OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x65fc97.

CVE-2022-35070

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35062

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e412a.

CVE-2022-35061

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41a8.

CVE-2022-35063

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41b8.

CVE-2022-35066

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0a32.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059922/id124\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6c0a32.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow 

**Crash Detail**

    ==103532==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f98ea3af808 at pc 0x0000006c0a33 bp 0x7ffcdefa80f0 sp 0x7ffcdefa80e8
    READ of size 8 at 0x7f98ea3af808 thread T0
        #0 0x6c0a32  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0a32)
        #1 0x527687  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x527687)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7f98f803ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x7f98ea3af808 is located 8 bytes to the right of 1048576-byte region [0x7f98ea2af800,0x7f98ea3af800)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x526fd2  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x526fd2)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7f98f803ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0a32) 
    Shadow bytes around the buggy address:
      0x0ff39d46deb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff39d46dec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff39d46ded0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff39d46dee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff39d46def0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff39d46df00: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff39d46df10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff39d46df20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff39d46df30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff39d46df40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff39d46df50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==103532==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0a32)

CVE-2022-35060: Poc/CVE-2022-35060.md at main · Cvjark/Poc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x4adcdb in __asan_memset.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059928/id149\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x4adcdb.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==104877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000db3 at pc 0x0000004adcdc bp 0x7fff70fd6650 sp 0x7fff70fd5e00
    WRITE of size 176 at 0x60b000000db3 thread T0
        #0 0x4adcdb in __asan_memset (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4adcdb)
        #1 0x5cd359  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5cd359)
        #2 0x4fea8d  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fea8d)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7f604b90ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x60b000000db3 is located 0 bytes to the right of 99-byte region [0x60b000000d50,0x60b000000db3)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x5cd14f  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5cd14f)
        #2 0x4fea8d  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fea8d)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7f604b90ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4adcdb) in __asan_memset
    Shadow bytes around the buggy address:
      0x0c167fff8160: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c167fff8170: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
      0x0c167fff8180: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c167fff8190: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c167fff81a0: fd fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
    =>0x0c167fff81b0: 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa fa
      0x0c167fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==104877==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4adcdb) in __asan_memset

CVE-2022-35064: Poc/CVE-2022-35064.md at main · Cvjark/Poc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b544e.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059938/id208\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6b544e.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==108318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000005cb at pc 0x0000006b544f bp 0x7ffe3ffce110 sp 0x7ffe3ffce108
    READ of size 1 at 0x6120000005cb thread T0
        #0 0x6b544e  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b544e)
        #1 0x6b6bf3  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b6bf3)
        #2 0x5265aa  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5265aa)
        #3 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #4 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #5 0x7f0873f24c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x6120000005cb is located 0 bytes to the right of 267-byte region [0x6120000004c0,0x6120000005cb)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x6b69c5  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b69c5)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7f0873f24c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b544e) 
    Shadow bytes around the buggy address:
      0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c247fff8090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff80b0: 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa fa
      0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==108318==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b544e)

CVE-2022-35069: Poc/CVE-2022-35069.md at main · Cvjark/Poc

A heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.

'2126824?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-3213: Invalid Bug ID

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Bridge | APSB22-49

Bulletin ID

Date Published

Priority

APSB22-49

September 13, 2022  

3

**Summary**

Adobe has released a security update for Adobe Bridge. This update addresses critical and important vulnerabilities that could lead to arbitrary code execution and memory leak.

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Bridge    

12.0.2 and earlier versions   

Windows  and macOS

Adobe Bridge    

11.1.3 and earlier versions 

Windows  and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.   

Product

Version

Platform

Priority     

Availability      

Adobe Bridge    

12.0.3

Windows and macOS    

3

Download Page    

Adobe Bridge    

11.1.4   

Windows and macOS      

3

Download Page      

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**  

**CVSS vector**

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35699

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35700

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35701  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35702  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35703  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35704  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35705  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35706  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35707  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35708  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35709  

Use After Free (CWE-416)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38425  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-35699, CVE-2022-35700, CVE-2022-35701, CVE-2022-35702, CVE-2022-35703, CVE-2022-35704, CVE-2022-35705, CVE-2022-35706, CVE-2022-35707, CVE-2022-35708, CVE-2022-35709, CVE-2022-38425
    

**Revisions**

December 6th, 2021: Added CVE details for CVE-2021-44185, CVE-2021-44186, CVE-2021-44187   

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

Tag

#buffer_overflow