An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex-2  
For POC-new-gf\_isom\_box\_parse\_ex  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex-2  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex  
ASAN info:

\==25783\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region \[0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:\[fa\]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf\_isom\_box\_parse\_ex-2

ASAN info：  
==25917\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region \[0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

**This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d**

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_odf\_avc\_cfg\_write\_bs

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
(gdb) bt
#0  0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
#1  0x000000000055b1ff in gf\_odf\_avc\_cfg\_write ()
#2  0x00000000004f9ba1 in AVC\_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video\_sample\_entry\_Read ()
#4  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#5  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#6  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#7  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#8  0x00000000006d09d0 in stbl\_Read ()
#9  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#10 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#11 0x00000000006ce02b in minf\_Read ()
#12 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#13 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#14 0x00000000006cd2f0 in mdia\_Read ()
#15 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#16 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#17 0x00000000006d351d in trak\_Read ()
#18 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#19 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#20 0x00000000006ce545 in moov\_Read ()
#21 0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#22 0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#23 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#24 0x000000000051c48c in gf\_isom\_open\_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#27 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==25871\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf\_odf\_avc\_cfg\_write\_bs odf/descriptors.c:567
    #1 0x79821e in gf\_odf\_avc\_cfg\_write odf/descriptors.c:631
    #2 0x68b393 in AVC\_RewriteESDescriptorEx isomedia/avc\_ext.c:1063
    #3 0xaddd66 in video\_sample\_entry\_Read isomedia/box\_code\_base.c:4408
    #4 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #5 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #6 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #7 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #8 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #9 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #10 0xae19df in stbl\_Read isomedia/box\_code\_base.c:5381
    #11 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #12 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #13 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #14 0xadb4fe in minf\_Read isomedia/box\_code\_base.c:3500
    #15 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #16 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #17 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #18 0xad96ef in mdia\_Read isomedia/box\_code\_base.c:3021
    #19 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #20 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #21 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #22 0xae8ad8 in trak\_Read isomedia/box\_code\_base.c:7129
    #23 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #24 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #25 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #26 0xadc064 in moov\_Read isomedia/box\_code\_base.c:3745
    #27 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #28 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #29 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #30 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #31 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #32 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #34 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf\_odf\_avc\_cfg\_write\_bs
==25871==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20163: AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 · Issue #1335 · gpac/gpac

In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.

There is a heap-buffer-overflow in function ImportRLEPixels of coders/miff.c whick can be reproduced as below.  
gm convert ./heap-buffer-overflow\_ImportRLEPixels /dev/null

\=================================================================
==27431==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fed1 at pc 0x00000071ab86 bp 0x7ffcc60ecb20 sp 0x7ffcc60ecb10
WRITE of size 1 at 0x61500000fed1 thread T0
    #0 0x71ab85 in ImportRLEPixels coders/miff.c:428
    #1 0x729d09 in ReadMIFFImage coders/miff.c:1850
    #2 0x477730 in ReadImage magick/constitute.c:1607
    #3 0x421598 in ConvertImageCommand magick/command.c:4365
    #4 0x436b0d in MagickCommand magick/command.c:8889
    #5 0x45f2ca in GMCommandSingle magick/command.c:17434
    #6 0x45f516 in GMCommand magick/command.c:17487
    #7 0x40cc65 in main utilities/gm.c:61
    #8 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cb78 in \_start (/home/graphicsmagick-code/utilities/gm+0x40cb78)

0x61500000fed1 is located 0 bytes to the right of 465-byte region \[0x61500000fd00,0x61500000fed1)
allocated by thread T0 here:
    #0 0x7f5e5228b602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4df677 in MagickRealloc magick/memory.c:494
    #2 0x501826 in OpenCache magick/pixel\_cache.c:2497
    #3 0x507f01 in ModifyCache magick/pixel\_cache.c:4584
    #4 0x4fb19e in SetCacheNexus magick/pixel\_cache.c:922
    #5 0x508d90 in SetCacheViewPixels magick/pixel\_cache.c:4881
    #6 0x508e6a in SetImagePixels magick/pixel\_cache.c:4947
    #7 0x7298da in ReadMIFFImage coders/miff.c:1831
    #8 0x477730 in ReadImage magick/constitute.c:1607
    #9 0x421598 in ConvertImageCommand magick/command.c:4365
    #10 0x436b0d in MagickCommand magick/command.c:8889
    #11 0x45f2ca in GMCommandSingle magick/command.c:17434
    #12 0x45f516 in GMCommand magick/command.c:17487
    #13 0x40cc65 in main utilities/gm.c:61
    #14 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/miff.c:428 ImportRLEPixels
Shadow bytes around the buggy address:
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27431==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190423 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64-pc-linux-gnu

Configured using the command:
  ./configure  'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

CVE-2019-19951: GraphicsMagick / Bugs / #608 heap-buffer-overflow in ImportRLEPixels of coders/miff.c

In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.

There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.

/home/graphicsmagick/utilities/gm convert ./heap\-buffer\-overflow\-READ\-0x08417e7a.webp ./test.pct
\==9938\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568
READ of size 1 at 0xf12147ff thread T0
    #0 0x8417e79 in EncodeImage coders/pict.c:1067
    #1 0x8421228 in WritePICTImage coders/pict.c:2408
    #2 0x80c6919 in WriteImage magick/constitute.c:2245
    #3 0x80c728f in WriteImages magick/constitute.c:2404
    #4 0x8072623 in ConvertImageCommand magick/command.c:6135
    #5 0x807ea51 in MagickCommand magick/command.c:8880
    #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #7 0x80abc86 in GMCommand magick/command.c:17465
    #8 0x80511ea in main utilities/gm.c:61
    #9 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)
    #10 0x80510f0  (/home/graphicsmagick/utilities/gm+0x80510f0)

0xf12147ff is located 1 bytes to the left of 65536\-byte region \[0xf1214800,0xf1224800)
allocated by thread T0 here:
    #0 0xf72bbdee in malloc (/usr/lib/i386\-linux\-gnu/libasan.so.2+0x96dee)
    #1 0x8132492 in MagickMalloc magick/memory.c:174
    #2 0x841f32a in WritePICTImage coders/pict.c:2126
    #3 0x80c6919 in WriteImage magick/constitute.c:2245
    #4 0x80c728f in WriteImages magick/constitute.c:2404
    #5 0x8072623 in ConvertImageCommand magick/command.c:6135
    #6 0x807ea51 in MagickCommand magick/command.c:8880
    #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #8 0x80abc86 in GMCommand magick/command.c:17465
    #9 0x80511ea in main utilities/gm.c:61
    #10 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap\-buffer\-overflow coders/pict.c:1067 EncodeImage
Shadow bytes around the buggy address:
  0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==9938\==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot\-20191208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002\-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (\> 32 bit)   yes
  Large Memory (\> 32 bit)  no
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG\-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64\-pc\-linux\-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '\--enable-shared=no'

Final Build Parameters:
  CC       \= gcc
  CFLAGS   \= \-fopenmp \-g \-fsanitize\=address \-Wall \-pthread
  CPPFLAGS \= \-I/usr/include/freetype2 \-I/usr/include/libxml2
  CXX      \= g++
  CXXFLAGS \= \-pthread
  LDFLAGS  \= 
  LIBS     \= \-ljbig \-lwebp \-lwebpmux \-llcms2 \-ltiff \-lfreetype \-ljasper \-ljpeg \-lpng12 \-lwmflite \-lXext \-lSM \-lICE \-lX11 \-llzma \-lbz2 \-lxml2 \-lz \-lm \-lpthread

CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c

HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core before 8.7.7 allows out-of-bounds access, as demonstrated by mishandling of an array copy during parsing of ICal data.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2019-19907: Kopano

ATasm 1.06 has a stack-based buffer overflow in the to_comma() function in asm.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#8 Stack-based buffer overflow in the to\_comma() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the to\_comma() function, in asm.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==15033\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffec9190ef0 at pc 0x0000004ce38e bp 0x7ffec9190e30 sp 0x7ffec9190e28
WRITE of size 1 at 0x7ffec9190ef0 thread T0
    #0 0x4ce38d in to\_comma /home/fcambus/atasm/src/asm.c:1126:11
    #1 0x4ce38d in do\_xbyte /home/fcambus/atasm/src/asm.c:1346:9
    #2 0x4cfe17 in proc\_sym /home/fcambus/atasm/src/asm.c:1553:7
    #3 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f32f46441e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffec9190ef0 is located in stack of thread T0 at offset 176 in frame
    #0 0x4cc7af in do\_xbyte /home/fcambus/atasm/src/asm.c:1299

  This frame has 2 object(s):
    \[32, 64) 'buf.i' (line 736)
    \[96, 176) 'buf' (line 1301) <== Memory access at offset 176 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/asm.c:1126:11 in to\_comma
Shadow bytes around the buggy address:
  0x10005922a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
\=>0x10005922a1d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00\[f3\]f3
  0x10005922a1e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a200: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x10005922a210: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10005922a220: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==15033\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19785: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the parse_expr() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#9 Stack-based buffer overflow in the parse\_expr() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the parse\_expr() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==29838\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fff079a8b00 at pc 0x0000004e0478 bp 0x7fff079a8a70 sp 0x7fff079a8a68
WRITE of size 1 at 0x7fff079a8b00 thread T0
    #0 0x4e0477 in parse\_expr /home/fcambus/atasm/src/setparse.c:83:13
    #1 0x4e236d in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:319:5
    #2 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #3 0x4d3deb in proc\_sym /home/fcambus/atasm/src/asm.c:1678:14
    #4 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #5 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #6 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #7 0x7fad7a5101e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #8 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7fff079a8b00 is located in stack of thread T0 at offset 128 in frame
    #0 0x4dfd9f in parse\_expr /home/fcambus/atasm/src/setparse.c:71

  This frame has 2 object(s):
    \[32, 36) 'v' (line 72)
    \[48, 128) 'expr' (line 73) <== Memory access at offset 128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:83:13 in parse\_expr
Shadow bytes around the buggy address:
  0x100060f2d110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d150: f1 f1 f1 f1 04 f2 00 00 00 00 00 00 00 00 00 00
\=>0x100060f2d160:\[f3\]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d170: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x100060f2d180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100060f2d190: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100060f2d1a0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==29838\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19786: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the get_signed_expression() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#10 Stack-based buffer overflow in the get\_signed\_expression() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the get\_signed\_expression() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==10633\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffe5c1b3480 at pc 0x0000004e27ea bp 0x7ffe5c1b3210 sp 0x7ffe5c1b3208
WRITE of size 1 at 0x7ffe5c1b3480 thread T0
    #0 0x4e27e9 in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:179:14
    #1 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #2 0x4c8de1 in add\_label /home/fcambus/atasm/src/asm.c
    #3 0x4d5563 in do\_cmd /home/fcambus/atasm/src/asm.c:1934:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f1cbb2811e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffe5c1b3480 is located in stack of thread T0 at offset 608 in frame
    #0 0x4e08bf in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:157

  This frame has 4 object(s):
    \[32, 288) 'err.i' (line 136)
    \[352, 608) 'buf' (line 158) <== Memory access at offset 608 overflows this variable
    \[672, 928) 'work' (line 158)
    \[992, 1005) 'math' (line 162)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:179:14 in get\_signed\_expression
Shadow bytes around the buggy address:
  0x10004b82e640: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e650: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e660: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10004b82e690:\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10004b82e6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6b0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e6c0: 00 05 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==10633\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19787: ATasm: 6502 cross-assembler / Bugs

HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() function in string.c (when called from render_contents in ps-pdf.cxx) via a crafted HTML document.

Hi,

While fuzzing htmldoc with Honggfuzz, I found a stack-based buffer overflow in the hd\_strlcpy() function, in string.c.

Attaching a reproducer (gzipped so GitHub accepts it): test01.html.gz

Issue can be reproduced by running:

    htmldoc test01.html -f test01.ps
    

    =================================================================
    ==27915==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffefa66f0df at pc 0x000000494c40 bp 0x7ffefa66f070 sp 0x7ffefa66e838
    WRITE of size 3 at 0x7ffefa66f0df thread T0
        #0 0x494c3f in __asan_memcpy (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f)
        #1 0x556aa5 in hd_strlcpy /home/fcambus/htmldoc-1.9.7/htmldoc/string.c:191:3
        #2 0x509ee3 in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3765:5
        #3 0x4f3cfb in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3853:13
        #4 0x4f3f6c in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx
        #5 0x4e4fce in pspdf_export /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:860:5
        #6 0x4d17bb in main /home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc.cxx:1276:3
        #7 0x7f68626141e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
        #8 0x41d84d in _start (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x41d84d)
    
    Address 0x7ffefa66f0df is located in stack of thread T0 at offset 63 in frame
        #0 0x5084be in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3563
    
      This frame has 2 object(s):
        [32, 44) 'rgb' (line 3564)
        [64, 1088) 'number' (line 3570) <== Memory access at offset 63 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10005f4c5dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10005f4c5e10: 00 00 00 00 f1 f1 f1 f1 00 04 f2[f2]00 00 00 00
      0x10005f4c5e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==27915==ABORTING

CVE-2019-19630: Stack-based buffer overflow in the hd_strlcpy() function · Issue #370 · michaelrsweet/htmldoc

In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.

*   CVE-2019-19448
    *   Target
    *   Bug Type
    *   Abstract
    *   Reproduce
    *   Details
        *   Debug View
        *   Bug Causes
        *   KASAN logs
    *   Conclusion
    *   Discoverer
    *   Acknowledgments

**Target**

Linux kernel btrfs FileSystem

Linux Version

Availablity

5.0.21

True

5.3.11

True

**Bug Type**

Use After Free

**Abstract**

syncfs syscall after some operation with crafted image can cause use-after-free vulnerability in try_merge_free_space

**Reproduce**

gcc -o poc poc\_2019\_19448.c
mkdir mnt
mount poc\_2019\_19448.img ./mnt
cp poc ./mnt/
cd mnt
./poc

**Details****Debug View**

    ─────────────────────────────────────────────────────────── registers ────
    $rax   : 0x0000000000000001  →  0x0000000000000001
    $rbx   : 0xffff88806cf59138  →  0x0000000000000000  →  0x0000000000000000
    $rcx   : 0xffff888067a6aa80  →  0xffff88806cf59138  →  0x0000000000000000 →  0x0000000000000000
    $rdx   : 0x00000000000a17c8  →  0x00000000000a17c8
    $rsp   : 0xffff8880649bfa60  →  0x0000000000001001  →  0x0000000000001001
    $rbp   : 0xffff88806a2491a0  →  0xffff88806a2491a0  →  [loop detected]
    $rsi   : 0xffff88806a6388c0  →  0x0000607f92802900  →  0x0000607f92802900
    $rdi   : 0xffff88806cf59168  →  0x0000000000000000  →  0x0000000000000000
    $rip   : 0xffffffff81625d82  →  0x7d8349ffcbea59e8  →  0x7d8349ffcbea59e8
    $r8    : 0x00000000214fbdaa  →  0x00000000214fbdaa
    $r9    : 0xffffed100daa632c  →  0x0000000000000000  →  0x0000000000000000
    $r10   : 0x0000000000000001  →  0x0000000000000001
    $r11   : 0xffffed100daa632b  →  0x0000000000000000  →  0x0000000000000000
    $r12   : 0xffff888067a7c600  →  0x0000000000000001  →  0x0000000000000001
    $r13   : 0xffff88806cf59138  →  0x0000000000000000  →  0x0000000000000000
    $r14   : 0xffff888067a7c608  →  0xffff88806a2490d0  →  0x0000000000000001 →  0x0000000000000001
    $r15   : 0x0000000001c04000  →  0x0000000001c04000
    $eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflowresume virtualx86 identification]
    $cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
    ─────────────────────────────────────────────────────────────── stack ────
    0xffff8880649bfa60│+0x0000: 0x0000000000001001  →  0x0000000000001001	 ← $rsp
    0xffff8880649bfa68│+0x0008: 0xffff88806a2491c0  →  0x0000000000007000  →0x0000000000007000
    0xffff8880649bfa70│+0x0010: 0x000000016a2491a0  →  0x000000016a2491a0
    0xffff8880649bfa78│+0x0018: 0xffff88806a2491b8  →  0x0000000001c04000  →0x0000000001c04000
    0xffff8880649bfa80│+0x0020: 0xffff88806cf59158  →  0x0000000000006000  →0x0000000000006000
    0xffff8880649bfa88│+0x0028: 0xffffffff81625cd2  →  0x5541564118468d48  →0x5541564118468d48
    0xffff8880649bfa90│+0x0030: 0xffff888067a7c600  →  0x0000000000000001  →0x0000000000000001
    0xffff8880649bfa98│+0x0038: 0xffff88806a2491a0  →  0xffff88806a2491a0  →[loop detected]
    ───────────────────────────────────────────────────────── code:x86:64 ────
       0xffffffff81625d79 <try_merge_free_space+169> je     0xffffffff81625d92 <try_merge_free_space+194>
       0xffffffff81625d7b <try_merge_free_space+171> lea    rdi, [r13+0x30]
       0xffffffff81625d7f <try_merge_free_space+175> mov    BYTE PTR [rsp], al
     → 0xffffffff81625d82 <try_merge_free_space+178> call   0xffffffff812e47e0 <__asan_load8>
       ↳  0xffffffff812e47e0 <__asan_load8_noabort+0> movabs rax, 0xffff7fffffffffff
          0xffffffff812e47ea <__asan_load8_noabort+10> mov    rcx, QWORD PTR [rsp]
          0xffffffff812e47ee <__asan_load8_noabort+14> cmp    rdi, rax
          0xffffffff812e47f1 <__asan_load8_noabort+17> jbe    0xffffffff812e4824 <__asan_load8+68>
          0xffffffff812e47f3 <__asan_load8_noabort+19> lea    rax, [rdi+0x7]
          0xffffffff812e47f7 <__asan_load8_noabort+23> mov    rdx, rax
    ─────────────────────────────────────────────────────────── arguments ────
    __asan_load8 (
       long unsigned int var_0 = 0xffff88806cf59168 → 0x0000000000000000 → 0x0000000000000000
    )
    ───────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "", stopped, reason: BREAKPOINT
    [#1] Id 2, Name: "", stopped, reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────── trace ────
    [#0] 0xffffffff81625d82 → try_merge_free_space(ctl=0xffff888067a7c600, info=0xffff88806a2491a0, update_stat=<optimized out>)
    [#1] 0xffffffff81629539 → __btrfs_add_free_space(fs_info=<optimized out>,ctl=0xffff888067a7c600, offset=<optimized out>, bytes=0x1000)
    [#2] 0xffffffff81580277 → btrfs_add_free_space(block_group=<optimized out>, block_group=<optimized out>, size=<optimized out>, bytenr=<optimized out>)
    [#3] 0xffffffff81580277 → unpin_extent_range(fs_info=0xffff8880650968a0, start=0x1c04000, end=<optimized out>, return_free_space=<optimized out>)
    [#4] 0xffffffff815849ba → btrfs_finish_extent_commit(trans=0xffff88806bb3a150)
    [#5] 0xffffffff815ae355 → btrfs_commit_transaction(trans=0xffff88806bb3a150)
    [#6] 0xffffffff813499e2 → __sync_filesystem(wait=<optimized out>, sb=<optimized out>)
    [#7] 0xffffffff813499e2 → sync_filesystem(sb=0xffff88806487f700)
    [#8] 0xffffffff81349b07 → __do_sys_syncfs(fd=<optimized out>)
    [#9] 0xffffffff81349b07 → __se_sys_syncfs(fd=<optimized out>)
    ──────────────────────────────────────────────────────────────────────────
    
    Thread 2 hit Breakpoint 1, 0xffffffff81625d82 in try_merge_free_space (ctl=0xffff888067a7c600, info=0xffff88806a2491a0, update_stat=<optimized out>) at fs/btrfs/free-space-cache.c:2191
    2191	in fs/btrfs/free-space-cache.c
    gef➤  p right_info
    $13 = (struct btrfs_free_space *) 0xffff88806cf59138
    gef➤  p left_info
    $14 = (struct btrfs_free_space *) 0xffff88806cf59138
    gef➤
    

local variable right_info equals left_info.

**Bug Causes**

**fs/btrfs/free-space-cache.c:2191** (link)

static bool try\_merge\_free\_space(struct btrfs\_free\_space\_ctl \*ctl,
			  struct btrfs\_free\_space \*info, bool update\_stat)
{
	struct btrfs\_free\_space \*left\_info;
	struct btrfs\_free\_space \*right\_info;
	bool merged = false;
	u64 offset = info->offset;
	u64 bytes = info->bytes;

	/\*
	 \* first we want to see if there is free space adjacent to the range we
	 \* are adding, if there is remove that struct and add a new one to
	 \* cover the entire range
	 \*/
\[1\]	right\_info = tree\_search\_offset(ctl, offset + bytes, 0, 0);
	if (right\_info && rb\_prev(&right\_info->offset\_index))
		left\_info = rb\_entry(rb\_prev(&right\_info->offset\_index),
				     struct btrfs\_free\_space, offset\_index);
	else
\[1\]		left\_info = tree\_search\_offset(ctl, offset - 1, 0, 0);

	if (right\_info && !right\_info->bitmap) {
		if (update\_stat)
			unlink\_free\_space(ctl, right\_info);
		else
			\_\_unlink\_free\_space(ctl, right\_info);
		info->bytes += right\_info->bytes;
\[2\]		kmem\_cache\_free(btrfs\_free\_space\_cachep, right\_info);
		merged = true;
	}

\[3\]	if (left\_info && !left\_info->bitmap &&
	    left\_info->offset + left\_info->bytes == offset) {
		if (update\_stat)
			unlink\_free\_space(ctl, left\_info);
		else
			\_\_unlink\_free\_space(ctl, left\_info);
		info->offset = left\_info->offset;
		info->bytes += left\_info->bytes;
		kmem\_cache\_free(btrfs\_free\_space\_cachep, left\_info);
		merged = true;
	}

	return merged;
}

in \[1\] tree_search_offset returns same ptr(right_info == left_info), and use left_info\[3\] after freeing right_info\[2\]

**KASAN logs**

    [  129.924437] ==================================================================
    [  129.924437] BUG: KASAN: use-after-free in try_merge_free_space+0xb7/0x2e0
    [  129.924437] Read of size 8 at addr ffff88806cf59168 by task poc/220
    [  129.924437]
    [  129.924437] CPU: 1 PID: 220 Comm: poc Not tainted 5.3.11 #1
    [  129.924437] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
    [  129.924437] Call Trace:
    [  129.924437]  dump_stack+0x76/0xab
    [  129.924437]  print_address_description+0x70/0x3a0
    [  129.924437]  ? try_merge_free_space+0xb7/0x2e0
    [  129.924437]  __kasan_report+0x13a/0x19b
    [  129.924437]  ? try_merge_free_space+0xb7/0x2e0
    [  129.924437]  ? try_merge_free_space+0xb7/0x2e0
    [  129.924437]  kasan_report+0xe/0x20
    [  129.924437]  try_merge_free_space+0xb7/0x2e0
    [  129.924437]  ? try_merge_free_space+0x2/0x2e0
    [  129.924437]  __btrfs_add_free_space+0x89/0x5f0
    [  129.924437]  ? rb_erase+0x1bd/0x830
    [  129.924437]  ? block_group_cache_tree_search+0x12f/0x150
    [  129.924437]  unpin_extent_range+0x537/0x930
    [  129.924437]  ? __set_extent_bit+0x850/0x850
    [  129.924437]  ? __exclude_logged_extent+0x150/0x150
    [  129.924437]  ? cache_state_if_flags.part.32+0x10/0x30
    [  129.924437]  btrfs_finish_extent_commit+0x13a/0x450
    [  129.924437]  ? pagecache_get_page+0x20b/0x330
    [  129.924437]  ? __wait_on_bit+0x150/0x150
    [  129.924437]  ? btrfs_prepare_extent_commit+0x190/0x190
    [  129.924437]  ? __find_get_block+0x40d/0x450
    [  129.924437]  ? write_all_supers+0x635/0x1590
    [  129.924437]  btrfs_commit_transaction+0xd15/0x1100
    [  129.924437]  ? btrfs_apply_pending_changes+0x80/0x80
    [  129.924437]  ? btrfs_attach_transaction_barrier+0x19/0x50
    [  129.924437]  sync_filesystem+0xd2/0x110
    [  129.924437]  __x64_sys_syncfs+0x57/0x90
    [  129.924437]  do_syscall_64+0x5e/0x190
    [  129.924437]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  129.924437] RIP: 0033:0x7f6306075469
    [  129.924437] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
    [  129.924437] RSP: 002b:00007ffd2a5aeba8 EFLAGS: 00000286 ORIG_RAX: 0000000000000132
    [  129.924437] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6306075469
    [  129.924437] RDX: ffffffffffffff98 RSI: 00007f6306075469 RDI: 0000000000000003
    [  129.924437] RBP: 00007ffd2a5b2d40 R08: 00007ffd2a5b2e28 R09: 00007ffd2a5b2e28
    [  129.924437] R10: 00007ffd2a5b2e28 R11: 0000000000000286 R12: 00005606df5a65d0
    [  129.924437] R13: 00007ffd2a5b2e20 R14: 0000000000000000 R15: 0000000000000000
    [  129.924437]
    [  129.924437] Allocated by task 220:
    [  129.924437]  save_stack+0x19/0x80
    [  129.924437]  __kasan_kmalloc+0xd5/0xf0
    [  129.924437]  kmem_cache_alloc+0xb3/0x1d0
    [  129.924437]  __btrfs_add_free_space+0x39/0x5f0
    [  129.924437]  unpin_extent_range+0x537/0x930
    [  129.924437]  btrfs_finish_extent_commit+0x13a/0x450
    [  129.924437]  btrfs_commit_transaction+0xd15/0x1100
    [  129.924437]  sync_filesystem+0xd2/0x110
    [  129.924437]  __x64_sys_syncfs+0x57/0x90
    [  129.924437]  do_syscall_64+0x5e/0x190
    [  129.924437]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  129.924437]
    [  129.924437] Freed by task 220:
    [  129.924437]  save_stack+0x19/0x80
    [  129.924437]  __kasan_slab_free+0x132/0x180
    [  129.924437]  kmem_cache_free+0x75/0x280
    [  129.924437]  try_merge_free_space+0x276/0x2e0
    [  129.924437]  __btrfs_add_free_space+0x89/0x5f0
    [  129.924437]  unpin_extent_range+0x537/0x930
    [  129.924437]  btrfs_finish_extent_commit+0x13a/0x450
    [  129.924437]  btrfs_commit_transaction+0xd15/0x1100
    [  129.924437]  sync_filesystem+0xd2/0x110
    [  129.924437]  __x64_sys_syncfs+0x57/0x90
    [  129.924437]  do_syscall_64+0x5e/0x190
    [  129.924437]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  129.924437]
    [  129.924437] The buggy address belongs to the object at ffff88806cf59138
    [  129.924437]  which belongs to the cache btrfs_free_space of size 72
    [  129.924437] The buggy address is located 48 bytes inside of
    [  129.924437]  72-byte region [ffff88806cf59138, ffff88806cf59180)
    [  129.924437] The buggy address belongs to the page:
    [  129.924437] page:ffffea0001b3d640 refcount:1 mapcount:0 mapping:ffff88806a6388c0 index:0x0
    [  129.924437] flags: 0x100000000000200(slab)
    [  129.924437] raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806a6388c0
    [  129.924437] raw: 0000000000000000 0000000080270027 00000001ffffffff 0000000000000000
    [  129.924437] page dumped because: kasan: bad access detected
    [  129.924437]
    [  129.924437] Memory state around the buggy address:
    [  129.924437]  ffff88806cf59000: 00 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00
    [  129.924437]  ffff88806cf59080: 00 00 00 00 00 00 fc fc fc fc 00 00 00 00 00 00
    [  129.924437] >ffff88806cf59100: 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb fb
    [  129.924437]                                                           ^
    [  129.924437]  ffff88806cf59180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [  129.924437]  ffff88806cf59200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [  129.924437] ==================================================================
    [  129.924437] Disabling lock debugging due to kernel taint
    [  130.400869] WARNING: CPU: 1 PID: 220 at fs/btrfs/free-space-cache.c:1480 tree_insert_offset+0x75/0xe0
    [  130.400869] Modules linked in:
    [  130.400869] CPU: 1 PID: 220 Comm: poc Tainted: G    B             5.3.11 #1
    [  130.400869] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
    [  130.400869] RIP: 0010:tree_insert_offset+0x75/0xe0
    [  130.400869] Code: ff 49 8b 1f 48 85 db 74 2a 48 8d 7b 18 e8 e3 ee cb ff 4c 39 63 18 76 bf 4c 8d 7b 10 eb d8 e8 d2 ee cb ff 48 83 7b 30 00 75 ee <0f> 0b b8 ef ff ff ff eb 3e 4c 89 f7 e8 3a ef cb ff 49 8d 7e 08 49
    [  130.400869] RSP: 0018:ffff8880649bfa60 EFLAGS: 00000246
    [  130.400869] RAX: 0000000000000000 RBX: ffff88806a249068 RCX: ffffffff8162590e
    [  130.400869] RDX: dffffc0000000000 RSI: 0000000001c09000 RDI: ffff88806a249098
    [  130.400869] RBP: ffff88806a2490d0 R08: 0000000000000000 R09: ffffed100c937f4e
    [  130.400869] R10: 0000000000000001 R11: ffffed100c937f4e R12: 0000000001c09000
    [  130.400869] R13: 0000000000000000 R14: ffff88806a249270 R15: ffff88806a2490e0
    [  130.400869] FS:  00007f630654e440(0000) GS:ffff88806d500000(0000) knlGS:0000000000000000
    [  130.400869] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  130.400869] CR2: 00007f07b731d010 CR3: 0000000067834000 CR4: 00000000000006e0
    [  130.400869] Call Trace:
    [  130.400869]  link_free_space+0x3f/0x80
    [  130.400869]  __btrfs_add_free_space+0xb8/0x5f0
    [  130.400869]  ? rb_erase+0x1bd/0x830
    [  130.400869]  unpin_extent_range+0x537/0x930
    [  130.400869]  ? __set_extent_bit+0x850/0x850
    [  130.400869]  ? __exclude_logged_extent+0x150/0x150
    [  130.400869]  ? cache_state_if_flags.part.32+0x10/0x30
    [  130.400869]  btrfs_finish_extent_commit+0x13a/0x450
    [  130.400869]  ? pagecache_get_page+0x20b/0x330
    [  130.400869]  ? __wait_on_bit+0x150/0x150
    [  130.400869]  ? btrfs_prepare_extent_commit+0x190/0x190
    [  130.400869]  ? __find_get_block+0x40d/0x450
    [  130.400869]  ? write_all_supers+0x635/0x1590
    [  130.400869]  btrfs_commit_transaction+0xd15/0x1100
    [  130.400869]  ? btrfs_apply_pending_changes+0x80/0x80
    [  130.400869]  ? btrfs_attach_transaction_barrier+0x19/0x50
    [  130.400869]  sync_filesystem+0xd2/0x110
    [  130.400869]  __x64_sys_syncfs+0x57/0x90
    [  130.400869]  do_syscall_64+0x5e/0x190
    [  130.400869]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  130.400869] RIP: 0033:0x7f6306075469
    [  130.400869] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
    [  130.400869] RSP: 002b:00007ffd2a5aeba8 EFLAGS: 00000286 ORIG_RAX: 0000000000000132
    [  130.400869] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6306075469
    [  130.400869] RDX: ffffffffffffff98 RSI: 00007f6306075469 RDI: 0000000000000003
    [  130.400869] RBP: 00007ffd2a5b2d40 R08: 00007ffd2a5b2e28 R09: 00007ffd2a5b2e28
    [  130.400869] R10: 00007ffd2a5b2e28 R11: 0000000000000286 R12: 00005606df5a65d0
    [  130.400869] R13: 00007ffd2a5b2e20 R14: 0000000000000000 R15: 0000000000000000
    [  130.400869] ---[ end trace af3d70351e521739 ]---
    [  130.451152] BTRFS critical (device loop0): unable to add free space :-17
    [  130.512290] BTRFS critical (device loop0): unable to add free space :-17
    

**Conclusion**

in try_merge_free_space function, local variable right_info and left_info can be same value.

it can be lead to arbitrary-address-free or double-free vulnerability by attacker.

**Discoverer**

Team bobfuzzer

**Acknowledgments**

This Project used ported version(to 5.0.21 and 5.3.14 linux kernel) of filesystem fuzzer 'JANUS' which developed by GeorgiaTech Systems Software & Security Lab(SSLab)

Thank you for the excellent fuzzer and paper below.

*   sslab-gatech/janus
*   Fuzzing File Systems via Two-Dimensional Input Space Exploration (IEEE S&P 2019)

Tag

#c++