LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow via the function bit_calc_CRC at bits.c.

**system info**

Ubuntu x86\_64, clang 6.0, dwg2dxf(0.12.4.4608)

**Command line**

./programs/dwg2dxf -b -m @@ -o /dev/null

**AddressSanitizer output**

\==8982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000592 at pc 0x0000005289e1 bp 0x7fffffffca80 sp 0x7fffffffca78  
READ of size 1 at 0x616000000592 thread T0  
#0 0x5289e0 in bit\_calc\_CRC /testcase/libredwg/src/bits.c:3257:29  
#1 0x7059b1 in decode\_preR13 /testcase/libredwg/src/decode\_r11.c:760:14  
#2 0x53245a in dwg\_decode /testcase/libredwg/src/decode.c:209:23  
#3 0x50d759 in dwg\_read\_file /testcase/libredwg/src/dwg.c:254:11  
#4 0x50c454 in main /testcase/libredwg/programs/dwg2dxf.c:258:15  
#5 0x7ffff6e22c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#6 0x419ee9 in \_start (/testcase/libredwg/programs/dwg2dxf+0x419ee9)

0x616000000592 is located 0 bytes to the right of 530-byte region \[0x616000000380,0x616000000592)  
allocated by thread T0 here:  
#0 0x4d2750 in calloc /fuzzer/build/llvm\_tools/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:74  
#1 0x50cdd0 in dat\_read\_file /testcase/libredwg/src/dwg.c:91:33  
#2 0x50d708 in dwg\_read\_file /testcase/libredwg/src/dwg.c:247:15  
#3 0x50c454 in main /testcase/libredwg/programs/dwg2dxf.c:258:15  
#4 0x7ffff6e22c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /testcase/libredwg/src/bits.c:3257:29 in bit\_calc\_CRC  
Shadow bytes around the buggy address:  
0x0c2c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c2c7fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c2c7fff80b0: 00 00\[02\]fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c2c7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==8982==ABORTING

**poc**

https://gitee.com/cxlzff/fuzz-poc/raw/master/libredwg/bit\_calc\_CRC\_bof

CVE-2022-33026: heap-buffer-overflow exists in the function bit_calc_CRC in bits.c · Issue #484 · LibreDWG/libredwg

In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData.

**desc**

There is a heap based buffer overflow in tinyexr::DecodePixelData before 20220506 that could cause remote code execution depending on the usage of this program.

**asan output**

    ==2363537==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009210 at pc 0x000000563bd4 bp 0x7fffffffc4b0 sp 0x7fffffffc4a8
    READ of size 1 at 0x629000009210 thread T0
        #0 0x563bd3 in tinyexr::cpy4(float*, float const*) /tinyexr/./BUILD/tinyexr.h:759:12
        #1 0x563bd3 in tinyexr::DecodePixelData(unsigned char**, int const*, unsigned char const*, unsigned long, int, int, int, int, int, int, int, int, unsigned long, unsigned long, TEXRAttribute const*, unsigned long, TEXRChannelInfo const*, std::vector<unsigned long, std::allocator<unsigned long> > const&) /tinyexr/./BUILD/tinyexr.h:3593:13
        #2 0x505f79 in tinyexr::DecodeTiledPixelData(unsigned char**, int*, int*, int const*, unsigned char const*, unsigned long, int, int, int, int, int, int, int, int, unsigned long, unsigned long, TEXRAttribute const*, unsigned long, TEXRChannelInfo const*, std::vector<unsigned long, std::allocator<unsigned long> > const&) /tinyexr/./BUILD/tinyexr.h:4115:10
        #3 0x505f79 in tinyexr::DecodeTiledLevel(TEXRImage*, TEXRHeader const*, tinyexr::OffsetData const&, std::vector<unsigned long, std::allocator<unsigned long> > const&, int, unsigned char const*, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /tinyexr/./BUILD/tinyexr.h:4841:16
        #4 0x504abc in tinyexr::DecodeChunk(TEXRImage*, TEXRHeader const*, tinyexr::OffsetData const&, unsigned char const*, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /tinyexr/./BUILD/tinyexr.h:5015:19
        #5 0x519246 in tinyexr::DecodeEXRImage(TEXRImage*, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, char const**) /tinyexr/./BUILD/tinyexr.h:5756:15
        #6 0x519246 in LoadEXRImageFromMemory /tinyexr/./BUILD/tinyexr.h:6444:10
        #7 0x53f3bf in LLVMFuzzerTestOneInput /tinyexr/./SRC/test/fuzzer/fuzz.cc:20:9
        #8 0x4fbaad in fuzzfile(char*) /tinyexr/../../../harness/aflharness.cc:35:5
        #9 0x4fbc06 in main /tinyexr/../../../harness/aflharness.cc:52:13
        #10 0x7ffff7a51082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x41e65d in _start (/tinyexr/fuzzrun/harness+0x41e65d)
    
    0x629000009210 is located 0 bytes to the right of 16400-byte region [0x629000005200,0x629000009210)
    allocated by thread T0 here:
        #0 0x4f8c17 in operator new(unsigned long) /fuzz/fuzzdeps/llvm-project-11.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x55b2b2 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:114:27
        #2 0x55b2b2 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:443:20
        #3 0x55b2b2 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:343:20
        #4 0x55b2b2 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:358:33
        #5 0x55b2b2 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:302:9
        #6 0x55b2b2 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:508:9
        #7 0x55b2b2 in tinyexr::DecodePixelData(unsigned char**, int const*, unsigned char const*, unsigned long, int, int, int, int, int, int, int, int, unsigned long, unsigned long, TEXRAttribute const*, unsigned long, TEXRChannelInfo const*, std::vector<unsigned long, std::allocator<unsigned long> > const&) /tinyexr/./BUILD/tinyexr.h:3484:32
        #8 0x505f79 in tinyexr::DecodeTiledPixelData(unsigned char**, int*, int*, int const*, unsigned char const*, unsigned long, int, int, int, int, int, int, int, int, unsigned long, unsigned long, TEXRAttribute const*, unsigned long, TEXRChannelInfo const*, std::vector<unsigned long, std::allocator<unsigned long> > const&) /tinyexr/./BUILD/tinyexr.h:4115:10
        #9 0x505f79 in tinyexr::DecodeTiledLevel(TEXRImage*, TEXRHeader const*, tinyexr::OffsetData const&, std::vector<unsigned long, std::allocator<unsigned long> > const&, int, unsigned char const*, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /tinyexr/./BUILD/tinyexr.h:4841:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /tinyexr/./BUILD/tinyexr.h:759:12 in tinyexr::cpy4(float*, float const*)
    Shadow bytes around the buggy address:
      0x0c527fff91f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fff9200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fff9210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fff9220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fff9230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c527fff9240: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fff9270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fff9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2363537==ABORTING
    

**reproduce**

*   compile this project using address sanitizer
*   run ./test/fuzzer ./poc

CVE-2022-34300: heap overflow in tinyexr::DecodePixelData · Issue #167 · syoyo/tinyexr

Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp. These vulnerabilities allow attackers to cause a Denial of Service via unspecified vectors.

****Describe the bug****

UndefinedBehaviorSanitizer: two runtime errors that expose invalid integer shifts in the library.

****To Reproduce****

Built lrzip using clang-10 with CXXFLAGS and/or CFLAGS ='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 3495188

****UBSAN Output****

    $ ./lrzip -d ./id:000000,sig:06,src:000057+000060,time:234495,op:splice,rep:8,trial:0 -o asd
    Output filename is: asd
    lrzip.c:208:36: runtime error: left shift of 2149580800 by 32 places cannot be represented in type 'i64' (aka 'long')
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lrzip.c:208:36 in 
    Invalid expected size -9214364837600034554
    
    $ ./lrzip -d ../../fizzbench-second-bench/cve-unique/lrzip-lrzip_decompress_fuzzer/id:000001,sig:06,src:000124+000094,time:315933,op:splice,rep:2,trial:3 -o output
    Output filename is: output
    Decompressing...
    libzpaq/libzpaq.cpp:804:58: runtime error: left shift of negative value -70
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libzpaq/libzpaq.cpp:804:58 in 
    

testcases:  
testcases.zip

CVE-2022-33067: UndefinedBehaviorSanitizer: invalid shifts · Issue #224 · ckolivas/lrzip

Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID.

**Conversation**

 

add a comment to \`container\` in \`quicklist.h\`.
Because \`PLAIN\` and \`PACKED\` are not as easy to understand as \`NONE\`
and \`LISTPACK\` and we don't have a detailed comment on it.

Co-authored-by: Oran Agra <oran@redislabs.com>

\`the redis object pointer was populated.\` -> \`the sds pointer was populated.\`
We don't populate the redis object pointer in this function.

Till now, on MacOS we only used to enable SO\_KEEPALIVE,
but we didn't set the interval which is configurable via the \`tcp-keepalive\` config.
This adds support for that on MacOS, to match what we already do on Linux.

update macros ZIPLIST\_ENTRY\_END i think the right definition is ((zl)+intrev32ifbe(ZIPLIST\_BYTES(zl))-ZIPLIST\_END\_SIZE)

 

…#10663)

When user uses the same input key for SDIFF as the first one, the result must be empty, so we don't need to process the elements to test.

This method is like the one done in zset‘s \`zsetChooseDiffAlgorithm\`

Co-authored-by: Oran Agra <oran@redislabs.com>

In general, our error handler make sure the error
object is always a table. In some rare cases (such
as OOM error), the error handler will not be called
and the error object will be a string. The PR expose
the error even if its a string and not a table.

Currently there is no way to test it but if it'll ever happen,
it is better to propagate this string upwards than just
generate a generic error without any specific info.

 

\* Module API doc script: Mark unreleased API functions

\* fix broken quotes in generate-module-api-doc.rb

Co-authored-by: Oran Agra <oran@redislabs.com>

)

this seems to have been an oversight. syncing the flags so that NOTIFY\_NEW is available to modules.
missing in redis#10512

 

also fixing already defined constants build warning while at it.

Co-authored-by: Oran Agra <oran@redislabs.com>

Fixed RM\_Scan() usage example: \`RedisModuleCursor\` -> \`RedisModuleScanCursor\`

…edis#10661)

If we want to support bits that can be overlapping, we need to make sure
that:
1. we don't use the same bit for two return values.
2. values should be sorted so that prefer ones (matching more
   bits) come first.

Unintentional change in redis#9644 (since RC1) meant that an empty \`--save ""\` config
from command line, wouldn't have clear any setting from the config file

Added tests to cover that, and improved test infra to take additional
command line args for redis-server

fix some typo in "t\_zset.c".
1. \`zzlisinlexrange\` the function name mentioned in the comment is misspelled.
2. fix typo in function name\`zarndmemberReplyWithListpack\` -> \`zrandmemberReplyWithListpack\`

Changed cursor's type from \`int\` to \`unsigned long\`
allows handling database or key with more than 2^31 elements

Set \`old\_li\` to NULL to avoid linking it again on error.
Before the fix, loading an already existing library will cause the existing library to be added again. This cause not harm other then wrong statistics. The statistics that are effected  by the issue are:
\* \`libraries\_count\` and \`functions\_count\` returned by \`function stats\` command
\* \`used\_memory\_functions\` returned on \`info memory\` command
\* \`functions.caches\` returned on \`memory stats\` command

…0683)

It used to returns slots as strings, like:
\`\`\`
redis> cluster shards
1) 1) "slots"
   2) 1) "10923"
      2) "16383"
\`\`\`

CLUSTER SHARDS docs and the top comment of redis#10293 says that it returns integers.
Note other commands like CLUSTER SLOTS, it returns slots as integers.
Use addReplyLongLong instead of addReplyBulkLongLong, now it returns slots as integers:
\`\`\`
redis> cluster shards
1) 1) "slots"
   2) 1) (integer) 10923
      2) (integer) 16383
\`\`\`

This is a small breaking change, introduced in 7.0.0 (7.0 RC3, redis#10293)

Fixes redis#10680

I suggest to use "\[fpclassify\](https://en.cppreference.com/w/cpp/numeric/math/fpclassify)" for float
comparison with zero, because of expression "value == 0" with value very close to zero can be
considered as true with some performance compiler optimizations.

Note: this code was introduced by 9d520a7 to accept zset scores that get ERANGE in conversion
due to precision loss near 0.
But with Intel compilers, ICC and ICX, where optimizations for 0 check are more aggressive, "==0" is
true for mentioned functions, however should not be. Behavior is seen starting from O2.
This leads to a failure in the ZSCAN test in scan.tcl

Fix redis#10552

We no longer piggyback getkeys\_proc to hold the RedisModuleCommand struct, when exists

Others:
Use \`doesCommandHaveKeys\` in \`RM\_GetCommandKeysWithFlags\` and \`getKeysSubcommandImpl\`.
It causes a very minor behavioral change in commands that don't have actual keys, but have a spec
with \`CMD\_KEY\_NOT\_KEY\`.
For example, before this command \`COMMAND GETKEYS SPUBLISH\` would return
\`Invalid arguments specified for command\` but not it returns \`The command has no key arguments\`

…t dirty counter to 0 if we enable save (redis#10691)

## FLUSHALL
We used to restore the dirty counter after \`rdbSave\` zeroed it if we enable save.
Otherwise FLUSHALL will not be replicated nor put into the AOF.

And then we do increment it again below.
Without that extra dirty++, when db was already empty, FLUSHALL
will not be replicated nor put into the AOF.

We now gonna replace all that dirty counter magic with a call
to forceCommandPropagation (REPL and AOF), instead of all the
messing around with the dirty counter.
Added tests to cover three part (dirty counter, REPL, AOF).

One benefit other than cleaner code is that the \`rdb\_changes\_since\_last\_save\` is correct in this case.

## FLUSHDB
FLUSHDB was not replicated nor put into the AOF when db was already empty.
Unlike DEL on a non-existing key, FLUSHDB always does something, and that's to call the module hook. 
So basically FLUSHDB is never a NOP, and thus it should always be propagated.
Not doing that, could mean that if a module does something in that hook, and wants to
avoid issues of that hook being missing on the replica if the db is empty, it'll need to do complicated things.

So now FLUSHDB add call forceCommandPropagation, we will always propagate FLUSHDB.
Always propagating FLUSHDB seems like a safe approach that shouldn't have any drawbacks (other than looking odd)

This was mentioned in redis#8972

## Test section:
We actually found it while solving a race condition in the BGSAVE test (other.tcl).
It was found in extra\_ci Daily Arm64 (test-libc-malloc).
\`\`\`
\[exception\]: Executing test client: ERR Background save already in progress.
ERR Background save already in progress
\`\`\`

It look like \`r flushdb\` trigger (schedule) a bgsave right after \`waitForBgsave r\` and before \`r save\`.
Changing flushdb to flushall, FLUSHALL will do a foreground save and then set the dirty counter to 0.

… spaces for MULTI\_ARG configs parsing. And allow options value to use the -- prefix (redis#10660)

## Take one bulk string with spaces for MULTI\_ARG configs parsing
Currently redis-server looks for arguments that start with \`--\`,
and anything in between them is considered arguments for the config.
like: \`src/redis-server --shutdown-on-sigint nosave force now --port 6380\`

MULTI\_ARG configs behave differently for CONFIG command, vs the command
line argument for redis-server.
i.e. CONFIG command takes one bulk string with spaces in it, while the
command line takes an argv array with multiple values.

In this PR, in config.c, if \`argc > 1\` we can take them as is,
and if the config is a \`MULTI\_ARG\` and \`argc == 1\`, we will split it by spaces.

So both of these will be the same:
\`\`\`
redis-server --shutdown-on-sigint nosave force now --shutdown-on-sigterm nosave force
redis-server --shutdown-on-sigint nosave "force now" --shutdown-on-sigterm nosave force
redis-server --shutdown-on-sigint nosave "force now" --shutdown-on-sigterm "nosave force"
\`\`\`

## Allow options value to use the \`--\` prefix
Currently it decides to switch to the next config, as soon as it sees \`--\`, 
even if there was not a single value provided yet to the last config,
this makes it impossible to define a config value that has \`--\` prefix in it.

For instance, if we want to set the logfile to \`--my--log--file\`,
like \`redis-server --logfile --my--log--file --loglevel verbose\`,
current code will handle that incorrectly.

In this PR, now we allow a config value that has \`--\` prefix in it.
\*\*But note that\*\* something like \`redis-server --some-config --config-value1 --config-value2 --loglevel debug\`
would not work, because if you want to pass a value to a config starting with \`--\`, it can only be a single value.
like: \`redis-server --some-config "--config-value1 --config-value2" --loglevel debug\`

An example (using \`--\` prefix config value):
\`\`\`
redis-server --logfile --my--log--file --loglevel verbose
redis-cli config get logfile loglevel
1) "loglevel"
2) "verbose"
3) "logfile"
4) "--my--log--file"
\`\`\`

### Potentially breaking change
\`redis-server --save --loglevel verbose\` used to work the same as \`redis-server --save "" --loglevel verbose\`
now, it'll error!

Before this commit, all source files including those that are not going
to be compiled were used. Some of these files are platform specific and
won't even pre-process on another platform. With GCC/Clang, that's not
an issue and they'll simply ignore them, but ICC aborts in this case.

This commit only attempts to generate Makefile.dep from the actual set
of C source files that will be compiled.

…G flag for volatile configurations. (redis#10713)

This fixes a possible regression in Redis 7.0.0, in which doing CONFIG SET
on a TLS config would not reload the configuration in case the new config is
the same file as before.

A volatile configuration is a configuration value which is a reference to the
configuration data and not the configuration data itself. In such a case Redis
doesn't know if the config data changed under the hood and can't assume a
change happens only when the config value changes. Therefore it needs to
be applied even when setting a config value to the same value as it was before.

The purpose of the test is to kill the child while it is running.
From the last two lines we can see the child exits before being killed.
\`\`\`
- Module fork started pid: 56998
\* <fork> fork child started
- Killing running module fork child: 56998
\* <fork> fork child exiting
signal-handler (1652267501) Received SIGUSR1 in child, exiting now.
\`\`\`

In this commit, we pass an argument to \`fork.create\` indicating how
long it should sleep. For the fork kill test, we use a longer time to
avoid the child exiting before being killed.

Other changes:
use wait\_for\_condition instead of hardcoded \`after 250\`.
Unify the test for failing fork with the one for killing it (save time)

…10645)

Updated the comments for:
info command
lmpopCommand and blmpopCommand
sinterGenericCommand 

Fix the missing "key" words in the srandmemberCommand function
For LPOS command, when rank is 0, prompt user that rank could be
positive number or negative number, and add a test for it

Alias was mistakenly forgotten when the sub commands introduced as json files.

since the sharded pubsub is different with pubsub, it's better to give users a hint to make it more clear.

This allows the module to know the usable size of an allocation
it made, rather than the consumed size.

…truct (redis#10697)

Move the client flags to a more cache friendly position within the client struct
we regain the lost 2% of CPU cycles since v6.2 ( from 630532.57 to 647449.80 ops/sec ).
These are due to higher rate of calls to getClientType due to changes in redis#9166 and redis#10020

…M check bug, and new RM\_Call checks. (redis#10786)

\* Fix broken protocol when redis can't persist to RDB (general commands, not
  modules), excessive newline. regression of redis#10372 (7.0 RC3)
\* Fix broken protocol when Redis can't persist to AOF (modules and
  scripts), missing newline.
\* Fix bug in OOM check of EVAL scripts called from RM\_Call.
  set the cached OOM state for scripts before executing module commands too,
  so that it can serve scripts that are executed by modules.
  i.e. in the past EVAL executed by RM\_Call could have either falsely
  fail or falsely succeeded because of a wrong cached OOM state flag.
\* Fix bugs with RM\_Yield:
  1. SHUTDOWN should only accept the NOSAVE mode
  2. Avoid eviction during yield command processing.
  3. Avoid processing master client commands while yielding from another client
\* Add new two more checks to RM\_Call script mode.
  1. READONLY You can't write against a read only replica
  2. MASTERDOWN Link with MASTER is down and \`replica-serve-stale-data\` is set to \`no\`
\* Add new RM\_Call flag to let redis automatically refuse \`deny-oom\` commands
  while over the memory limit. 
\* Add tests to cover various errors from Scripts, Modules, Modules
  calling scripts, and Modules calling commands in script mode.

Add tests:
\* Looks like the MISCONF error was completely uncovered by the tests,
  add tests for it, including from scripts, and modules
\* Add tests for NOREPLICAS from scripts
\* Add tests for the various errors in module RM\_Call, including RM\_Call that
  calls EVAL, and RM\_call in "eval mode". that includes:
  NOREPLICAS, READONLY, MASTERDOWN, MISCONF

The important part is that read-only scripts (not just EVAL\_RO
and FCALL\_RO, but also ones with \`no-writes\` executed by normal EVAL or
FCALL), will now be permitted to run during CLIENT PAUSE WRITE (unlike
before where only the \_RO commands would be processed).

Other than that, some errors like OOM, READONLY, MASTERDOWN are now
handled by processCommand, rather than the command itself affects the
error string (and even error code in some cases), and command stats.

Besides that, now the \`may-replicate\` commands, PFCOUNT and PUBLISH, will
be considered \`write\` commands in scripts and will be blocked in all
read-only scripts just like other write commands.
They'll also be blocked in EVAL\_RO (i.e. even for scripts without the
\`no-writes\` shebang flag.

This commit also hides the \`may\_replicate\` flag from the COMMAND command
output. this is a \*\*breaking change\*\*.

background about may\_replicate:
We don't want to expose a no-may-replicate flag or alike to scripts, since we
consider the may-replicate thing an internal concern of redis, that we may
some day get rid of.
In fact, the may-replicate flag was initially introduced to flag EVAL: since
we didn't know what it's gonna do ahead of execution, before function-flags
existed). PUBLISH and PFCOUNT, both of which because they have side effects
which may some day be fixed differently.

code changes:
The changes in eval.c are mostly code re-ordering:
- evalCalcFunctionName is extracted out of evalGenericCommand
- evalExtractShebangFlags is extracted luaCreateFunction
- evalGetCommandFlags is new code

Apparently, GCC 11.2.0 has a new fancy warning for misleading indentations.
It prints a warning when BRET(b) is on the same line as the loop.

 

…, and inserting comments around module and acl configs (redis#10761)

A regression from redis#10285 (redis 7.0).
CONFIG REWRITE would put lines with: \`include\`, \`rename-command\`,
\`user\`,  \`loadmodule\`, and any module specific config in a comment.

For ACL \`user\`, \`loadmodule\` and module specific configs would be
re-inserted at the end (instead of updating existing lines), so the only
implication is a messy config file full of comments.

But for \`rename-command\` and \`include\`, the implication would be that
they're now missing, so a server restart would lose them.

Co-authored-by: Oran Agra <oran@redislabs.com>

Skip the print on AOF\_NOT\_EXIST status.

 

Redis 7 adds some new alias config like \`hash-max-listpack-entries\` alias \`hash-max-ziplist-entries\`.

If a config file contains both real name and alias like this:
\`\`\`
hash-max-listpack-entries 20
hash-max-ziplist-entries 20
\`\`\`

after set \`hash-max-listpack-entries\` to 100 and \`config rewrite\`, the config file becomes to:
\`\`\`
hash-max-listpack-entries 100
hash-max-ziplist-entries 20
\`\`\`

we can see that the alias config is not modified, and users will get wrong config after restart.

6.0 and 6.2 doesn't have this bug, since they only have the \`slave\` word alias.

Co-authored-by: Oran Agra <oran@redislabs.com>

\* Update time independent string compare to use hash length

On line 4068, redis has a logical nodeIsSlave(myself) on the outer if layer,
which you can delete without having to repeat the decision

…and instantaneous\_output\_repl\_kbps. (redis#10810)

A supplement to redis#10062
Split \`instantaneous\_repl\_total\_kbps\` to \`instantaneous\_input\_repl\_kbps\` and \`instantaneous\_output\_repl\_kbps\`. 
## Work:
This PR:
- delete 1 info field:
    - \`instantaneous\_repl\_total\_kbps\`
- add 2 info fields:
    - \`instantaneous\_input\_repl\_kbps / instantaneous\_output\_repl\_kbps\`
## Result:
- master
\`\`\`
total\_net\_input\_bytes:26633673
total\_net\_output\_bytes:21716596
total\_net\_repl\_input\_bytes:0
total\_net\_repl\_output\_bytes:18433052
instantaneous\_input\_kbps:0.02
instantaneous\_output\_kbps:0.00
instantaneous\_input\_repl\_kbps:0.00
instantaneous\_output\_repl\_kbps:0.00
\`\`\`
- slave
\`\`\`
total\_net\_input\_bytes:18433212
total\_net\_output\_bytes:94790
total\_net\_repl\_input\_bytes:18433052
total\_net\_repl\_output\_bytes:0
instantaneous\_input\_kbps:0.00
instantaneous\_output\_kbps:0.05
instantaneous\_input\_repl\_kbps:0.00
instantaneous\_output\_repl\_kbps:0.00
\`\`\`

Trying to avoid people opening crash report issues about module crashes and ARM QEMU bugs.

Current documentation only states a single GET token is needed which is not true. Marking the command with multiple\_token.

Currently generate-command.help.rb dose not handle the
multiple\_token flag, handle this flag in this PR.
The format is the same as redis-cli rendering.
\`\`\`diff
- bitfield\_ro key GET encoding offset \[encoding offset ...\]
+ bitfield\_ro key GET encoding offset \[GET encoding offset ...\]
\`\`\`

Re run generate-command-code.py which was forget in redis#10820.
Also change the flag value from string to bool, like "true" to true

Correcting the introduction version of the command \`BITFIELD\_RO\`
Command added by commit: b3e4abf 

Add history info of the \`FULL\` modifier in \`XINFO STREAM\`
Modifier was added by commit: 1e2aee3

(Includes output from \`./utils/generate-command-code.py\`)

Currently, we only increment stat\_rdb\_saves in rdbSaveBackground,
we should also increment it in the SAVE command.

We concluded there's no need to increment when:
1. saving a base file for an AOF
2. when saving an empty rdb file to delete an old one
3. when saving to sockets (not creating a persistence / snapshot file)

The stat counter was introduced in redis#10178

\* fix a wrong comment in startSaving

This change fixes failing \`integration/logging.tcl\` test in Gentoo with
musl libc, where \`ldd\` returns
\`\`\`
libc.so => /lib/ld-musl-x86\_64.so.1 (0x7f9d5f171000)
\`\`\`
unlike Alpine's
\`\`\`
libc.musl-x86\_64.so.1 => /lib/ld-musl-x86\_64.so.1 (0x7f82cfa16000)
\`\`\`
The solution is to extend matching pattern introduced in redis#8532.

 oranagra changed the base branch from unstable to 7.0

Jun 8, 2022

CVE-2022-33105: Release 7.0.1 by oranagra · Pull Request #10829 · redis/redis

Red Hat Security Advisory 2022-5116-01 - An update for puppet-firewall is now available for Red Hat OpenStack Platform 16.2.3 (Train). An issue was address where unmanaged rules could leave the system in an unsafe state via duplicate a comment.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (puppet-firewall) security update  
Advisory ID:       RHSA-2022:5116-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5116  
Issue date:        2022-06-22  
CVE Names:         CVE-2022-0675  
====================================================================  
1. Summary:

An update for puppet-firewall is now available for Red Hat OpenStack  
Platform 16.2.3 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Manages Firewalls such as iptables

Security Fix(es):

* unmanaged rules could leave system in an unsafe state via duplicate  
comment (CVE-2022-0675)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2071567 - CVE-2022-0675 puppetlabs-firewall: unmanaged rules could leave system in an unsafe state via duplicate comment

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
puppet-firewall-3.4.0-1.94f707cgit.el8ost.src.rpm

noarch:  
puppet-firewall-3.4.0-1.94f707cgit.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
puppet-firewall-3.4.0-1.94f707cgit.el8ost.src.rpm

noarch:  
puppet-firewall-3.4.0-1.94f707cgit.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0675  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrNY+9zjgjWX9erEAQjp3g//dr6StKxO2eItYO72aTw0lhuSlnbuVBi4  
XjyoK/MmgMD7mmIOivMH8x0SQez3i8bbVuNBxY0vzKaBCt2F0A0rvAjU6CfHfQ9X  
/W0vgYVU25JqCkLa1LKA/uAS4wU3q2RsmRQQkozh93oKGvrxyv1Oavopct34sDUL  
RaQmvWNpGDM7N4fwsZjZlAaF+zs/LcjnFavBnRM/2V7J49C/SfINpwDWj80rek+j  
OY234ef9l1QnbKybUX6HVCiQv7aGifcJSqK/Eg+DrZ5U0CaDGYM4zPECIg/HbW44  
Z59ezU0gOMOZKbFDd/JsP7F6r0CGEZn+7buL2pDplXJiXQU+/KCb9GGW1kavIJ8B  
PjuXMG38UwTJTDFJ88sPJlU2nHvGADAUPciymUBCJ/uRYemN5g2qpUw3XNUGPXrD  
zDsP6SY0CTjWDTcdq8fY6m3H1sqe+cICxww/gWhRf+uLaCHtAN/Blt9rKAkdXxNn  
+BPlNcSUtCStt7B1WWA0kiU+uE84t9if4jSQ9E30qusYYkAOhoJG2mIMBnCuaRoX  
MOE8X87XJMSFptq+y0rHQnPeG++W/qnsZ1Ck++9rNQwrP0Qme7PbcyLn9Yozkd00  
4QqyaBWq+CwKGAkO6CCkloq8HImfelXPr1lq2GdartSiZoLnbOITLL+cqmmBV61W  
c2vGSnm9MKo=lq7X  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5116-01

Red Hat Security Advisory 2022-4965-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory. Issues addressed include a memory exhaustion vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.53 packages and security update  
Advisory ID:       RHSA-2022:4965-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4965  
Issue date:        2022-06-16  
CVE Names:         CVE-2022-1708   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.53 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.7 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.7.53. There are no images for this advisory.

Security Fix(es):

* cri-o: memory exhaustion on the node when access to the kube api  
(CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.7 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

6. Package List:

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el7.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.src.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el8.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm  
cri-tools-1.20.0-4.el8.src.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm

ppc64le:  
conmon-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-tools-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debuginfo-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debugsource-1.20.0-4.el8.ppc64le.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm

s390x:  
conmon-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.s390x.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-tools-1.20.0-4.el8.s390x.rpm  
cri-tools-debuginfo-1.20.0-4.el8.s390x.rpm  
cri-tools-debugsource-1.20.0-4.el8.s390x.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-tools-1.20.0-4.el8.x86_64.rpm  
cri-tools-debuginfo-1.20.0-4.el8.x86_64.rpm  
cri-tools-debugsource-1.20.0-4.el8.x86_64.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1708  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqsa+9zjgjWX9erEAQjCBA//XuKHMB5VFNuOT18z4OljxD7g++8m5ajV  
HFQNdP5hmtcE3FLiPd5aJjyheDnHhr4wWH7GsjSQ7CUWRPZymh/1LJJNs5FZwUxT  
QGt2vY2Nms8qcwPo3kstKBLPNtY+0Fj6X7s2chcChsh+rc/pLXI1g6B1GkoT1Rj7  
sr+uVu1UuCbydao6duDRjIPTuSTEHGUHUPtVoOdrGXibGBObxaZlhsZuh8j0iNx9  
w0V2sEDxd34y8cohYfr/qvtMfHD3urGOKbMAVYDCBJPo0WoOLRqim4NN2YVHOgL4  
6pUlUNoVvrd5PQ4Gb+xg0E9LOwfNGpoYmOHU84BlH5GcOqVfJWJCD5zMEwp4/3uz  
hYgQNUH4JMur3Weg5Mum8bpQR3R5WirsPWF+wz6plL3VAL8mAHoJb9SEmVK6vkA/  
/LsMo6bDXRboliTuRTP7cggcV+Zl9IFCKbzQScMlOp8icsKWrczarhiPLNB3G1Nf  
k8I8LwzqwlZ/yBXmarPTRTbApqszNz5VITaUVOsDS+0tfZLXBP56IcYzR6z9q/HD  
J5WDx5c+UQ2PQKMiYIJR+kM2EBus1uxl+7l6QxVIDngYISdlcFi8Lgd6uw6CD/xn  
4/DEyT6BwVu6VfEO7jKBBqb/zuiy7hydIZOZWJHuxGjimBcJqezbJWD7DxU9a8Ov  
IsMS+CwIlZo=  
=quew  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4965-01

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. 
Any combination was considered valid.

This allows an attacker to republish an existing `PeerRecord` with a different `PeerId`.


**Failure to verify the public key of a \`SignedEnvelope\` against the \`PeerId\` in a \`PeerRecord\`**

High severity GitHub Reviewed Published Jun 17, 2022 • Updated Jun 17, 2022

GHSA-wc36-xgcc-jwpr: Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`

In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/error.c:1769 which leads to a denial of service vulnerability.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Step to reproduce:

1.get latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)  
2.compile with --enable-sanitizer  
3.run MP4Box -add poc.nhml -new new.mp4  
Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report  
poc.zip

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==344428==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7fcb7d118779 bp 0x7ffe1832c550 sp 0x7ffe1832c480 T0)
    ==344428==The signal is caused by a READ memory access.
    ==344428==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x7fcb7d118779 in gf_blob_get /home/lly/pro/gpac_asan/src/utils/error.c:1769:12
        #1 0x7fcb7d0eb2ea in gf_fileio_from_blob /home/lly/pro/gpac_asan/src/utils/os_file.c:1287:13
        #2 0x7fcb7d0eb2ea in gf_fopen_ex /home/lly/pro/gpac_asan/src/utils/os_file.c:1314:14
        #3 0x7fcb7dc90328 in nhmldmx_send_sample /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1101:9
        #4 0x7fcb7dc90328 in nhmldmx_process /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1341:7
        #5 0x7fcb7dbbc997 in gf_filter_process_task /home/lly/pro/gpac_asan/src/filter_core/filter.c:2441:7
        #6 0x7fcb7db9e965 in gf_fs_thread_proc /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1664:3
        #7 0x7fcb7db9de60 in gf_fs_run /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1901:2
        #8 0x7fcb7d6bf708 in gf_media_import /home/lly/pro/gpac_asan/src/media_tools/media_import.c:1486:2
        #9 0x526ea9 in import_file /home/lly/pro/gpac_asan/applications/mp4box/fileimport.c:1289:7
        #10 0x4eb996 in do_add_cat /home/lly/pro/gpac_asan/applications/mp4box/main.c:4257:10
        #11 0x4e7d46 in mp4boxMain /home/lly/pro/gpac_asan/applications/mp4box/main.c:5746:13
        #12 0x7fcb7c9400b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x429a4d in _start (/home/lly/pro/gpac_asan/bin/gcc/MP4Box+0x429a4d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/lly/pro/gpac_asan/src/utils/error.c:1769:12 in gf_blob_get
    ==344428==ABORTING

CVE-2021-41458: SEGV on unknown address in MP4Box at src/utils/error.c:1769 in gf_blob_get · Issue #1910 · gpac/gpac

A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Mailing Lists
*   Code
*   Cvs
*   Tickets ▾
    *   Bugs
    *   Feature Requests
    *   Support Requests
    *   Patches
*   News
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 1

Updated: 2021-09-02

Created: 2021-09-02

Private: No

**System Env**

Ubuntu 16.04(server)

Kernel: _Linux ubuntu 5.0.5-050005-generic #201903271212 SMP Wed Mar 27 16:14:07 UTC 2019 x8664 x8664 x8664 GNU/Linux_

gif2rgb 5.14

gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)

**Configure**

export CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" \\  
export LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"

**Command**

./gif2rgb @@

**Output**

\[ 4389.814860\] Call Trace:
\[ 4389.815518\]  dump\_stack+0x63/0x8a
\[ 4389.815529\]  dump\_header+0x54/0x308
\[ 4389.815540\]  ? sched\_clock+0x9/0x10
\[ 4389.815549\]  oom\_kill\_process.cold.29+0xb/0x1d6
\[ 4389.815558\]  out\_of\_memory+0x1bc/0x480
\[ 4389.815568\]  \_\_alloc\_pages\_slowpath+0xb68/0xea0
\[ 4389.815578\]  \_\_alloc\_pages\_nodemask+0x2c4/0x2e0
\[ 4389.815589\]  alloc\_pages\_current+0x81/0xe0
\[ 4389.815599\]  \_\_page\_cache\_alloc+0x6a/0xa0
\[ 4389.815609\]  filemap\_fault+0x403/0x8a0
\[ 4389.815619\]  ? xas\_load+0xc/0x80
\[ 4389.815628\]  ? xas\_find+0x157/0x190
\[ 4389.815637\]  ? filemap\_map\_pages+0x84/0x380
\[ 4389.815647\]  ext4\_filemap\_fault+0x31/0x44
\[ 4389.815657\]  \_\_do\_fault+0x3c/0x130
\[ 4389.815667\]  \_\_handle\_mm\_fault+0xe4b/0x1280
\[ 4389.815677\]  ? \_\_switch\_to\_asm+0x34/0x70
\[ 4389.815687\]  handle\_mm\_fault+0xe1/0x210
\[ 4389.815696\]  \_\_do\_page\_fault+0x23a/0x4c0
\[ 4389.815706\]  do\_page\_fault+0x2e/0xe0
\[ 4389.815715\]  ? page\_fault+0x8/0x30
\[ 4389.815723\]  page\_fault+0x1e/0x30
\[ 4389.815743\] RIP: 0033:0x560d4760fed8
\[ 4389.815755\] Code: Bad RIP value.
\[ 4389.815763\] RSP: 002b:000000c420251cb0 EFLAGS: 00010283
\[ 4389.815771\] RAX: 0000560d491fcde0 RBX: 0000000000000001 RCX: 0000560d48a716c0
\[ 4389.815780\] RDX: 0000000000000018 RSI: 40442b34b36c38f7 RDI: 000000c420413970
\[ 4389.815788\] RBP: 000000c420251ce0 R08: 00007fff4c5c30b0 R09: 00007fff4c5c3080
\[ 4389.815796\] R10: 00000000000a1c8e R11: 0000000000001125 R12: 0000000000000000
\[ 4389.815803\] R13: 0000000000000018 R14: 0000000000000054 R15: 0000000000000100
\[ 4389.815812\] Mem-Info:
\[ 4389.815823\] active\_anon:772579 inactive\_anon:154814 isolated\_anon:0
                active\_file:14 inactive\_file:19 isolated\_file:0
                unevictable:0 dirty:0 writeback:0 unstable:0
                slab\_reclaimable:9443 slab\_unreclaimable:19149
                mapped:21 shmem:1 pagetables:4096 bounce:0
                free:21609 free\_pcp:0 free\_cma:0
\[ 4389.815832\] Node 0 active\_anon:3090316kB inactive\_anon:619256kB active\_file:56kB inactive\_file:76kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84kB dirty:0kB writeback:0kB shmem:4kB shmem\_thp: 0kB shmem\_pmdmapped: 0kB anon\_thp: 0kB writeback\_tmp:0kB unstable:0kB all\_unreclaimable? yes
\[ 4389.815840\] Node 0 DMA free:15620kB min:268kB low:332kB high:396kB active\_anon:252kB inactive\_anon:0kB active\_file:0kB inactive\_file:0kB unevictable:0kB writepending:0kB present:15988kB managed:15904kB mlocked:0kB kernel\_stack:0kB pagetables:0kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
\[ 4389.815850\] lowmem\_reserve\[\]: 0 2908 3843 3843 3843
\[ 4389.815859\] Node 0 DMA32 free:54632kB min:50932kB low:63664kB high:76396kB active\_anon:2357544kB inactive\_anon:618328kB active\_file:112kB inactive\_file:224kB unevictable:0kB writepending:0kB present:3129152kB managed:3039312kB mlocked:0kB kernel\_stack:16kB pagetables:7248kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
…….
\[ 4389.815932\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=1048576kB
\[ 4389.815940\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=2048kB
\[ 4389.815948\] 116 total pagecache pages
\[ 4389.815957\] 25 pages in swap cache
\[ 4389.815965\] Swap cache stats: add 1380554, delete 1380498, find 9812/20857
\[ 4389.815973\] Free swap  \= 0kB
\[ 4389.815981\] Total swap \= 998396kB
\[ 4389.815989\] 1048429 pages RAM
\[ 4389.815996\] 0 pages HighMem/MovableOnly
\[ 4389.816004\] 45224 pages reserved
\[ 4389.816012\] 0 pages cma reserved
\[ 4389.816019\] 0 pages hwpoisoned
\[ 4389.816027\] Tasks state (memory values in pages):
\[ 4389.816035\] \[  pid  \]   uid  tgid total\_vm      rss pgtables\_bytes swapents oom\_score\_adj name
    ……
\[ 4389.817580\] \[   1640\]     0  1640     5702        1    90112      477             0 bash
\[ 4389.817588\] \[   1901\]     0  1901    24862        9   233472      238             0 sshd
\[ 4389.817597\] \[   1956\]     0  1956     5724       61    86016      439             0 bash
\[ 4389.817607\] \[   2416\]     0  2416 5368727780   926778 11087872   221610             0 gif2rgb
\[ 4389.817615\] oom-kill:constraint\=CONSTRAINT\_NONE,nodemask\=(null),cpuset\=/,mems\_allowed\=0,global\_oom,task\_memcg\=/user.slice,task\=gif2rgb,pid\=2416,uid\=0
\[ 4389.817643\] Out of memory: Kill process 2416 (gif2rgb) score 918 or sacrifice child
\[ 4389.819906\] Killed process 2416 (gif2rgb) total-vm:21474911120kB, anon-rss:3707108kB, file-rss:4kB, shmem-rss:0kB
\[ 4389.912731\] oom\_reaper: reaped process 2416 (gif2rgb), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

**1 Attachments**

**Discussion**

Log in to post a comment.

Tag

#c++