@^@^@^@���������^A^@������\]^yCo#Mo?NCgyCo7MoPggCo~NMG^P#��=^F~@c�Cqot�\_ZooSk;^\]���������������������������\]^yCo7Mo?NCgyCo7MoPggCo~NMG^P#^R�7Cg^V^A\_���^?^@^A�\_ZooSoBbg6^@g^\_�@gg��g����!T^\[

asan output:  
root@f960c0e3747a:cat /crashes/poc | ./cxxfilt  
ASAN:SIGSEGV  
\=======\=======\=======\=======\=======\=======\=======\=======\=======\==  
\==35495==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcda322ff8 (pc 0x0000006a0e3f bp 0x7ffcda323000 sp 0x7ffcda322ff0 T0)  
    #0 0x6a0e3e in peek rust-demangle.c:84  
    #1 0x6a0f96 in next rust-demangle.c:105  
    #2 0x6a478f in demangle\_type rust-demangle.c:864  
    #3 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #4 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #5 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #6 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #7 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #8 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #9 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #10 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #11 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #12 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #13 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #14 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #15 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #16 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #17 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #18 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #19 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #20 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #21 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #22 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #23 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #24 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #25 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #26 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #27 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #28 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #29 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #30 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #31 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #32 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #33 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #34 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #35 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #36 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #37 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #38 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #39 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #40 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #41 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #42 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #43 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #44 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #45 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #46 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #47 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #48 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #49 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #50 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #51 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #52 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #53 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #54 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #55 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #56 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #57 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #58 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #59 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #60 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #61 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #62 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #63 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #64 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #65 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #66 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #67 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #68 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #69 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #70 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #71 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #72 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #73 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #74 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #75 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #76 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #77 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #78 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #79 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #80 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #81 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #82 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #83 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #84 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #85 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #86 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #87 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #88 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #89 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #90 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #91 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #92 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #93 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #94 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #95 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #96 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #97 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #98 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #99 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #100 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #101 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #102 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #103 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #104 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #105 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #106 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #107 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #108 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #109 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #110 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #111 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #112 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #113 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #114 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #115 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #116 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #117 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #118 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #119 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #120 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #121 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #122 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #123 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #124 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #125 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #126 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #127 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #128 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #129 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #130 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #131 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #132 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #133 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #134 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #135 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #136 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #137 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #138 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #139 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #140 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #141 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #142 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #143 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #144 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #145 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #146 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #147 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #148 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #149 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #150 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #151 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #152 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #153 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #154 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #155 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #156 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #157 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #158 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #159 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #160 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #161 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #162 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #163 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #164 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #165 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #166 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #167 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #168 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #169 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #170 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #171 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #172 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #173 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #174 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #175 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #176 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #177 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #178 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #179 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #180 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #181 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #182 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #183 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #184 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #185 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #186 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #187 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #188 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #189 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #190 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #191 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #192 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #193 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #194 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #195 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #196 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #197 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #198 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #199 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #200 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #201 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #202 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #203 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #204 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #205 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #206 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #207 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #208 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #209 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #210 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #211 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #212 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #213 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #214 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #215 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #216 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #217 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #218 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #219 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #220 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #221 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #222 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #223 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #224 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #225 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #226 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #227 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #228 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #229 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #230 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #231 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #232 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #233 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #234 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #235 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #236 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #237 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #238 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #239 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #240 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #241 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #242 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #243 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #244 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #245 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #246 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #247 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #248 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #249 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #250 0x6a5110 in demangle\_type rust-demangle.c:1024  
    #251 0x6a5110 in demangle\_type rust-demangle.c:1024

SUMMARY: AddressSanitizer: stack-overflow rust-demangle.c:84 peek  
\==35495==ABORTING

CVE-2021-32256: Bug #1927070 “stack-overflow on GNU libiberty/rust-demangle.c:10...” : Bugs : binutils package : Ubuntu

Heap-based buffer over-read in function png_convert_4 in file pngex.cc in AdvanceMAME through 2.1.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Tickets ▾
    *   Patches
    *   Feature Requests
    *   Bugs
*   Discussion
*   Donate
*   Git ▾
    *   advancecd
    *   makebootfat

Menu ▾ ▴

Status: open

Owner: nobody

Priority: 5

Updated: 2020-08-06

Created: 2020-08-06

Private: No

**System info**

Ubuntu x86\_64, clang 6.0, advmng (latest master fcf71a)

**Command line**

./advmng -c -q -e -r -x @@

**AddressSanitizer output**

\=================================================================
\==46247\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x602000000075 at pc 0x0000004dff5d bp 0x7ffd0b37a770 sp 0x7ffd0b379f20
READ of size 260 at 0x602000000075 thread T0
    #0 0x4dff5c in \_\_asan\_memcpy /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23
    #1 0x543a90 in png\_convert\_4(unsigned int, unsigned int, unsigned int, unsigned char\*, unsigned int, unsigned char\*, unsigned int, unsigned char\*\*, unsigned int\*, unsigned int\*) /home/seviezhou/advancecomp/pngex.cc:433:4
    #2 0x52a28f in extract(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \> const&) /home/seviezhou/advancecomp/remng.cc:766:4
    #3 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #4 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #5 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #6 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291
    #7 0x41cec8 in \_start (/home/seviezhou/advancecomp/advmng+0x41cec8)

0x602000000075 is located 0 bytes to the right of 5\-byte region \[0x602000000070,0x602000000075)
allocated by thread T0 here:
    #0 0x4e10d8 in \_\_interceptor\_malloc /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:88
    #1 0x5715be in mng\_read\_ihdr /home/seviezhou/advancecomp/lib/mng.c:139:18
    #2 0x5715be in mng\_read /home/seviezhou/advancecomp/lib/mng.c:650
    #3 0x56dfa2 in adv\_mng\_read /home/seviezhou/advancecomp/lib/mng.c:748:9
    #4 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #5 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #6 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #7 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23 in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fd fa fa\[05\]fa
  0x0c047fff8010: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==46247\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-23909: AdvanceMAME / Bugs / #285 A heap overflow in pngex.cc:433:4

An issue was discovered on atasm, version 1.09. A stack-buffer-overflow vulnerability in function aprintf() in asm.c allows attackers to execute arbitrary code on the system via a crafted file.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#23 stack-buffer-overflow in function aprintf()**

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-05-10

Created: 2021-04-06

Private: No

Hi,

While fuzzing ATasm 1.09, I found **stack-buffer-overflow** in function aprintf() in asm.c

strcat(line,buf); will result in stack overflow

\=================================================================
\==3256651\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffcaad2ff90 at pc 0x7f24f095b715 bp 0x7ffcaad2fe00 sp 0x7ffcaad2f590
WRITE of size 271 at 0x7ffcaad2ff90 thread T0
    #0 0x7f24f095b714 in vsprintf (/usr/lib/x86\_64\-linux\-gnu/libasan.so.5+0x9e714)
    #1 0x56362c585de7 in aprintf /home/atasm/src\-afl\-gcc/asm.c:330
    #2 0x56362c593603 in do\_xword /home/atasm/src\-afl\-gcc/asm.c:1312
    #3 0x56362c59d6d3 in proc\_sym /home/atasm/src\-afl\-gcc/asm.c:1586
    #4 0x56362c5a1f4a in do\_cmd /home/atasm/src\-afl\-gcc/asm.c:1995
    #5 0x56362c5a2424 in assemble /home/atasm/src\-afl\-gcc/asm.c:2034
    #6 0x56362c580341 in main /home/atasm/src\-afl\-gcc/asm.c:2446
    #7 0x7f24f06d60b2 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x270b2)
    #8 0x56362c581ddd in \_start (/home/atasm/src\-afl\-gcc/atasm+0xdddd)

Address 0x7ffcaad2ff90 is located in stack of thread T0 at offset 352 in frame
    #0 0x56362c585b7f in aprintf /home/atasm/src\-afl\-gcc/asm.c:322

  This frame has 4 object(s):
    \[32, 56) 'args' (line 326)
    \[96, 352) 'buf' (line 323)
    \[416, 672) 'line' (line 323) <== Memory access at offset 352 partially underflows this variable
    \[736, 992) 'buf' (line 1114)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86\_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
Shadow bytes around the buggy address:
  0x10001559dfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfc0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
  0x10001559dfd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10001559dff0: 00 00\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x10001559e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e010: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
  0x10001559e020: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e040: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==3256651\==ABORTING

reproduce:

atasm stack\_buffer\_over\_03\_aprintf

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-34123: ATasm: 6502 cross-assembler / Bugs

An Out of Bounds flaw was discovered in htmodoc 1.9.12 in function parse_tree() in toc.cxx, this possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.

Hi ,

In function parse\_tree() in toc.cxx, there is a out-of-bounds read bug.

If the value of heading_numbers[i] equal to 1000, then the heading_numbers[i] / 100 = 10 , but the length of array HUNDREDS and hundreds is 10, so out of bounds read occurred.

    232               case 'i' :
    233                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", hundreds[heading_numbers[i] / 100],     tens[(heading_numbers[i] / 10) % 10], ones[heading_numbers[i] % 10]);
    234                   break;
    235               case 'I' :
    236                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", HUNDREDS[heading_numbers[i] / 100],     TENS[(heading_numbers[i] / 10) % 10], ONES[heading_numbers[i] % 10]);
    237                   break;
    

**Version:**  
1.9.12 commit \[a5b87b9\]  
**Env:**  
ubuntu 20.04 x86\_64  
clang version 11.0.0

reproduce  
./configure  
make  
./htmldoc \[poc\]

oobr\_parse\_tree.poc.zip

\*\*more \*\*

gdb

    #3  0x00007ffff7a04f76 in __GI___snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:31
    #4  0x0000000000462ae9 in parse_tree (t=0xc50620) at toc.cxx:236
    #5  0x0000000000463047 in parse_tree (t=0xc500a0) at toc.cxx:375
    #6  0x0000000000463047 in parse_tree (t=0x99c9b0) at toc.cxx:375
    #7  0x0000000000463047 in parse_tree (t=0x968080) at toc.cxx:375
    #8  0x0000000000463047 in parse_tree (t=0x967900) at toc.cxx:375
    #9  0x0000000000463047 in parse_tree (t=0x9401c0) at toc.cxx:375
    #10 0x0000000000462439 in toc_build (tree=0x9401c0) at toc.cxx:81
    #11 0x000000000040cfa7 in main (argc=0x2, argv=0x7fffffffe368) at htmldoc.cxx:1275
    
    gef➤   p heading_numbers[i] / 100
    $24 = 0xa
    gef➤  p HUNDREDS[heading_numbers[i] / 100]
    $25 = 0x3131313131313149 <error: Cannot access memory at address 0x3131313131313149>
    
    
    

    ==311711== Invalid read of size 1
    ==311711==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==311711==    by 0x4CFCE94: __vfprintf_internal (vfprintf-internal.c:1688)
    ==311711==    by 0x4D10119: __vsnprintf_internal (vsnprintf.c:114)
    ==311711==    by 0x4CE5F75: snprintf (snprintf.c:31)
    ==311711==    by 0x462AE8: parse_tree(tree_str*) (toc.cxx:236)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x462438: toc_build (toc.cxx:81)
    ==311711==    by 0x40CFA6: main (htmldoc.cxx:1275)
    ==311711==  Address 0x3131313131313149 is not stack'd, malloc'd or (recently) free'd

CVE-2021-34121: Out of bounds read in function  · Issue #433 · michaelrsweet/htmldoc

An issue was discovered in asn1c through v0.9.28. A NULL pointer dereference exists in the function _default_error_logger() located in asn1fix.c. It allows an attacker to cause Denial of Service.

The crash is caused by this debug/error message:

https://github.com/vlm/asn1c/blob/v0.9.28/libasn1fix/asn1fix\_enum.c#L82

    FATAL("HERE HERE HERE", 1);
    

It looks like some temporary message added while debugging some issue, but that assumption is hard to confirm as it was included in the initial import to git.

The FATAL macro effectively expands to something like this:

    printf("HERE HERE HERE" " in %s", 1, source_file_name);
    

leading to %s format applied to argument 1 (i.e. pointer 0x1) instead of the file name string.

The most trivial fix is to remove extraneous , 1 argument. A better fix would be to remove the FATAL call completely if it's not needed, or user proper message if it is needed.

CVE-2020-23911: A Segmentation fault in asn1fix_enum.c:82:5 · Issue #394 · vlm/asn1c

In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.

**Mark Wielaard** mark@klomp.org  
_Wed Mar 3 20:46:24 GMT 2021_

*   Previous message (by thread): \[Bug tools/27501\] eu-readelf hang while process crafted file
*   Next message (by thread): \[PATCH\] debuginfod-client: Don't compare a double to a long
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

We are going through vna\_next, vn\_next and vd\_next in a while loop.
Make sure that all offsets are sane. We don't want things to wrap
around so we go in cycles.

https://sourceware.org/bugzilla/show\_bug.cgi?id=27501

Signed-off-by: Mark Wielaard <mark@klomp.org\>
---
 src/ChangeLog |  5 +++++
 src/readelf.c | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 791015bb..14cd6cac 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2021-03-03  Mark Wielaard  <mark@klomp.org\>
+
+	\* readelf.c (handle\_symtab): Sanity check verneed vna\_next,
+	vn\_next and verdef vd\_next offsets.
+
 2021-03-02  Timm Bäder  <tbaeder@redhat.com\>
 
 	\* elfcompress.c (process\_file): Remove cleanup() function and
diff --git a/src/readelf.c b/src/readelf.c
index 715af3b3..b9740455 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -2554,7 +2554,9 @@ handle\_symtab (Ebl \*ebl, Elf\_Scn \*scn, GElf\_Shdr \*shdr)
 						 &vernaux\_mem);
 		      while (vernaux != NULL
 			     && vernaux->vna\_other != \*versym
-			     && vernaux->vna\_next != 0)
+			     && vernaux->vna\_next != 0
+			     && (verneed\_data->d\_size - vna\_offset
+				 >= vernaux->vna\_next))
 			{
 			  /\* Update the offset.  \*/
 			  vna\_offset += vernaux->vna\_next;
@@ -2571,6 +2573,9 @@ handle\_symtab (Ebl \*ebl, Elf\_Scn \*scn, GElf\_Shdr \*shdr)
 			/\* Found it.  \*/
 			break;
 
+		      if (verneed\_data->d\_size - vn\_offset < verneed->vn\_next)
+			break;
+
 		      vn\_offset += verneed->vn\_next;
 		      verneed = (verneed->vn\_next == 0
 				 ? NULL
@@ -2606,6 +2611,9 @@ handle\_symtab (Ebl \*ebl, Elf\_Scn \*scn, GElf\_Shdr \*shdr)
 			/\* Found the definition.  \*/
 			break;
 
+		      if (verdef\_data->d\_size - vd\_offset < verdef->vd\_next)
+			break;
+
 		      vd\_offset += verdef->vd\_next;
 		      verdef = (verdef->vd\_next == 0
 				? NULL
-- 
2.20.1

*   Previous message (by thread): \[Bug tools/27501\] eu-readelf hang while process crafted file
*   Next message (by thread): \[PATCH\] debuginfod-client: Don't compare a double to a long
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the Elfutils-devel mailing list

CVE-2021-33294: [COMMITTED] readelf: Sanity check verneed and verdef offsets in handle_symtab.

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

**Bug Description**

Hi, we find 151 input files and pcre2test could not terminate in 60 minutes while processing them, which may trigger some dead loops.

We select one simplest input file (decompress it) to analyze the bug and the results of our analysis are as follows. (Maybe there are other situations.)

**Bug Analysis**

We find an endless looping may in pcre2test.c:6860  
With the input (decompress it).

The relevant code snippet is as follows.

    li \= strtol((const char \*)p, &endptr, 10);
    i \= (int32\_t)li;
    if (i\-- \== 0) {// ...}
    // ...
    replen \= CAST8VAR(q) \- start\_rep;
    needlen += replen \* i;

      if (needlen >= dbuffer\_size)
      {
      // ...
6860: while (needlen >= dbuffer\_size) dbuffer\_size \*= 2;
      // ...
      }

1.  p = "-10", li = i = -10
2.  With i--, i = -11
3.  With replen = CAST8VAR(q) - start_rep;, replen = 1
4.  With initial value 10 and needlen += replen * i, needlen = -1 = 2 ^ 64 -1, as type(needlen) = size_t
5.  Then an endless looping occurs in line: 6860.
    *   In fact, the while entry condition is vulnerable. With needlen ∈ \[ 2 ^ 63, 2 ^ 64), the while is very easy to trap into endless looping.

**How to reproduce**

1.  Download the pcre2 source code with the official link and build it.
    *   ./autogen.sh
    *   CC=gcc CXX=g++ ./configure --disable-shared --prefix=...
    *   make -j 8
    *   make install
2.  Executing prec2test with the provided input files
    *   Decompress the zip to get all the input files.
    *   cd <your install directory>
    *   ./bin/pcre2test <any input file in the zip>

CVE-2022-41409: [Bug report] Endless looping in pcre2test (v10.41, commit id:3a1ad4 ) · Issue #141 · PCRE2Project/pcre2

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classified Listing plugin <= 2.4.5 versions.

**Solution**

 Fixed

Update the WordPress Classified Listing plugin to the latest available version (at least 2.4.6).

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Classified Listing Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.4.6.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37387: WordPress Classified Listing plugin <= 2.4.5 - Cross Site Request Forgery (CSRF) Leading To Thumbnail Removal Vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kemal YAZICI - PluginPress Shortcode IMDB plugin <= 6.0.8 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Shortcode IMDB Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Source

CVE