Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function 'formWifiBasicSet.'

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40844: Digging/Tenda/AC6/bof/2/2.md at main · XYIYM/Digging

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function "sub_73004."

CVE-2023-40843: Digging/Tenda/AC6/bof/8/8.md at main · XYIYM/Digging

Tengda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function "R7WebsSecurityHandler."

CVE-2023-40842: Digging/Tenda/AC6/bof/4/4.md at main · XYIYM/Digging

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function "add_white_node,"

CVE-2023-40841: Digging/Tenda/AC6/bof/5/5.md at main · XYIYM/Digging

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function "fromGetWirelessRepeat."

CVE-2023-40840: Digging/Tenda/AC6/bof/6/6.md at main · XYIYM/Digging

* Buffer Overflow vulnerability in qdrant v.1.3.2 allows a remote attacker cause a denial of service via the chucnked_vectors.rs component.

Wrong dim when create collection may cause db service down

**Current Behavior**

Denial of Service, Users can not use the vector database normally

**Steps to Reproduce**

some bugs related with the dim of vector when create collection, which can cause DoS  
Details

version: 1.3.2

at https://github.com/qdrant/qdrant/blob/master/lib/segment/src/vector\_storage/chunked\_vectors.rs#L28, it check cannot be 0, but vector\_size may be zero if dim too big such as 2\*\*63. Then it will divide zero

if dim is too big, the vector::new will failed on my 128G memory server, and service will down.  
PoC

    from qdrant_client import QdrantClient
    from qdrant_client import models
    
    c = QdrantClient(host="127.0.0.1", port=6333)
    c.recreate_collection(
        collection_name="test",
        vectors_config=models.VectorParams(size=2**63, distance=models.Distance.COSINE),
    )
    
    # [2023-05-30T08:25:32.996Z ERROR qdrant::startup] Panic occurred in file lib/segment/src/vector_storage/chunked_vectors.rs at line 28: attempt to divide by zero
    

    c = QdrantClient(host="127.0.0.1", port=6333)
    c.recreate_collection(
        collection_name="test",
        vectors_config={
            "payload": models.VectorParams(size=2**59, distance=models.Distance.DOT),
        }
    )
    
    #memory allocation of 2305843009213693952memory allocation of  bytes failed
    #2305843009213693952 bytes failed
    #Aborted (core dumped)
    

**Possible Solution**

check the value range

P.S This bug can also effect the cloud service

CVE-2023-38975: Wrong dim when create collection may cause db service down · Issue #2268 · qdrant/qdrant

A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-40889

**Heap-based buffer overflow in ZBar**

Moderate severity GitHub Reviewed Published Aug 29, 2023 to the GitHub Advisory Database • Updated Aug 30, 2023

**Affected versions**

<= 0.23.90

**Description**

A heap-based buffer overflow exists in the qr\_reader\_match\_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-40889
*   https://hackmd.io/@cspl/B1ZkFZv23

Published to the GitHub Advisory Database

Aug 29, 2023

Last updated

Aug 30, 2023

GHSA-mhp6-jvpx-2p4m: Heap-based buffer overflow in ZBar

\# ZBar Heap-based Buffer Overflow Vulnerability ### CVE Number CVE-2023-40889 ### Summary A heap-based buffer overflow exists in the \*qr\_reader\_match\_centers\* function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner. ### Tested Versions ZBar 0.23.90 ### Product URLs https://github.com/mchehab/zbar/releases/tag/0.23.90   ### Crash Information \`\`\`sh ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000e1bf6 at pc 0x7f22e913836b bp 0x7fff893b6590 sp 0x7fff893b6588 READ of size 1 at 0x6040000e1bf6 thread T0 #0 0x7f22e913836a in qr\_reader\_match\_centers /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:3903:18 #1 0x7f22e913a2ef in \_zbar\_qr\_decode /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9 #2 0x7f22e910f004 in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/img\_scanner.c:806:5 #3 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #4 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:97 #5 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #6 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #7 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #8 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #9 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #10 0x7f22e4ea1bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #11 0x41dd49 in \_start (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dd49) 0x6040000e1bf6 is located 0 bytes to the right of 38-byte region \[0x6040000e1bd0,0x6040000e1bf6) allocated by thread T0 here: #0 0x513488 in calloc (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x513488) #1 0x7f22e9133b0f in qr\_reader\_match\_centers /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:3895:25 #2 0x7f22e913a2ef in \_zbar\_qr\_decode /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9 #3 0x7f22e910f004 in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/img\_scanner.c:806:5 #4 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #5 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:97 #6 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #7 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #8 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #9 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #10 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #11 0x7f22e4ea1bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 \`\`\`

CVE-2023-40889: ZBar Heap-based Buffer Overflow Vulnerability - HackMD

\# ZBar Heap-based Buffer Overflow Vulnerability ### CVE Number CVE-xxxx-xxxxx (unassigned) ### Summary A heap-based buffer overflow exists in the \*qr\_reader\_match\_centers\* function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner. ### Tested Versions ZBar 0.23.90 ### Product URLs https://github.com/mchehab/zbar/releases/tag/0.23.90   ### Crash Information \`\`\`sh ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000e1bf6 at pc 0x7f22e913836b bp 0x7fff893b6590 sp 0x7fff893b6588 READ of size 1 at 0x6040000e1bf6 thread T0 #0 0x7f22e913836a in qr\_reader\_match\_centers /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:3903:18 #1 0x7f22e913a2ef in \_zbar\_qr\_decode /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9 #2 0x7f22e910f004 in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/img\_scanner.c:806:5 #3 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #4 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:97 #5 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #6 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #7 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #8 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #9 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #10 0x7f22e4ea1bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #11 0x41dd49 in \_start (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dd49) 0x6040000e1bf6 is located 0 bytes to the right of 38-byte region \[0x6040000e1bd0,0x6040000e1bf6) allocated by thread T0 here: #0 0x513488 in calloc (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x513488) #1 0x7f22e9133b0f in qr\_reader\_match\_centers /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:3895:25 #2 0x7f22e913a2ef in \_zbar\_qr\_decode /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/qrcode/qrdec.c:4029:9 #3 0x7f22e910f004 in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar/zbar/img\_scanner.c:806:5 #4 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #5 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:97 #6 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #7 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #8 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #9 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #10 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #11 0x7f22e4ea1bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 \`\`\`

A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

\# ZBar Stack-based Buffer Overflow Vulnerability ### CVE Number CVE-2023-40890 ### Summary A stack-based buffer overflow vulnerability exists in the \*lookup\_sequence\* function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner. ### Tested Versions ZBar 0.23.90 ### Product URLs https://github.com/mchehab/zbar/releases/tag/0.23.90   ### Crash Information \`\`\`sh ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8c2052b8 at pc 0x7fd25c0d6ba3 bp 0x7ffe8c205130 sp 0x7ffe8c205128 WRITE of size 4 at 0x7ffe8c2052b8 thread T0 #0 0x7fd25c0d6ba2 in lookup\_sequence /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:703:12 #1 0x7fd25c0d6ba2 in match\_segment\_exp /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:763 #2 0x7fd25c0d6ba2 in decode\_char /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1086 #3 0x7fd25c0cda9b in decode\_finder /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1222:14 #4 0x7fd25c0cda9b in \_zbar\_decode\_databar /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:1242 #5 0x7fd25c0c5c52 in zbar\_decode\_width /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder.c:270:15 #6 0x7fd25c0c378a in process\_edge /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/scanner.c:173:16 #7 0x7fd25c0c378a in zbar\_scan\_y /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/scanner.c:261 #8 0x7fd25c0c0a6f in zbar\_scan\_image /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/img\_scanner.c:773:17 #9 0x5503cb in zbar::ImageScanner::scan(zbar::Image&) /usr/local/include/zbar/ImageScanner.h:113:16 #10 0x5503cb in LLVMFuzzerTestOneInput /home/fuzzer/ramdisk\_fuzz/libfuzz/src/fuzz.cpp:98 #11 0x42fb77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const\*, unsigned long) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42fb77) #12 0x43a3e4 in fuzzer::Fuzzer::MutateAndTestOne() (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43a3e4) #13 0x43ba4f in fuzzer::Fuzzer::Loop(std::vector<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >, fuzzer::fuzzer\_allocator<std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > > > const&) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x43ba4f) #14 0x42ae0c in fuzzer::FuzzerDriver(int\*, char\*\*\*, int (\*)(unsigned char const\*, unsigned long)) (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x42ae0c) #15 0x41dc82 in main (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dc82) #16 0x7fd257e53bf6 in \_\_libc\_start\_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #17 0x41dd49 in \_start (/home/fuzzer/ramdisk\_fuzz/libfuzz/fuzzer+0x41dd49) Address 0x7ffe8c2052b8 is located in stack of thread T0 at offset 376 in frame #0 0x7fd25c0ce46f in decode\_char /home/fuzzer/ramdisk\_fuzz/ZBar\_backup/zbar/decoder/databar.c:955 This frame has 6 object(s): \[32, 120) 'bestsegs.i' (line 716) \[160, 248) 'segs.i333' (line 716) \[288, 376) 'seq.i' (line 716) <== Memory access at offset 376 overflows this variable \[416, 544) 'iseg.i' (line 718) \[576, 592) 'd.i' (line 645) \[608, 616) 'emin' (line 958) \`\`\`

Tag

#buffer_overflow