Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.

we found wild-addr-write by fuzzing flac-master:

    ==217==ERROR: AddressSanitizer: SEGV on unknown address 0xb6029a2c (pc 0x0822a2ae bp 0xffeb31e8 sp 0xffeb30a0 T0)
    ==217==The signal is caused by a WRITE memory access.
    SCARINESS: 30 (wild-addr-write)
        #0 0x822a2ad in FLAC__bitwriter_write_raw_uint32_nocheck /src/flac/src/libFLAC/bitwriter.c
        #1 0x8229a42 in FLAC__bitwriter_write_raw_uint32 /src/flac/src/libFLAC/bitwriter.c:369:9
        #2 0x8218ec3 in FLAC__frame_add_header /src/flac/src/libFLAC/stream_encoder_framing.c:227:6
        #3 0x820557b in process_subframes_ /src/flac/src/libFLAC/stream_encoder.c:3365:7
        #4 0x81d940f in process_frame_ /src/flac/src/libFLAC/stream_encoder.c:3096:6
        #5 0x81f3770 in FLAC__stream_encoder_process_interleaved /src/flac/src/libFLAC/stream_encoder.c:2298:9
        #6 0x81bfa80 in FLAC::Encoder::Stream::process_interleaved(int const*, unsigned int) /src/flac/src/libFLAC++/stream_encoder.cpp:370:29
        #7 0x81ac167 in LLVMFuzzerTestOneInput /src/flac-fuzzers/fuzzer_encoder.cpp:141:46
        #8 0x80ac766 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
        #9 0x8098c13 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
        #10 0x809e318 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
        #11 0x80c3167 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
        #12 0xf7539636 in __libc_start_main (/lib32/libc.so.6+0x18636)
        #13 0x8073c38 in _start (/out/flac/fuzzer_encoder+0x8073c38)
    

here is my debug info:  
bw->buffer was realloc here

    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=62914562) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) n
    130		bw->buffer = new_buffer;
    (gdb) l
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    133	}
    134
    (gdb) p new_buffer
    $1 = (bwword *) 0x7abd7800
    (gdb) p new_capacity
    $2 = 250956800
    

later, bw->buffer was freed but it's value NOT set to 0

    156	static inline void *safe_realloc_(void *ptr, size_t size)
    157	{
    158		void *oldptr = ptr;
    159		void *newptr = realloc(ptr, size);
    160		if(size > 0 && newptr == 0)
    161			free(oldptr);
    162		return newptr;
    (gdb) n
    159		void *newptr = realloc(ptr, size);
    (gdb) n
    160		if(size > 0 && newptr == 0)
    (gdb) p newptr
    $4 = (void *) 0x0
    (gdb) p size
    $5 = 1006448640
    (gdb) n
    161			free(oldptr);
    (gdb) p oldptr
    $6 = (void *) 0x7abd7800
    (gdb) n
    162		return newptr;
    (gdb) n
    safe_realloc_mul_2op_ (ptr=0x7abd7800, size1=4, size2=251612160) at ../../include/share/alloc.h:206
    206	}
    (gdb) n
    bitwriter_grow_ (bw=0xf5a00a90, bits_to_add=20971521) at bitwriter.c:128
    128		if(new_buffer == 0)
    (gdb) l
    123		FLAC__ASSERT(0 == (new_capacity - bw->capacity) % FLAC__BITWRITER_DEFAULT_INCREMENT);
    124		FLAC__ASSERT(new_capacity > bw->capacity);
    125		FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
    126
    127		new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
    128		if(new_buffer == 0)
    129			return false;
    130		bw->buffer = new_buffer;
    131		bw->capacity = new_capacity;
    132		return true;
    (gdb) p bw->buffer
    $7 = (bwword *) 0x7abd7800
    (gdb) p bw->capacity
    $8 = 250956800
    (gdb) n
    129			return false

CVE-2020-22219: wild-addr-write found by fuzz · Issue #215 · xiph/flac

Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of crafted PDF document.

'701846?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21890: Invalid Bug ID

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

CVE-2020-21469: Buffer overflow when continuously send SIGHUP to postgres

Buffer Overflow vulnerability in function C_IStream::read in PluginEXR.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function C\_IStream::read of PluginEXR.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.  
Asan log as below:

\==2194\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf3b06d00 at pc 0x08087ebd bp 0xffe389d8 sp 0xffe385b0
WRITE of size 329845 at 0xf3b06d00 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in \_ReadProc(void\*, unsigned int, unsigned int, void\*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x816a96f in C\_IStream::read(char\*, int) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:66:26
    #3 0x851cd1f in Imf\_2\_2::(anonymous namespace)::readPixelData(Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, char\*&, int&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:440:25
    #4 0x8519bd7 in Imf\_2\_2::(anonymous namespace)::newLineBufferTask(IlmThread\_2\_2::TaskGroup\*, Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, int, int, Imf\_2\_2::OptimizationMode) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1033:14
    #5 0x8519bd7 in Imf\_2\_2::ScanLineInputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:44
    #6 0x849dba8 in Imf\_2\_2::InputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #7 0x81638a2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:428:9
    #8 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #9 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #10 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #11 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #12 0x806f8f5 in \_start (/home/FreeImage/test+0x806f8f5)

0xf3b06d00 is located 0 bytes to the right of 6144\-byte region \[0xf3b05500,0xf3b06d00)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x8510c1f in Imf\_2\_2::EXRAllocAligned(unsigned int, unsigned int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfSystemSpecific.h:139:12
    #2 0x8510c1f in Imf\_2\_2::ScanLineInputFile::initialize(Imf\_2\_2::Header const&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x8511e19 in Imf\_2\_2::ScanLineInputFile::ScanLineInputFile(Imf\_2\_2::Header const&, Imf\_2\_2::IStream\*, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x8496904 in Imf\_2\_2::InputFile::initialize() /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x8498d15 in Imf\_2\_2::InputFile::InputFile(Imf\_2\_2::IStream&, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:450:13
    #6 0x8161d1f in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:193:18
    #7 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #8 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #9 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #10 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16

SUMMARY: AddressSanitizer: heap\-buffer\-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e760d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x3e760da0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==2194\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21426: FreeImage / Bugs / #300 heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp

dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y

Skip to content

**Heap-based Buffer Overflow in the makevar() function**

Hi,

I found a **heap buffer overflow write of size 1** in the makevar() function, in dpic.y on dpic 2021.04.10 (commit: d317e406)

Heap buffer overflow issue: for loop in https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5769 as given below:

    void
    makevar(char *s, int ln, double varval)
    {
      nametype *vn, *lastvar, *namptr;
      int j, tstval;
      for (j = 0; j < ln; j++) { chbuf[chbufi + j] = s[j]; }
      ...

And, as per the code, https://gitlab.com/aplevich/dpic/-/blob/master/main.c#L1777

chbuf = malloc (sizeof (chbufarray)); if (chbuf==NULL){ fatal(9); } the sizeof chbufarray of char datatype is: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.h#L78

    typedef Char chbufarray[CHBUFSIZ + 1];

and upper limit of chbuf buffers is CHBUFSIZ which is of 4095 limit so sizeof (chbufarray) becomes 4096 and while running the executable, the value of chbufi can be seen as 4089 for this test file, so it means any value which is greater than 6 will cause heap buffer overflow write in the makevar() function for loop, in this case.

    if ln (second input parameter of makevar()) is 7:
        chbuf[4089 + 6] = s[6];
        chbuf[4095] = s[6];
    
    if ln is greater than 7 like 8 or 9:
        chbuf[4089 + 7] = s[6];
        which is, chbuf[4096] = s[6]; // heap buffer overflow of write 1 byte

And, as per the code: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5735 as given below, it can be seen as many makevar() function has second input parameter greater than 7

    void
    mkOptionVars(void)
    {
        makevar("dpicopt", 7, drawmode);
        if (safemode) { i = 1; } else { i = 0; }
        makevar("optsafe", 7, i);
        makevar("optMFpic", 8, MFpic);
        makevar("optMpost", 8, MPost);
        makevar("optPDF", 6, PDF);
        makevar("optPGF", 6, PGF);
        makevar("optPict2e", 9, Pict2e);
        makevar("optPS", 5, PS);
        makevar("optPSfrag", 9, PSfrag);
        makevar("optPSTricks", 11, PSTricks);
        makevar("optSVG", 6, SVG);
        makevar("optTeX", 6, TeX);
        makevar("opttTeX", 7, tTeX);
        makevar("optxfig", 7, xfig);
        ...

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap\_bof\_write\_test

the issue can be reproduced by running:

dpic heap_bof_write_test

With ASAN report

    =================================================================
    ==582741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001100 at pc 0x000000538ae3 bp 0x7ffead55dc90 sp 0x7ffead55dc88
    WRITE of size 1 at 0x621000001100 thread T0
        #0 0x538ae2 in makevar /home/bsdboy/projects/again/dpic/dpic.y:5769:48
        #1 0x511042 in mkOptionVars /home/bsdboy/projects/again/dpic/dpic.y:5748:5
        #2 0x4de391 in yyparse /home/bsdboy/projects/again/dpic/dpic.y:495:19
        #3 0x4dbcb4 in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c65d in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c65d)
    
    0x621000001100 is located 0 bytes to the right of 4096-byte region [0x621000000100,0x621000001100)
    allocated by thread T0 here:
        #0 0x4978bd in malloc (/home/bsdboy/projects/again/dpic/dpic+0x4978bd)
        #1 0x4dbb9d in main /home/bsdboy/projects/again/dpic/main.c:1779:11
        #2 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/projects/again/dpic/dpic.y:5769:48 in makevar
    Shadow bytes around the buggy address:
      0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff8220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==582741==ABORTING

Edited May 09, 2021 by Neeraj Pal

CVE-2021-33388: Heap-based Buffer Overflow in the makevar() function (#8) · Issues · Dwight Aplevich / dpic · GitLab

A heap buffer overflow in r_read_le32 function in radare25.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread crash in RAnal.hexagon (tests\_64900) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **4 additions** and **1 deletion**.

5 changes: 4 additions & 1 deletion libr/anal/p/anal\_hexagon.c

Expand Up

@@ -10,8 +10,11 @@

#include "hexagon\_anal.h"

  

static int hexagon\_v6\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len, RAnalOpMask mask) {

HexInsn hi \= {0};;

HexInsn hi \= {0};

ut32 data \= 0;

if (len < 4) {

return 0;

}

data \= r\_read\_le32 (buf);

int size \= hexagon\_disasm\_instruction (data, &hi, (ut32) addr);

op\->size \= size;

Expand Down

**0 comments on commit 027cd9b**

Please sign in to comment.

CVE-2022-28072: Fix oobread crash in RAnal.hexagon (tests_64900) ##crash · radareorg/radare2@027cd9b

A heap buffer overflow in vax_opfunction in radare2 5.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread in VAX disassembler (tests\_64920) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

2 changes: 1 addition & 1 deletion libr/anal/p/anal\_vax.c

Expand Up

@@ -150,7 +150,7 @@ static int vax\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len,

case 0xfb: // calls

op\->type \= R\_ANAL\_OP\_TYPE\_CALL;

op\->size \= 7;

{

if (len \> 6) {

int oa \= 3;

ut32 delta \= buf\[oa\];

delta |= (ut32)(buf\[oa + 1\]) << 8;

Expand Down

**0 comments on commit 49b0ceb**

Please sign in to comment.

CVE-2022-28069: Fix oobread in VAX disassembler (tests_64920) ##crash · radareorg/radare2@49b0ceb

A heap buffer overflow in r_sleb128 function in radare2 5.4.2 and 5.4.0.

Expand Up @@ -383,21 +383,18 @@ static inline ut64 dwarf\_read\_offset(bool is\_64bit, const ut8 \*\*buf, const ut8 \* if (is\_64bit) { result \= READ64 (\*buf); } else { result \= READ32 (\*buf); result \= (ut64)READ32 (\*buf); } return result; }  
static inline ut64 dwarf\_read\_address(size\_t size, const ut8 \*\*buf, const ut8 \*buf\_end) { ut64 result; switch (size) { case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: result \= 0; \*buf += size; eprintf ("Weird dwarf address size: %zu.", size); Expand Down Expand Up @@ -1857,8 +1854,7 @@ static const ut8 \*parse\_attr\_value(const ut8 \*obuf, int obuf\_len, \* @param sdb \* @return const ut8\* Updated buffer \*/ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { size\_t i; for (i \= 0; i < abbrev\->count \- 1; i++) { memset (&die\->attr\_values\[i\], 0, sizeof (die\->attr\_values\[i\])); Expand All @@ -1868,9 +1864,8 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD  
RBinDwarfAttrValue \*attribute \= &die\->attr\_values\[i\];  
bool is\_valid\_string\_form \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string) && attribute\->string.content; bool is\_string \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string); bool is\_valid\_string\_form \= is\_string && attribute\->string.content; // TODO does this have a purpose anymore? // Or atleast it needs to rework becase there will be // more comp units -> more comp dirs and only the last one will be kept Expand All @@ -1880,7 +1875,6 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD } die\->count++; }  
return buf; }  
Expand Down

CVE-2022-28068: Fix oobread crash in DWARF parser (tests_64924) ##crash · radareorg/radare2@637f4bd

dpic 2021.01.01 has a Global buffer overflow in theyylex() function in main.c and reads out of the bound array.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Topics Snippets
    
*   Register
*   Sign in

*   Dwight Aplevich
*   dpic
*   Commits
*   d317e406

**Commit d317e406** authored Apr 10, 2021 by  **Dwight Aplevich**

Browse files

**Improved robustness to fuzzed input**

parent 68ab9432

*   Changes 33

Expand all Hide whitespace changes

Inline Side-by-side

*   Neeraj Pal @bsdb0y
    
    mentioned in issue #8 (closed)
    
    · May 09, 2021
    
    mentioned in issue #8 (closed)
    
    mentioned in issue #8
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #9 (closed)
    
    · May 09, 2021
    
    mentioned in issue #9 (closed)
    
    mentioned in issue #9
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #10 (closed)
    
    · May 09, 2021
    
    mentioned in issue #10 (closed)
    
    mentioned in issue #10
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #11 (closed)
    
    · May 09, 2021
    
    mentioned in issue #11 (closed)
    
    mentioned in issue #11
    
    Toggle commit list
    

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2021-32422: Improved robustness to fuzzed input (d317e406) · Commits · Dwight Aplevich / dpic · GitLab

Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in FreeImage 3.19.0 [r1859] allows remote attackers to ru narbitrary code via use of crafted psd file.

1.PluginICO.cpp/LoadStandardIcon( )/heap\_overflow  
When the program reads a ico file, it will be handed to the Load function of the 'PluginICO.cpp' file, but in the '332' line of the program, when the 'io->read\_proc' function is executed, the size of the "height \* pitch" are not considered, which will cause the heap\_overflow.  
  
  
From the above,we can find that the "FreeImage\_GetBits" function return a pointer,which corresponds to the buffer as follows.  
  
The buffer size is (0x259aa44df50 + 0x663 - 259aa44df50) 0xa3  
  
  
At the same time ,the "handle" stores the pointer to the ICO data we read in. Moreover,we can see that the buffer has read the ico data when the 'io->read\_proc' function is executed.  
  
Also the size of the "height \* pitch" can be controlled.  
Finally,it will cause the heap overflow if we make the "height \* pitch" is greater than the size of buffer. Moreover, it may has the risk of arbitrary code execution.

2.PSDParser.cpp/ReadImageLine( )/heap\_overflow  
When the program reads a psd file, it will be handed to the Load function of the 'PSDParser.cpp' file, but in the '1298' line of the program, when the 'memcpy' function is executed, the size of the "lineSize" are not considered, which will cause the heap\_overflow.  
  
  
  
The lineSize is determined by the nWidth we passed in,which is controllable.  
  
The buffer size of "dst" is (0x19f53cdffe0 + 0x2013 -0x0000019f53ce1f90) 0x63  
  
  
Also the content of "src" comes from the psd file we read in.  
Finally,it will cause the heap overflow when the 'memcpy' function is executed,if we make the 'lineSize' is greater than the size of buffer.Moreover, it may has the risk of arbitrary code execution.

3.PSDParser.cpp/UnpackRLE( )/Integer overflow  
A Integer overflow in line "1328" of the "psdParser::UnpackRLE" function in "PSDParser.cpp". Where the "srcSize" is an unsigned integer. But it is still recognized as a positive number in the memory when "srcSize-=len" is a negative number(0xffffff94). Eventually results in "srcSize > 0", which causes rle\_line to generate an out-of-bounds read.  
  

4.PSDParser.cpp/psdThumbnail::Read( )/heap\_overflow  
When the program reads a psd file, it will be handed to the Load function of the 'PSDParser.cpp' file, but in the '801' line of the "psdThumbnail::Read", when the 'memcpy' function is executed, the size of the "\_Width \* \_BitPerPixel" are not considered, which will cause the heap\_overflow.  
  
The buffer size of "dst\_line\_start" is (0x231fdfde8f0 + 0x70b - 0x00000231fdfdefe4 ) 0x17 and the "\_Width \* \_BitPerPixel" is determined by the nWidth we passed in,which is controllable.  
  
In the code above，the "io->read\_proc(line\_start, \_WidthBytes, 1, handle)" function is executed, where the "handle" stores the pointer to the psd data we read in. Also the "\_WidthBytes" is controllable,which means the content of "line\_start" is controllable.  
  
Finally,it will cause the heap overflow when the 'memcpy' function is executed,if we make the "\_Width \* \_BitPerPixel" is greater than the size of buffer.Moreover, it may has the risk of arbitrary code execution.

Author by avscx.z@dbappsecurity.com.cn

 

Last edit: Avscx 2020-08-07

Tag

#buffer_overflow