In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distributed in TeXLive and other collections, sprintf is mishandled.

Expand Up @@ -76,7 +76,7 @@ Science Park 105, 1098 XG Amsterdam, The Netherlands} \\\\ \\texttt{t68 at nikhef dot nl} \\\\ \\vspace{1.0cm} (15 February 2018) (2 September 2019) \\end{center} \\vspace{5mm}  
Expand Down Expand Up @@ -397,22 +397,18 @@ \\subsection{Installation from standard \\TeX{} distribution} At the moment that this document was updated (January 2018), axodraw2 was part of both the main \\TeX{} distributions, TeXLive and MiKTeX. The easiest way to install axodraw2 is therefore from the package manager of your \\TeX{} distribution. (There is one complication concerning the \\program{axohelp} program --- see below.) manager of your \\TeX{} distribution.  
You can also obtain axodraw2 from CTAN at \\url{http://ctan.org/pkg/axodraw2}, and install it manually, following the instructions in Sec.\\ \\ref{sec:manual.install} below.  
\\paragraph{\\program{axohelp} in TeXLive} In TeXLive 2017, a binary executable for the \\program{axohelp} was not provided, even though the rest of the axodraw2 package was provided. Thus you could use axodraw2 with the \\program{latex} but not with \\program{pdflatex} unless you compiled and installed the program \\program{axohelp} yourself following the instructions below. This is planned to be changed in TeXLive 2018, when \\program{axohelp} should be provided as part of the distribution when the package axodraw2 is installed from the package manager. In TeXLive 2018 and later, a binary executable for the \\program{axohelp} is provided, as part of the \\program{axodraw2} package. So \\program{axohelp} is available provided that the \\program{axodraw2} package is installed..  
  
\\paragraph{\\program{axohelp} in MiKTeX} The axodraw2 package including an executable \\program{axohelp.exe} was Expand Down Expand Up @@ -454,44 +450,49 @@ \\subsubsection{Style file \\texorpdfstring{\\protect\\file{axodraw2.sty}}{axodraw2. supplemented by running the relevant commands with the \\program{sudo} program.  
But note that if you later install the axodraw2 package from the package manager of you \\TeX{} distribution, it's a good idea to delete the files you installed manually. Otherwise when you use axodraw2 in a document, then the wrong version of \\file{axodraw2.sty} may get used. This is a particularly important issue after possible future updates to axodraw2 get installed by the package manager. If you later install the axodraw2 package from the package manager of your \\TeX{} distribution, it's a good idea to delete the files you installed manually. Otherwise when you use axodraw2 in a document, then the wrong version of \\file{axodraw2.sty} may get used. This is a particularly important issue after possible future updates to axodraw2 get installed by the package manager.  
%\-- \\subsubsection{Helper program \\program{axohelp}} \\label{sec:axohelp}  
If you wish to use axodraw2 with \\program{pdflatex}, \\program{lualatex}, or \\program{xelatex}., then you need to install the \\program{axohelp} program.  
On a Unix-like system (e.g., linux or OS-X), you first need to compile the program by a C compiler. An appropriate shell command to do this is If you wish to use axodraw2 with \\program{pdflatex}, \\program{lualatex}, or \\program{xelatex}, then you need to install the \\program{axohelp} program. \\emph{(It is useful to reiterate here that the standard distributions of \\TeX{} currently supply the \\program{axohelp} program. So the steps described here are only necessary if for some reason you wish to do a manual installation. One possible reason is to use a recent update of \\program{axohelp}, since TeXLive normally only supplies updated versions of binary executable files with the initial release of one of TeXLive's yearly versions.)}  
To install \\program{axohelp} manually, you will first need to compile the program by a C compiler. Under a Unix-like operating system (linux or macOS) an appropriate shell command is \\begin{verbatim} cc -o axohelp -O3 axohelp.c -lm \\end{verbatim} (Note that this is a C compiler, \\emph{not} a C++ compiler.) Most linux systems have the program \\program{cc} already installed. This also applies to OS-X at versions below 10.7. But on OS-X version 10.7 and higher, you macOS(OS-X) at versions below 10.7. But on macOS version 10.7 and higher, you will need to install a compiler, which can be done by installing XCode and the associated command-line utilities. If you have the GNU compilers installed, you might need to use the command \\program{gcc} instead of \\program{cc}.  
For Microsoft Windows, if you do not have a C compiler available, you can use the Windows binary \\file{axohelp.exe} we have provided. It was compiled on Windows 10, and should work with at least that version of Windows. For Microsoft Windows, you will need to have installed a C compiler, and use it to compile \\file{axohelp.c}.  
In any case once you have the executable (named \\program{axohelp} on unix-like systems, or \\program{axohelp.exe} on a Microsoft system), put it in a directory where it will be found when you run programs from the command line. Once you have the executable (named \\program{axohelp} on Unix-like systems, or \\program{axohelp.exe} on a Microsoft system), put it in a directory where it will be found when you run programs from the command line.  
  
%\-- Expand Down

CVE-2019-18604: axohelp 1.3 · TeX-Live/texlive-source@9216833

Over the course of my internship at the Microsoft Security Response Center (MSRC), I worked on the safe systems programming languages (SSPL) team to promote safer languages for systems programming where runtime overhead is important, as outlined in this blog. My job was to port a security critical network processing agent into Rust to eliminate the memory safety bugs that had plagued it.

Over the course of my internship at the Microsoft Security Response Center (MSRC), I worked on the safe systems programming languages (SSPL) team to promote safer languages for systems programming where runtime overhead is important, as outlined in this blog. My job was to port a security critical network processing agent into Rust to eliminate the memory safety bugs that had plagued it. I had never used Rust prior to this project, so here are my experiences learning the language while working on the port. I hope this is helpful to anyone else who’s learning the language.

**First lesson: Rust isn’t as hard as I expected First lesson: Rust isn’t as hard as I expected**

Rust has been touted as a difficult language to learn, but I didn’t find it that difficult, and certainly easier than C++. That may sound surprising, but we need to talk about comparing languages. It is easier to write a compiled program in C++ than Rust, but it is also easier for this program to be incorrect and unsafe. When comparing the difficulty of languages, we need to consider them in context of what code can be feasibly written as both a beginner and an experienced user of the language.

Learning Rust was great. It took me less than a month to be confident with the language (of course you are never done learning a language, but this was where I was confident to write anything required in Rust). I learned through the many great resources and my strict teacher, the compiler. The compiler’s error messages are justly famous for how useful they are. Through the error messages, Rust enforces safe programming concepts by telling you exactly why the code isn’t correct, while providing possible suggestions on how to fix it. There is also a great community offering of tools and resources to learn and use Rust. I used the Rust book and Rust by example (which I contributed back to), but there are many great unofficial resources out there such as Rust for systems programmers or learning Rust with entirely too many linked lists. The tooling is also very useful, with Clippy for linting, Rustfmt for formatting, and crates.io with many packages for most problems that you may face.

Note: For my project I used a packet parsing crate to which I contributed with code to parse an extra packet type.

**Rust helped me grasp concepts I should have known when writing C++ Rust helped me grasp concepts I should have known when writing C++**

I’ve programmed C++ for some time, starting out in the Arduino ecosystem, moving on to learn C and C++ formally at university. While at university I also worked on several C & C++ projects. Lots of the code that I wrote during this time was not good. However, I didn’t realise just _how_ bad it may have been until I started learning Rust.

I found that I hadn’t really grasped some key concepts. For example, lifetimes, often cited as the most difficult concept to learn when writing Rust, is something I should have formally known in C++. I _understood_ objects having a period where they are valid to be accessed, but I had not formalised this in my mind. I could (and did) write code that could have used these objects outside of those lifetimes and had no idea that I was doing things wrong. Of course, if the code seg-faults then I’d see that something is wrong, but if it is only down one uncommon code path I am far less likely to notice it. Rust, in contrast, is always explicit at compile time when you are using a resource in an incorrect way.

It wasn’t just lifetimes that Rust taught me, but other concepts like ownership and Resource Acquisition Is Initialisation (RAII). Again, these weren’t concepts that I thought about when I was writing C++. Even knowing these concepts now, C++ expects me to manage their usage myself, which leads code to be far more error-prone.

**Rust code is wonderful to write and read Rust code is wonderful to write and read**

When learning the language, I fell in love with so many programming concepts in Rust. I want to look at two idioms in Rust to see why I think Rust is so nice to write and read.

To look at idiomatic Rust code let’s take an equivalent C++ program, directly convert it into Rust, and then see how Rust concepts can improve its readability. Here’s an example manufactured C++ snippet:

Which in unidiomatic, directly copied Rust is:

Using these if-else statements does not look clean, and certainly would not be the way to do it in Rust. Rust provides the match statement, a more powerful switch statement that provides pattern matching:

You can see the safety measures that Rust enforces, helping to prevent mistakes in the code. However, this still isn’t how it would be done in idiomatic Rust. Earlier I said that this was a match statement, well that isn’t entirely true. Match is really an expression that can return values. This allows us to rewrite it as this:

This is far more concise and allows us to see all the logic in one place. RAII is also easier to enforce (if _n_ was a type we were creating on the heap for example). As a further example of using match as an expression, this code can be optionally rewritten to not need the _n_:

It also isn’t just match that is an expression, this extends to most items in Rust, such as ifs and loops.

These are only two of the many programming concepts that make Rust wonderful to use. There are many more that I love such as traits (particularly From/Into and the ability to derive them), enums that hold data, the Result type and error handling through the ‘?’ operator, the newtype idiom, and more. Hopefully, seeing these examples here will interest people enough to explore the other features that the language offers.

**In summary In summary**

Learning Rust has been a great experience for my Rust port, and I hope that through this blog post you can see why. The community resources make learning the language an enjoyable experience. Also, thanks to its strict compiler, correctness and better programming techniques can be better enforced, while the syntax of the language allows for clearer code.

_Alexander Clarke, Software Engineer Intern, MSRC_

An intern's experience with Rust

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

$nostromo: ChangeLog,v 1.241 2022/12/15 19:18:41 hacki Exp $ 2.1 === - Fix a vulnerability reported by Riccardo Krauter @ SoterITSecurity: If nostromo runs non-chrooted, and with the 'homedirs' configuration option enabled (disabled by default), an attacker can exploit a vulnerability to access files or execute programs (as CGI) outside of the server root directory. For that a specific request URL needs to be crafted by the attacker. 2.0 === - Fix compiling on NetBSD by suppressing the -Wall compiler option. Otherwise compiling breaks due to snprintf() truncate warnings. - Fix sizeof(http\_url) to sizeof(http\_urls) for the http\_urls buffer. Had no impact since both buffers anyway have the same size. - Replace SSL\_CTX\_use\_certificate\_file() with SSL\_CTX\_use\_certificate\_chain\_file(), so that the full certificate chain can be verified. - Update to libmy-2.1, which makes libbsd obsolete, and fixes compiling on FreeBSD. 1.9.9 ===== - Stupid me, forgot to bump the version in the last release! 1.9.8 ===== - Fix a potential segfault which can happen during nhttpd startup when reading a malformed comment line in the nhttpd.conf file. This was was caused by a buffer overflow in the libmy-1.8 fparse() function. Therefore upgraded to libmy-1.9 which contains a fix for fparse(). The issue was reported by Christoffer Jerkeby. 1.9.7 ===== - Fix for CVE-2019-16278 discovered by sp0re. Issue: Due to the missing accounting of the '\\r' character in the libmy-1.7 strcutl() function, an attacker can bypass the directory traversal check in the http\_verify() function in a non-chrooted nhttpd server and thus remote execute unauthorized code. Solution: Fix the strcutl() function in libmy-1.8 as described in the libmy ChangeLog: - strcutl(): take account of the '\\r' character when it appears within a string instead of ignoring it. Improved logic and performance diff by Adrian Steinmann Therefore the injected '\\r' characters will now generate an invalid path resulting in a HTTP 404 response. - Fix for CVE-2019-16279 discovered by sp0re. Issue: The missing header count functionality in the http\_header\_comp() function allowed an attacker to transmit more headers than accepted by nhttpd resulting in a buffer overflow in the header array leading to DoS. Solution: Add the missing header count functionality to the http\_header\_comp() function. Transmission of too many headers will now result in a HTTP 413 response as initially intended. - Close the connection after an HTTP 413 response as we are allowed according to RFC 2626 HTTP/1.1 10.4.14. 1.9.6 ===== - Restore original errno value after handling SIGCHLD. Otherwise this could lead to a break out of the main select(2) loop and therefore of unexpected termination of nostromo. Spotted by Adam Wozniak, nice catch! - Change the crypt(3) API, which is used for basic authentication, to accept all supported algorithms not just DES. - Check crypt(3) for returning NULL to prevent the nhttpd process to core dump in this case. - Add server cache for basic authentication credentials to speed up performance. This will save us filesystem access to htpasswd and additional password encryption cpu cycles for crypt(3). - Add MD5, Blowfish-a, and Blowfish-b algorithm to the crypt(1) tool. - Replace rand(3) with arc4random(3) in the crypt(1) tool for OpenBSD, NetBSD, and FreeBSD. - Fix broken BSD authentication method for basic authentication. - Fix several bites to make nostromo compile cleanly on the tested platforms again which are OpenBSD, NetBSD, FreeBSD, and Linux. - Rewrote printenv CGI from perl to shell script. - Add support for SIGHUP configuration reload. - Make a child process use the default signals instead inheriting the parent process signal handler. This fixes some odd issues. - Update copyright year to 2004 - 2016 and add nostromo CVS Id to all files. 1.9.5 ===== - Handle "Location:" field correctly when passed by a CGI. Bug reported by Axel Gonzalez. 1.9.4 ===== - Update copyright year to 2004 - 2011. - Make nostromo compile again by default; Remove -Werror in src/nhttpd makefiles and #include to src/nhttpd/main.c. - Fix a bug where when nostromo doesn't run in chroot mode somebody can access files beyond our htdocs environment by using specific encoded characters in the request URI (security issue). Issue found and reported by RedTeam Pentesting GmbH. - Fix a bug where in certain conditions garbage is written into the access\_log user agent field. - Do proper handling of max. file descriptors and allow to bump the select(2) max. file descriptors limit (FD\_SETSIZE) via the CON define in config.h by dynamically allocating the fd\_sets. 1.9.3 ===== - Fix two err(3) calls which are lacking an \`%s' modifier (security issue). Patch from Simon Kuhnle. - Fix wrong select() / send\_file() looping (resulting in high process load occasionally), by fixing bogus EAGAIN error handling in sys\_write\_a(). - Fix missing \`\`.Ed'' in nhttpd.8 man page. 1.9.2 ===== - Fix a bug where a 403 response is returned instead of a 404 response. Patch from Szabolcs Nagy. - Style diff which fixes spacing from Daniel Ouellet. - Add optional \`\`homedirs\_public'' configuration parameter to restrict access within the home directories. Suggested by Simon Kuhnle. - Add mandatory \`\`serverlisten'' configuration parameter to allow specific interface binding. - Replaced libmy with latest version libmy-1.7. 1.9.1 ===== - Replace off\_t with intmax\_t integer type since problems have been reported with compiling on some 64bit Linux systems. Therefore we remove the GNU compiler option '-D\_FILE\_OFFSET\_BITS=64'. Initial diff received from Kurt Roeckx. - For unused, string based configuration options, use '\\0' instead strlcpy() '0' into the array. It's less disturbing and more straight. Diff received from Szabolcs Nagy. - Don't leave some alias specific buffers uninitialized, because it can happen that we access those later. Bug reported by Szabolcs Nagy. - According to RFC 3875 set the SERVER\_NAME environment variable dynamicly dependend on the "Host:" request header field instead setting it staticly to the configured servername. Bug reported by Szabolcs Nagy. - Fix a bug where a CGI "Status:" request for 403 or 404 caused a corrupt response header. Bug reported by Szabolcs Nagy. - The header field "Host:" is mandatory for HTTP/1.1 client requests. If it doesn't exist return 400 Bad Request instead of further processing the request. Bug reported by Szabolcs Nagy. - Drop MacOSX support. Too many tweaks with recent MacOSX versions for compiling. - Update copyright year to 2004 - 2009. - Fix sys\_log() by replacing syslog() with vsyslog() so the string arguments get passed. While here move from LOG\_DEBUG to LOG\_INFO. - Replaced libmy with latest version libmy-1.6. 1.9 === - Replace server log parameter entries in the man page by syslog(3). 1.8.9 ===== - send all server log messages to syslog(3) instead to our own log file The configuration parameter "logserver" is obsolete therefore and has been removed from nhttpd.conf. Suggested by Matthias-Christian Ott - Make "logpid" and "logaccess" configuration parameters optional, which allows it to disable pid and access log creation. Suggested by Matthias-Christian Ott. - Remove the whole BSD authentication code on non-OpenBSD systems. Diff received from Matthias-Christian Ott. 1.8.8 ===== - Fix a bug where a requested file with size 0 caused us to send an HTTP repsonse in a loop. Bug reported by Kai Hendry. - Fix a bug where a directory request without trailing "/" to a virtual host URL returned a wrong 301-Location field value. Bug reported by Kai Hendry. - Change mime types parsing to the default syntax; extensions are separated by spaces instead by commas. Our default mime types file (conf/mimes) has been changed to the new syntax therefore. - Also check if HTTPS requests do match to our default URL before searching for virtual hosts. 1.8.7 ===== - Fix security issue for none chroot environments reported by Ben Hutchings: Disallow any direct access to upper level directories (..). On occurrence of a "/../" string in the request URI we return 400 Bad Request now. This prevents access to files beyond of the serverroot directory. - Fix a bug reported by Szabolcs Nagy: If a CGI option ends with a "/" don't apply the docindex to it. - If the PID file can't be created also report about the full filename in the error log. Requested by Kai Hendry. 1.8.6 ===== - Handle POST requests with content length 0 correctly, diff received from Georg Wendenburg. 1.8.5 ===== - Added support for SSLv3. - Replaced a strlcpy() with memcpy() because at this point binary data could be involved. Pointed out by Georg Wendenburg. - Added CONTENT\_TYPE CGI env, diff received from Georg Wendenburg. - Quiet down error messages in the server log file by moving some common error messages to the debug mode output. 1.8.4 ===== - If a select(2) error in the main loop is not EINTR, we shutdown the server. EFAULT, EBADF, and EINVAL are not acceptable. - When a connection gets closed FD\_CLR() the write set also in either case. this fix should finally let get us rid from the select(2) EBADF error, and overwrites the EBADF workaround fix from version 1.8.3. 1.8.3 ===== - Fix a Linux tweak with off\_t by adding -D\_FILE\_OFFSET\_BITS=64 to the compiler options. - If a select(2) error in the main loop is not EINTR, close the connection. this avoids endless looping e.g. when EBADF occurs. - Typo corrections for nhttpd.conf-dist and nhttpd.8 from Will Maier. 1.8.2 ===== - Fix wrong version numbers. 1.8.1 ===== - Fixed gcc3 tweak with variable array definition which caused compiliation error on gcc2 platforms. - Replaced libmy with latest version libmy-1.5. 1.8 === - Added homedirs support. - Added basic authentication via BSD authentication. - Moved variable type for filesizes from int to off\_t to enable proper transfers of very large files. - Directory listing files are sorted alphabetical now. - Make our HTML output HTML 4.01 transitional. - Fixed man page typos. 1.7.9 ===== - The rewritten http\_header\_comp() function implemented in version 1.7.7 could lead to a buffer overflow in some circumstances because the arrived header sequence was not checked for its minimum size. On my machines this effect ended up in a immediately process termination. Nasty bug fixed now. While we are at this function we also get rid of strlen() because we already have the current header size saved in our connection structure; safer and faster. - Fixed man page typos. 1.7.8 ===== - CGIs are no longer determined by a CGI alias. nhttpd checks now if a file has the world executable flag set, and if yes the file is handled as a CGI. this allows you to place CGIs anywhere in your document root, and also to use CGIs as index. the cgiroot and cgiindex config options are obsolete therefore and where removed from the configfile. cgi-bin has moved to htdocs/cgi-bin - Use stat(2) S\_IROTH instead of access(2) to check for file permissions, as we have that information already. - Added HTTP\_ACCEPT\_ENCODING CGI env - Simplified debug logging. - Fixed broken permissions checking on directories. - Fixed another binary data handling issue in CGI main loop. - Improved error handling for select(2) in CGI main loop. - On a fatal error at CGI execution send a 500 before exit(3). - Extended man page. 1.7.7 ===== - http\_header\_comp() which checks if a complete header sequence arrived got unreliable because of our new asynchronous connection handling since version 1.7.6. The function is fixed now and as a side effect much more simplified using less resources. 1.7.6 ===== - Rewrote nostromo to handle connections fully asynchronous over one single select(2) now. This change also fixes the problem that slow connections walked into a connection timeout. - The socket send buffer size is now kept to the operating system value by default. It can be changed optional in config.h by the SBS define. - Added debug mode option. - Added IF\_MODIFIED\_SINCE CGI env, diff received from Daniel Hartmeier. - Fixed unterminated childs leftover when parent is killed. - Fixed broken pipeline connection handling. - Fixed http\_chunk() to handle also binary data now. - Fixed double printing of server port in the signature. - Fixed double creation of Location header field for CGIs. - Fixed wrong Location string for 301 responses over SSL non-default port. - Fixed access log variable which could be used uninitialized. - Fixed broken custom responses. on large custom response files, the transfer was aborted. - Disabled chunking for HTTP/1.0 clients. - Disabled case sensitivy for HTTP protocol. - Reorderd configuration file. - Removed a unnecessary getpid(2) when daemonizing. - Replaced signal handlers SIGTERM code with a volatile sig\_atomic\_t flag. - Extended man page. - Improved style / KNF. 1.7.5 ===== - Set SO\_SNDBUF size on accepted client socket, not on the listener socket, because not every tcp/ip implementation supports inheritance. - Set sockets to O\_NONBLOCK to prevent any possible blocks. 1.7.4 ===== - Fixed POST content size limitation of 8KB. POST content can now be unlimited and is handled in the forked CGI process itself. - Removed all setenv(3) and unsetenv(3) functions and set CGI environment vars with execve(2) instead. This has increased the CGI serving performance about the factor 8. - The DOCUMENT\_ROOT CGI environment variable was set wrong in some cases. Bug fixed now. - In some cases the GMT offset was wrong calculated in the access log. Bug fixed now 1.7.3 ===== - Optimized performance and memory usage by source code optimization. - If a CGI post body included binary data the processing was aborted because we could not handle the binary part. Bug fixed now. - If a CGI post body was terminated with '\\r\\n' and some browsers count that to its content length (and some do not, what a mess!) the post was ignored. Bug fixed now - If the defined setuid user was not found, output a custom error instead the getpwnam(3) errno which almost says nothing. - Removed -ansi compile option to follow OpenBSD. - Fixed -pedantic compile option source code quirks. - Replaced libmy with latest version libmy-1.4. - Changed logo URL. - Applied typo diff for man page received from Marc Balmer@. 1.7.2 ===== - Added custom 401, 403, and 404 responses, requested by Marc Winiger. - Added nph CGI support. - Close all file descriptors which do not belong to the child after fork(2). - Replaced recv(2) with read(2) as we do not use flags. - Replaced send(2) with write(2) as we do not use flags. - Check more system calls for EINTR. - If a CGI post body was terminated with '\\r\\n', we did not parsed that and the post was ignored. Bug fixed now. - In some cases we had wrong data transmission because write(2) was not checked for short writes. Bug fixed now. - Fixed SSL memory leak. 1.7.1 ===== - Implemented HEAD method. - If on basic authentication the realm option in a htaccess file could not be parsed, we just kept the last value in the realm variable instead of overwriting it with "unknown realm". Bug fixed now. 1.7 === - Added 206 Partial Content. Forced by Delta. - Added example lines to configuration file how to change default port 80. - Excluded sin6\_len for Linux. - Imported new nostromo logo. - It is possible now to run IPv6 only. - Deny to run nhttpd as root. - Improved SSL handshake. - Main select(2) checks now writefds to cleanly serve partial file sends - Fixed typos and reviewed source code for BSD style. - If 301 Moved Permanently was called with https, we switched back to http because we did not check for the https flag. Bug fixed now. 1.6 === - Added IPv6 support. - Added pid file creation. - Set listener sockets to SO\_REUSEADDR. - Moved a bunch of static environment variables to dynamic ones, because of SSL and IPv6 introduction. - CGI https environment variable was set wrong because asking the wrong ssl flag variable. Bug fixed now. - If running in chroot mode, virtual hosts and aliases where not found because we accessed the full path to the config file. Bug fixed now. - If returning 500 on file send errors, open files where not closed. Bug fixed now. 1.5.1 ===== - chroot mode caused process hang if /dev/null where not found in the chroot environment. Bug fixed now. 1.5 === - Added SSL support. - Added 403 Forbidden, what means that files are checked for read permissions now instead returning 500 Internal Server Error if no access. - Added TODO file. - Corrected and extended man page. - If the content type was unknown the previous content type was sent, which is wrong. Now the html content type will be send per default on unknown content types. - select(2) for header and body read where using the same readset as the master select(2) which is wrong. Using now own readset. 1.4 === - Corrected the man page. - One of three access\_log functions was still logging with two lines per hit. Bug fixed now. 1.3 === - Makefiles have been ported to compile also on NetBSD, FreeBSD, Linux and MacOSX. - Reduced access\_log to one line per hit instead of two. - Filenames including spaces in directory listing wasn't found, because the href entry had no quotes. Bug fixed now. 1.2 === - If a CGI was called which didn't exist, the last called CGI was executed because the responsible variable, which holds the full executable path, wasn't overwritten. bug fixed now. - Replaced libmy with latest version libmy-1.3 (fixes important security issues). - Replaced last strcpy(3) with strlcpy(3). 1.1 === - Increased socket send buffer to avoid send(2) blocking when buffer is full. - In server log removed unnecessary log messages, made the existing ones more specific and added new log messages. - Removed pre-compiler debug informations because they made the source code hard to read and where not really usable in action. 1.0 === - Fixed memory leak. 0.9 === - A wrong if-condition caused the nhttpd parent process to exit(0) if a CGI was called which didn't exist. Bug fixed now. 0.8 === - Nostromo has been rewritten from a fork(2) server to a select(2) server. with this new method no more child forking for file requests is necessary and the server performance increases therefore. - Increased performance by optimizing source code. - Replaced libmy with latest version libmy-1.2 (faster). - Added pre-compiler debug option to config.h. 0.7 === - Sometimes a child process still hung because not all recv(2) was checked for connection timeout. placed select(2) in front of all recv(2) to check timeout. - Fixed wrong version numbering at several places. - Added install script (Install). 0.6 === - Sometimes a child process hung because of blocking recv(2). bug fixed now. - Replaced libmy with latest version libmy-1.1. - Added timestamps to server log file. - Added version option. 0.5 === - nhttpd didn't chroot(2) because chroot(2) where placed before all configuration files could be read. bug fixed now. 0.4 === - libmy had missing #include in flog.c, nsend.c, strlower.c some architectures (e.g. sparc64) complained and stopped at compiling. bug fixed now. 0.3 === - nhttpd didn't handle http control characters (\\r\\n\\r\\n) in POSTs body entity, and blocked at recv(2). bug fixed now. 0.2 === - Changed default configfile path to /var/nostromo/conf/nhttpd.conf. - chdir/chroot will directly done after reading the configfile successfully. - SIGPIPE, SIGHUP, SIGQUIT, SIGALRM will be silently ignored now and don't generate a server log anymore. 0.1 === - Initial version.

CVE-2019-16278

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

We found vulnerability in exiv2 binary and exiv2 is complied with clang enabling ASAN.

    Machine : Ubuntu 16.04.3 LTS
    gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
    Commit : 401e658
    exiv2 : 0.27.99.0
    Command : exiv2 -pv $POC
    

    fuzzer@fuzzer:~/victim/exiv2/build/bin$ ./exiv2 -pv POC
    =================================================================
    ==16699==ERROR: AddressSanitizer: unknown-crash on address 0x7f9a857b7143 at pc 0x7f9a84dcc1db bp 0x7ffcb8c7b650 sp 0x7ffcb8c7b648
    READ of size 1 at 0x7f9a857b7143 thread T0
        #0 0x7f9a84dcc1da in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/types.cpp:289:28
        #1 0x7f9a84ebd4c4 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:285:22
        #2 0x7f9a84ebd84e in Exiv2::Internal::CiffComponent::read(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:231:9
        #3 0x7f9a84ebd84e in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:305
        #4 0x7f9a84c5c29d in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/fuzzer/victim/exiv2/src/crwimage.cpp:150:9
        #5 0x7f9a84c5afa0 in Exiv2::CrwImage::readMetadata() /home/fuzzer/victim/exiv2/src/crwimage.cpp:107:9
        #6 0x589421 in Action::Print::printList() /home/fuzzer/victim/exiv2/src/actions.cpp:483:9
        #7 0x57c1df in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fuzzer/victim/exiv2/src/actions.cpp:218:26
        #8 0x4f4c5f in main /home/fuzzer/victim/exiv2/src/exiv2.cpp:77:23
        #9 0x7f9a836be82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x41ff38 in _start (/home/fuzzer/victim/exiv2/build/bin/exiv2+0x41ff38)
    
    AddressSanitizer can not describe address in more detail (wild memory access suspected).
    SUMMARY: AddressSanitizer: unknown-crash /home/fuzzer/victim/exiv2/src/types.cpp:289:28 in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
    Shadow bytes around the buggy address:
      0x0ff3d0aeedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeedf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeee00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    =>0x0ff3d0aeee20: fe fe fe fe fe fe fe fe[fe]fe fe fe fe fe fe fe
      0x0ff3d0aeee30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==16699==ABORTING
    fuzzer@fuzzer:~/victim/exiv2/build/bin$

CVE-2019-17402: Overflow in exiv2 · Issue #1019 · Exiv2/exiv2

I interned with Microsoft as a Software Engineering Intern in the MSRC UK team in Cheltenham this past summer. I worked in the Safe Systems Programming Language (SSPL) group, which explores safe programming languages as a proactive measure against memory-safety related vulnerabilities.
This blog post describes the project that I have been working on under the mentorship of the SSPL team.

I interned with Microsoft as a Software Engineering Intern in the MSRC UK team in Cheltenham this past summer. I worked in the Safe Systems Programming Language (SSPL) group, which explores safe programming languages as a proactive measure against memory-safety related vulnerabilities.

This blog post describes the project that I have been working on under the mentorship of the SSPL team. Hopefully, this provides additional insight into the work Microsoft interns do!

**Project Overview Project Overview**

My goal was to build an open-sourced Rust librarythat will allow developers to both consume and produce in-process Component Object Model (COM) components in an idiomatic manner.

Note: There are existing Rust crates that provide COM support, including winapi-rs, Intercom, XPCOM, com-impl, com-impl-rs and com-rs. Having these crates as references allowed us to make well-informed design decisions that laid the foundation for this library.

For the uninitiated, COM is a language-agnostic, object-oriented standard for creating binaries. Thanks to COM having an extremely well-defined Application Binary Interface (ABI), binaries that support this standard can interoperate with each other, regardless of the language they are written in.

A COM component exposes its data through a set of interfaces. For each interface, a Virtual Method Table (vtable) is defined, similar to a C++ object’s layout for virtual functions. These vtables contain function pointers to the actual function implementations. The COM component then stores pointers to these vtables, also known as vpointers. The picture below illustrates this.

By enforcing the layout of function pointers in vtables, COM allows any language to map internal data types to that of a COM object’s vtable. This provides any language with the information they need to dereference the correct function pointer and thus call the corresponding exposed function on a COM object.

Note: There are other fundamental mechanisms behind COM (such as DLL entry points, COM object instantiation, etc.) that I won’t be covering here. For more details, I highly recommend COM reference on MSDN as well as Essential COM by Don Box.

**Why enable Rust support for COM? Why enable Rust support for COM?**

As part of an attempt to eliminate a class of vulnerabilities, Microsoft is investigating the adoption of safer systems programming languages. As we discussed in an earlier blog, one such language is Rust. One of the challenges of Rust adoption is interoperability with C++ and existing Microsoft tooling. COM is a standard used widely in Microsoft and supporting it is a necessary step towards interoperability with existing components.

Outside of Microsoft, the aim of this library is also to allow COM developers to leverage the Rust compiler’s memory safety guarantees to create more secure COM components. We examine this impact and associated challenges in greater detail later, when we talk about writing safe wrappers for COM interactions.

**Implementation/project design Implementation/project design**

In this section, we will explain how our library will work in practice.

Note: Along the way, there will be snippets of behind-the-scenes design decisions, which we hope will help those joining the project.

One of the primary goals of this project was to create an idiomatic library for Rust developers to consume and produce COM components. Much of writing COM interactions involve boilerplate code, which describes and generates the different vtable layouts. To make it idiomatic to use, we tried to abstract away the COM details as much as possible. Thankfully, Rust has an expressive macros system which allows us to achieve this abstraction!

To consume a COM component, you must first describe the interface (here, IAnimal) in Rust.

To interact with a COM object that exposes the IAnimal interface, take two actions. First, instantiate the COM object, which returns you an interface pointer (a pointer to a vpointer). You do this through a Runtime struct, which controls the lifetime of the COM Library using CoInitializeEx/CoUninitialize.

Second, call methods through the interface pointer.

Macro usage for the consumption side was relatively straightforward to implement, as COM abstracts the implementation details of COM components for consumers.

On the production side of things, we spent most of the time trying to make the design both extensible and idiomatic. This wasn’t easy. COM provides many implementation possibilities when creating a component, which we must be able to cover with our library. At first, we tried to completely abstract away the presence of the generated vtables that will make an object COM-compatible. We did this by wrapping the user-defined object in a struct we can term as ComBox. This ComBox holds the vpointers, which are then passed to consumers to interact with.

This worked well for basic COM. However, this solution was created under the assumption that users will never need to access their vpointers. This assumption proved to be wrong. There are many features that COM permits when creating a COM component. One of these features that enable code reuse is Aggregation, which allows you to expose another COM object’s interfaces as if it were your own. To enable aggregation at any point, users will need to explicitly provide the aggregated object with your own vpointer. Since this violates our original assumption, this affected our design decisions.

We now know we need to hide the COM details, yet also provide experienced COM developers access to these details. Assume you want to create a COM component called CatDog which inherits from COM interfaces ICat and IDog. To do that, you would have to write something like this:

Developers will define their user fields in the struct. The #\[co\_class\] macro then expands the struct to contain the COM fields (vpointers, ref\_counts, etc.) A caveat here is that the user must implement a constructor “new”, within which it must initialise the COM fields through a macro-generated “allocate” function. The main difference here is that methods are defined on the wrapped struct containing the vpointers. This grants the user access to these fields since they are now within the same scope!

**How safe is it, really? How safe is it, really?**

We’ve discussed how to use our library and some design decisions that we made. What’s the real impact of using Rust?

Even though Rust provide memory safety guarantees, all bets are off when using the unsafe superset of the language. In this particular case, COM promotes interoperability between languages and these interactions will require frequent use of the unsafe superset of Rust. Here’s why.

The usual practice for Rust developers is to create safe wrappers around these interactions. These safe wrappers verify the raw pointers and convert them to safe types. A nullable pointer would be checked and converted to an Option, so developers must explicitly handle the null case, etc. Unfortunately, we couldn’t replicate this solution for our library. These wrappers are not foolproof. We can force users to handle null pointers explicitly, but what about dangling references? There is no way of verifying that the pointers passed to us don’t point to garbage or invalid memory. How can any of these wrappers be marked safe in Rust standards?

A key difference between the above scenario and our library, is that they are wrapping around a specific **Library/API**. We are attempting to wrap around a **Standard/Protocol**. In their case, they can refer to documentation, inspect codebase, etc, before generating a safe wrapper specific to that library. This would be a valid case for marking the wrappers as safe as they have checked the unsafe code they are wrapping, making sure they return valid pointers. Since we are making a wrapper for a standard, not a specific library or API, we cannot guarantee that every single COM component will be implemented properly. Since we know nothing about the code we are wrapping, we can’t automatically mark these generated wrappers as safe. What we _can_ do is provide users with an option to mark interactions as safe, once they have done their due diligence.

@matthewhenry, Unsplash

If we can’t assume that wrappers are safe, where does that leave us in terms of impact? Using Rust will make it much easier for developers to write secure COM components compared to their C/C++ system languages counterparts. First, unsafe code is mostly written surrounding Foreign Function Interface (FFI) interactions. Developers can still write safe Rust code for logic flows independent from these FFI interactions. This is especially important when writing a new COM component. For example, multi-threaded data structures are often used for performant code. Logic flows behind these data structures are susceptible to data races. Due to compiler optimisations, these data races may in turn lead to memory-safety vulnerabilities that are hard to track down. Rust’s ownership model persists across threads, which eliminates the possibility of data races.

Note: This is just one example, but the point remains: there are many such logic flows that we can write safe Rust for, which will yield safer code.

Second, Rust forces developers to take a conscientious and proactive approach towards handling memory safety. For example, developers must mark the above mentioned FFI interactions as unsafe, using the unsafe keyword in Rust. This signals the library users to investigate these FFI interactions and do due diligence on the COM objects they are interacting with. Having this signaling mechanism baked directly into the compiler is harder to miss than detailing these in code comments or documentation. As maintainers of the library, we are also forced to be diligent about memory safety. We need to be able to accurately assess code as safe or unsafe when exposing them, to conform to the safety standards of Rust.

Lastly, it would be a shame if I worked in MSRC UK and didn’t include the perspective of the security engineers I have worked with! Having these explicit unsafe blocks drastically reduces the surface area that security engineers must comb through to identify memory safety vulnerabilities, as memory-safety vulnerabilities can only originate from unsafe code.

As you can see, Rust developers have many tools at their disposal to write secure code, as well as to ensure safe usage of their code. Having these tools directly in the compiler instead of having to pick up external complex tooling helps increase productivity and security across the board.

**What next? What next?**

We explored the motivations behind this project. We have seen how it currently works, as well as examined the impact that it will have. What next?

This project is now open-sourced and available on GitHub! Whether you are interested in contributing or just curious about the project, we welcome you to check it out. We want to get as much feedback from the community as possible, since this is a library designed with user experience in mind. There are also many features of COM that we were not able to cover yet with this library. These include out-of-process interactions amongst other things. We can look at these once we have established a stable foundation based on the community’s feedback.

**A final word A final word**

This project challenged me from the first day till the last. Having to both pick up Rust and learn about COM pushed me far outside my comfort zone. However, the struggle has been met by an even greater extent of gratification from having seen the project through and learning so much.

Through this internship at Microsoft, I got to work with and look through the lenses of some of the brightest minds I have seen. Thank you to the MSRC UK team for your hospitality and for empowering me as a team member. To my team members Ryan and Sebastian, thank you for being such a pleasure to work with on this project and for bailing me out of many obstacles. Finally, thank you to my mentor Sebastian for taking a leap of faith when entrusting me with this project, and for your patient guidance throughout.

_Hadrian Wei Heng Lim, Software Engineer Intern, MSRC_

Designing a COM library for Rust

An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn't handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

**Summary**

An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn’t handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

**Tested Versions**

Foxit Software Foxit PDF Reader 9.4.1.16828.

**Product URLs**

https://www.foxitsoftware.com/products/pdf-reader/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-703: Improper Check or Handling of Exceptional Conditions

**Details**

Foxit PDF Reader is one of the most popular PDF document readers, and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses V8 JavaScript engine.

A PDF document can execute JavaScript at different events. One of these examples occurs when the user opens a PDF document and it runs first. Another is on page open or close which can run when user navigates to the page. A page open event is triggered for the first page when the document is opened and rendered.

A bug exists in V8 version 7.5.45 and previous that results in a large amount of memory to be allocated, which quickly uses up all available memory. This would usually result in an out-of-memory state being detected and the process would be terminated. In this instance, this is not the case as the large allocation is the result of the following bug:

    Array.prototype.length = 0xffffffff;
    Array.prototype.includes(0); 
    

Setting the array length to INT32\_MAX value changes the array’s apparent size, and even though the array is empty, due to a bug, includes() takes a very slow path that visits every, undefined, element of the array while allocating exuberant amount of memory in the process. If we take a look at the properties of this array before and after changing its length we can see the following:

    $./d8 --allow-natives-syntax
    d8> Array.prototype.length
    0
    d8> %DebugPrint(Array.prototype)
    DebugPrint: 0x1f0050210ff1: [JSArray] in OldSpace
     - map: 0x1f00c1382de9 <Map(HOLEY_ELEMENTS)> [FastProperties]
     - prototype: 0x1f0050201f71 <Object map = 0x1f00c1380229>
     - elements: 0x1f00d0300c21 <FixedArray[0]> [HOLEY_ELEMENTS]
     - length: 0
    0x1f00c1382de9: [Map]
     - type: JS_ARRAY_TYPE
     - instance size: 32
     - inobject properties: 0
     - elements kind: HOLEY_ELEMENTS                    [1]
     - unused property fields: 2
     - enum length: invalid
     - stable_map
     - prototype_map
     - prototype info: 0x1f0050211011 <PrototypeInfo>
     - prototype_validity cell: 0x1f00a2380609 <Cell value= 1>
     - instance descriptors (own) #35: 0x1f0050211049 <DescriptorArray[35]>
     - layout descriptor: 0x0
     - prototype: 0x1f0050201f71 <Object map = 0x1f00c1380229>
     - constructor: 0x1f0050201fa9 <JSFunction Object (sfi = 0x1f00a2389931)>
     - dependent code: 0x1f00d03002c1 <Other heap object (WEAK_FIXED_ARRAY_TYPE)>
     - construction counter: 0
    

At \[1\], we can see type of the array is HOLEY_ELEMENTS and after growing the array:

    d8> Array.prototype.length = 0xffffffff;
    4294967295
    d8> %DebugPrint(Array.prototype)
    DebugPrint: 0x1f0050210ff1: [JSArray] in OldSpace
     - map: 0x1f00c138a8b9 <Map(DICTIONARY_ELEMENTS)> [FastProperties]
     - prototype: 0x1f0050201f71 <Object map = 0x1f00c1380229>
     - elements: 0x1f00b178ff39 <NumberDictionary[16]> [DICTIONARY_ELEMENTS]
     - length: 0x1f00b1790329 <HeapNumber 4.29497e+09>
    0x1f00c138a8b9: [Map]
     - type: JS_ARRAY_TYPE
     - instance size: 32
     - inobject properties: 0
     - elements kind: DICTIONARY_ELEMENTS                       [2]
     - unused property fields: 2
     - enum length: invalid
     - stable_map
     - prototype_map
     - prototype info: 0x1f0050211011 <PrototypeInfo>
     - prototype_validity cell: 0x1f00a2380609 <Cell value= 1>
     - instance descriptors (own) #35: 0x1f00b178ffc9 <DescriptorArray[35]>
     - layout descriptor: 0x0
     - prototype: 0x1f0050201f71 <Object map = 0x1f00c1380229>
     - constructor: 0x1f0050201fa9 <JSFunction Object (sfi = 0x1f00a2389931)>
     - dependent code: 0x1f00d03002c1 <Other heap object (WEAK_FIXED_ARRAY_TYPE)>
     - construction counter: 0
    

At \[2\], we see that the array is now of type DICTIONARY_ELEMENTS. After navigating through the implementation of Array.prototype.includes in V8’s CSA we can see that HOLEY_ELEMENTS and DICTIONARY_ELEMENTS are handled differently, and code ends up calling a runtime implementation of includes() for DICTIONARY_ELEMENTS:

    BIND(&call_runtime);
    {
    Node* start_from =
        args.GetOptionalArgumentValue(kFromIndexArg, UndefinedConstant());
    Runtime::FunctionId function = variant == kIncludes
                                       ? Runtime::kArrayIncludes_Slow
                                       : Runtime::kArrayIndexOf;
    args.PopAndReturn(
        CallRuntime(function, context, array, search_element, start_from));
    }
    

In the runtime implementation of kArrayIncludes_Slow we eventually end up at the following check:

    if (!object->map()->IsSpecialReceiverMap() && len < kMaxUInt32 &&             [3]
        JSObject::PrototypeHasNoElements(isolate, JSObject::cast(*object))) {
      Handle<JSObject> obj = Handle<JSObject>::cast(object);
      ElementsAccessor* elements = obj->GetElementsAccessor();
      Maybe<bool> result = elements->IncludesValue(isolate, obj, search_element,
                                                   static_cast<uint32_t>(index),
                                                   static_cast<uint32_t>(len));
      MAYBE_RETURN(result, ReadOnlyRoots(isolate).exception());
      return *isolate->factory()->ToBoolean(result.FromJust());
    }
    
    // Otherwise, perform slow lookups for special receiver types
    for (; index < len; ++index) {                                                [4]
    

At \[3\], we can see that length of the array is compared against kMaxUInt32 and the code in the if statement is executed if len is strictly less than kMaxUInt32. Since array length is set to kMaxUInt32, execution continues at \[4\] and ends up in the slowest possible path. The correct check at \[3\] should be that len should be less than or equal to kMaxUInt32, as is the case in indexOf runtime function implementation.

This quickly results in huge amounts of memory being executed and should result in process termination. In Foxit, however, the out-of-memory condition raises an exception which is caught and “handled,” and processing of the PDF can continue:

    0:000> sxe e06d7363
    0:000> g
    ...
    (754.1588): C++ EH exception - code e06d7363 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader.exe - 
    eax=053de308 ebx=053de3b8 ecx=00000003 edx=00000000 esi=039d3ebc edi=03e0be30
    eip=764c18a2 esp=053de308 ebp=053de364 iopl=0         nv up ei pl nz ac po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200212
    KERNELBASE!RaiseException+0x62:
    764c18a2 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:053de35c=583d2f59
    0:000> .exr -1
    ExceptionAddress: 764c18a2 (KERNELBASE!RaiseException+0x00000062)
       ExceptionCode: e06d7363 (C++ EH exception)
      ExceptionFlags: 00000001
    NumberParameters: 3
       Parameter[0]: 19930520
       Parameter[1]: 053de3b8
       Parameter[2]: 03e0be30                                           [5]
    unable to find C-Runtime symbols, even with unqualified search
    0:000> dd 03e0be30
    03e0be30  00000000 00000000 00000000 03e0be40
    03e0be40  00000005 03e0be58 03e0be74 03ba583c
    03e0be50  03ba5858 03e53224 00000001 03f93408
    03e0be60  00000000 ffffffff 00000000 00000004
    03e0be70  00000000 00000001 03fc258c 00000000
    03e0be80  ffffffff 00000000 00000004 00000000
    03e0be90  00000000 00000000 00000000 03e0bea0
    03e0bea0  00000005 03e0beb8 03e0be74 03ba583c
    0:000> dd 03e0be40 
    03e0be40  00000005 03e0be58 03e0be74 03ba583c
    03e0be50  03ba5858 03e53224 00000001 03f93408
    03e0be60  00000000 ffffffff 00000000 00000004
    03e0be70  00000000 00000001 03fc258c 00000000
    03e0be80  ffffffff 00000000 00000004 00000000
    03e0be90  00000000 00000000 00000000 03e0bea0
    03e0bea0  00000005 03e0beb8 03e0be74 03ba583c
    03e0beb0  03ba5858 03e53224 00000001 03f926f4
    0:000> dd 03e0be58 
    03e0be58  00000001 03f93408 00000000 ffffffff
    03e0be68  00000000 00000004 00000000 00000001
    03e0be78  03fc258c 00000000 ffffffff 00000000
    03e0be88  00000004 00000000 00000000 00000000
    03e0be98  00000000 03e0bea0 00000005 03e0beb8
    03e0bea8  03e0be74 03ba583c 03ba5858 03e53224
    03e0beb8  00000001 03f926f4 00000000 ffffffff
    03e0bec8  00000000 00000004 00000000 00000000
    0:000> da 03f93408+8
    03f93410  ".PAVCMemoryException@@"
    

Since this is a C++ exception, if we follow the second parameter of the exception at \[5\] through a couple of dereferences, in the end we get that the thrown exception is of type CMemoryException, which is an out-of-memory exception. Continuing the process halts the Javascript execution, but continues to render the PDF.

Now, if our PDF contains a page open action with JavaScript code, JavaScript execution will resume with the engine in an undefined state, which quickly results in memory corruption and the following crash:

    0:000> g
    (754.1588): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=053deda8 ecx=00000000 edx=0d213ed0 esi=05300000 edi=0d1e62a0
    eip=01d4dbf6 esp=053dec44 ebp=053dec54 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
    FoxitReader!CFXJSE_Arguments::GetValue+0xb3436:
    01d4dbf6 8b4618          mov     eax,dword ptr [esi+18h] ds:002b:05300018=????????
    0:000> k 6
     # ChildEBP RetAddr  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 053dec54 01d4dd96 FoxitReader!CFXJSE_Arguments::GetValue+0xb3436
    01 053dec6c 01d4d800 FoxitReader!CFXJSE_Arguments::GetValue+0xb35d6
    02 053dec84 01d4de99 FoxitReader!CFXJSE_Arguments::GetValue+0xb3040
    03 053dec98 01d4cd1f FoxitReader!CFXJSE_Arguments::GetValue+0xb36d9
    04 053decb8 01db8ce1 FoxitReader!CFXJSE_Arguments::GetValue+0xb255f
    05 053def54 01db81bc FoxitReader!CFXJSE_Arguments::GetValue+0x11e521
    

In this example, the crash is due to an access violation while trying to read an arbitrary memory address, but with precise control it could be further abused and could ultimately lead to arbitrary code execution.

Opening the supplied PoC PDF in Foxit Reader with PageHeap turned on leads to a quicker crash, but the same can be observed without PageHeap.

**Timeline**

2019-04-02 - Vendor Disclosure  
2019-05-01 - 30 day follow up; Vendor advised issues under review  
2019-06-11 - Vendor advised need to upgrade to Google V8 due to it crashing in Google V8  
2019-06-12 - Talos informed 90 day mark 2019-07-02  
2019-06-13 - Vendor requested disclosure timeline extension>br> 2019-07-30 - 120 day follow up; Talos granted disclosure extension to 2019-08-30  
2019-08-08 - Vendor requested extension to 2019-09-30; Talos agreed  
2019-09-25 - Vendor patched and provided test version to Talos  
2019-09-30 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2019-5031: TALOS-2019-0793 || Cisco Talos Intelligence Group

Azure IoT Edge is an open source, cross platform software project from the Azure IoT team at Microsoft that seeks to solve the problem of managing distribution of compute to the edge of your on-premise network from the cloud. This post explains some of the rationale behind our choice of Rust as the implementation programming language for the Security Daemon component in the product.

Azure IoT Edge is an open source, cross platform software project from the Azure IoT team at Microsoft that seeks to solve the problem of managing distribution of compute to the _edge_ of your on-premise network from the cloud. This post explains some of the rationale behind our choice of Rust as the implementation programming language for the _Security Daemon_ component in the product.

The Security Daemon bootstraps the Azure IoT Edge runtime. It acts as a communication broker between the Azure IoT Edge runtime and many host services such as the container runtime and hardware-based cryptography devices Hardware Security Modules (HSM) and Trusted Platform Modules (TPM).

**Picking a tech stack for the Security Daemon Picking a tech stack for the Security Daemon**

When we started work on the Security Daemon (internally referred to as the _edgelet_) we identified the following broad design goals:

*   The edgelet needs to be a native component that does not require a runtime such as the .NET CLR to execute.
*   Since the edgelet will serve as the channel for accessing the HSM/TPM hardware on the device, it needs to be secure.
*   The edgelet will communicate with HSM/TPM hardware via a C Application Binary Interface (ABI), so loading shared objects/DLLs and calling C functions should be straightforward.

These design goals meant that we would have to pick a programming language such as C or C++ or Rust that compiled to native code. Not wanting to incur the runtime overhead of a garbage collector meant that Go wasn’t a desirable option. The security-related requirements of the daemon meant that we wanted to avoid having to deal with memory and concurrency bugs. As it turned out, Rust perfectly fit the bill for us given these constraints. This earlier post on this blog captures many of the benefits that we came up with when determining Rust was the programming language of choice.

**What worked well What worked well**

Before we shipped Azure IoT Edge for general availability, we engaged an external security vendor to perform penetration testing on the software. The fact that they discovered zero security issues with the Rust part of the codebase was to us a vindication of our choice of Rust. Right from the start we decided that we would have the compiler treat all warnings as errors including lints checked for by clippy. Our continuous integration system would reject pull requests that did not pass a rustfmt run which made sure that we had consistent code formatting throughout the codebase.

The Rust compiler update process and the cargo tooling has worked well for Azure IoT Edge. Upgrading to a new compiler version is almost always a painless exercise.

**Rust adoption Rust adoption**

The next step was to ramp up on the language. Compared with other popular programming languages, Rust has a rather steep learning curve and we were apprehensive about the impact this ramp up would have on project timelines. Our team already had developers well versed in C, C++, C# and Java. Luckily for us, we also had a couple of developers who were very passionate about Rust! We came up with hands-on Rust workshops where we walked the team through the parts of the language that in our experience have been somewhat hard to gain an intuition for. This time investment proved to be quite useful. We discovered that learning the language in the end proved to not be as much of a problem as we had imagined.

In a matter of 4-6 weeks, we found that nearly every single member in the team had made non-trivial contributions to the Rust part of the codebase.

**Challenges Challenges**

While our experience with shipping some of the first production Rust code by Microsoft has been delightful overall, we had a few challenges:

*   The Rust ecosystem is still relatively new compared with some of the other more established languages. This meant that we’d often have to build pieces of infrastructure that we would otherwise probably not have had to.
*   Parsing compiler error messages would occasionally prove to be difficult especially when dealing with code that made heavy use of combinators from Tokio Futures or std::iter::Iterator.
*   Teams that are used to stellar tooling support for editing and debugging C# and Java code found the Rust editing/debugging experience somewhat subpar. The VS Code Rust RLS extension was notoriously unstable in practice.
*   Reasoning about complex types that invariably get built when building complex Tokio Future combinator chains was sometimes tricky.

**What’s next What’s next**

At this point it would be fair to state that Azure IoT is completely on-board with the Rust programming language. Usage of Rust has only expanded even more since we shipped Azure IoT Edge. Multiple cloud service projects that are currently being actively worked upon are being written in Rust. The trifecta of memory safety, data race safety and performance that Rust offers has been a great fit for Azure IoT. We hope to have more to say about this in the future!

_Raj Vengalil, Principal SWE Manager, IoT Platform_

Building the Azure IoT Edge Security Daemon in Rust

Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.

libfuzz fuzz hunspell-1.7.0 source code find a crash by libfuzzer , the crash was caused by a invalid READ memory access.

    ==70237==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffe (pc 0x000000548e7c bp 0x7ffc24a458e0 sp 0x7ffc24a458b0 T0)
    ==70237==The signal is caused by a READ memory access.
        #0 0x548e7b in std::vector<w_char, std::allocator<w_char> >::operator[](unsigned long) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:795:41
        #1 0x548e7b in SuggestMgr::leftcommonsubstring(std::vector<w_char, std::allocator<w_char> > const&, std::vector<w_char, std::allocator<w_char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./suggestmgr.cxx:2043
        #2 0x5448be in SuggestMgr::ngsuggest(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, char const*, std::vector<HashMgr*, std::allocator<HashMgr*> > const&, int) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./suggestmgr.cxx:1194:26
        #3 0x5353f1 in HunspellImpl::suggest_internal(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, unsigned long&, int&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:1194:16
        #4 0x5339ee in HunspellImpl::suggest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:899:35
        #5 0x53bf10 in Hunspell::suggest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/src/hunspell/./hunspell.cxx:2042:18
        #6 0x52b80b in LLVMFuzzerTestOneInput /home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/fuzzer1.cxx:82:19
        #7 0x42fe2a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x42fe2a)
        #8 0x41ffae in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x41ffae)
        #9 0x4258a1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x4258a1)
        #10 0x44e372 in main (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x44e372)
        #11 0x7fe57050582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
        #12 0x41e8a8 in _start (/home/butterfly/Desktop/hunspell-1.7.0/hunspell-1.7.0/tests/crash_test+0x41e8a8)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:795:41 in std::vector<w_char, std::allocator<w_char> >::operator[](unsigned long) const
    ==70237==ABORTING

CVE-2019-16707: GitHub - butterflyhack/hunspell-crash: find a crash by libfuzzer

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd:  
$ ./configure --extra-cflags="-fsanitize=address,undefined -g" --extra-ldflags="-fsanitize=address,undefined -ldl -g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc14-heapoverflow

ASAN info:

    ==71438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000591 at pc 0x7ffa85321aff bp 0x7ffc13f5e4b0 sp 0x7ffc13f5e4a0
    READ of size 1 at 0x603000000591 thread T0
        #0 0x7ffa85321afe in audio_sample_entry_AddBox /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934
        #1 0x7ffa853f002c in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1327
        #2 0x7ffa8533c83b in audio_sample_entry_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3999
        #3 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #4 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #5 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #6 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #7 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #8 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #9 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #10 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #11 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #12 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #13 0x7ffa8533a0fc in minf_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
        #14 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #15 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #16 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #17 0x7ffa853367f3 in mdia_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
        #18 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #19 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #20 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #21 0x7ffa85354187 in trak_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
        #22 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #23 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #24 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #25 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #26 0x7ffa853f1363 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #27 0x7ffa853f1363 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #28 0x7ffa853f20c5 in gf_isom_parse_root_box /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
        #29 0x7ffa8541e398 in gf_isom_parse_movie_boxes /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
        #30 0x7ffa854237a4 in gf_isom_open_file /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
        #31 0x55e7b46eb046 in mp4boxMain /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
        #32 0x7ffa822c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #33 0x55e7b46ca199 in _start (/home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/build_asan/bin/gcc/MP4Box+0xac199)
    
    0x603000000591 is located 0 bytes to the right of 17-byte region [0x603000000580,0x603000000591)
    allocated by thread T0 here:
        #0 0x7ffa887fcb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x7ffa85329a80 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:742
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934 in audio_sample_entry_AddBox
    Shadow bytes around the buggy address:
      0x0c067fff8060: fa fa 00 00 02 fa fa fa 00 00 05 fa fa fa 00 00
      0x0c067fff8070: 04 fa fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa
      0x0c067fff8080: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 01
      0x0c067fff8090: fa fa 00 00 05 fa fa fa 00 00 04 fa fa fa 00 00
      0x0c067fff80a0: 02 fa fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
    =>0x0c067fff80b0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==71438==ABORTING
    

GDB info:

    malloc_consolidate(): invalid chunk size
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff7350801 in __GI_abort () at abort.c:79
    #2  0x00007ffff7399897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff74c6b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff73a090a in malloc_printerr (str=str@entry=0x7ffff74c83f0 "malloc_consolidate(): invalid chunk size") at malloc.c:5350
    #4  0x00007ffff73a0bae in malloc_consolidate (av=av@entry=0x7ffff76fbc40 <main_arena>) at malloc.c:4441
    #5  0x00007ffff73a47d8 in _int_malloc (av=av@entry=0x7ffff76fbc40 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3703
    #6  0x00007ffff73a70fc in __GI___libc_malloc (bytes=4096) at malloc.c:3057
    #7  0x00007ffff738e18c in __GI__IO_file_doallocate (fp=0x5555557a6260) at filedoalloc.c:101
    #8  0x00007ffff739e379 in __GI__IO_doallocbuf (fp=fp@entry=0x5555557a6260) at genops.c:365
    #9  0x00007ffff739ad23 in _IO_new_file_seekoff (fp=0x5555557a6260, offset=0, dir=2, mode=<optimized out>) at fileops.c:960
    #10 0x00007ffff7398dd9 in fseeko (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2) at fseeko.c:36
    #11 0x00007ffff77527c9 in gf_fseek (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/os_file.c:756
    #12 0x00007ffff7753323 in gf_bs_from_file (f=0x5555557a6260, mode=mode@entry=0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/bitstream.c:179
    #13 0x00007ffff7894173 in gf_isom_fdm_new (sPath=<optimized out>, mode=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:453
    #14 0x00007ffff7894400 in gf_isom_datamap_new (location=<optimized out>, location@entry=0x7fffffffe197 "../../poc14-heapoverflow", parentPath=parentPath@entry=0x0, 
        mode=mode@entry=1 '\001', outDataMap=outDataMap@entry=0x5555557a68b0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:185
    #15 0x00007ffff789cf66 in gf_isom_open_progressive (fileName=<optimized out>, start_range=0, end_range=0, the_file=0x5555557a5738 <file>, BytesMissing=0x7fffffff9390)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_read.c:367
    #16 0x000055555556f48b in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4542
    #17 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #18 0x0000555555561e6a in _start ()

Tag

#c++