LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

We found with our fuzzer some stack over flow errors at Sass::Inspect::operator() (inspect.cpp:977)(45f5087) when compiled with Address Sanitizer (using sassc as the driver).

    =================================================================
    ==2828==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd23974fd8 (pc 0x7f7c014511a4 bp 0x7ffd23975850 sp 0x7ffd23974fe0 T0)
        #0 0x7f7c014511a3 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a3)
        #1 0x7f7bffced43b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12143b)
        #2 0x7f7c010a3c86 in bool std::operator==<char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const*) /usr/include/c++/5/bits/basic_string.h:4939
        #3 0x7f7c010a3c86 in Sass::Inspect::operator()(Sass::Wrapped_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:977
        #4 0x7f7c0109de50 in Sass::Inspect::operator()(Sass::Compound_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:996
        #5 0x7f7c010abed7 in Sass::Compound_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2742
        #6 0x7f7c010abed7 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1023
        #7 0x7f7c010ac3f4 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
        #8 0x7f7c010ac3f4 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1061
    ...
        #447 0x7f7c010abed7 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1023
        #448 0x7f7c010ac3f4 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
        #449 0x7f7c010ac3f4 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1061
        #450 0x7f7c010ae63b in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
        #451 0x7f7c010ae63b in Sass::Inspect::operator()(Sass::Selector_List*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1098
    
    SUMMARY: AddressSanitizer: stack-overflow ??:0 __interceptor_strlen
    ==2828==ABORTING

CVE-2018-20822: AddressSanitizer: stack-overflow at Sass::Inspect::operator() (inspect.cpp:977) · Issue #2671 · sass/libsass

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer overflow in the function WriteXWDImage of coders/xwd.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.

There is a heap buffer overflow in function WriteXWDImage of coders/xwd.c whick can be reproduced as below.

\=================================================================
==79777==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f669c371b18 at pc 0x00000087f9ea bp 0x7ffe593e7730 sp 0x7ffe593e7720
WRITE of size 1 at 0x7f669c371b18 thread T0
    #0 0x87f9e9 in WriteXWDImage coders/xwd.c:894
    #1 0x47a390 in WriteImage magick/constitute.c:2245
    #2 0x47acf8 in WriteImages magick/constitute.c:2404
    #3 0x42becd in ConvertImageCommand magick/command.c:6101
    #4 0x436a5e in MagickCommand magick/command.c:8886
    #5 0x45f205 in GMCommandSingle magick/command.c:17416
    #6 0x45f451 in GMCommand magick/command.c:17469
    #7 0x40cbc5 in main utilities/gm.c:61
    #8 0x7f6741cd382f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cad8 in \_start (/home/test/temp/graphicsmagick-code/utilities/gm+0x40cad8)

0x7f669c371b18 is located 0 bytes to the right of 268436248-byte region \[0x7f668c371800,0x7f669c371b18)
allocated by thread T0 here:
    #0 0x7f6744a60602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4de2d4 in MagickMalloc magick/memory.c:173
    #2 0x87f588 in WriteXWDImage coders/xwd.c:865
    #3 0x47a390 in WriteImage magick/constitute.c:2245
    #4 0x47acf8 in WriteImages magick/constitute.c:2404
    #5 0x42becd in ConvertImageCommand magick/command.c:6101
    #6 0x436a5e in MagickCommand magick/command.c:8886
    #7 0x45f205 in GMCommandSingle magick/command.c:17416
    #8 0x45f451 in GMCommand magick/command.c:17469
    #9 0x40cbc5 in main utilities/gm.c:61
    #10 0x7f6741cd382f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/xwd.c:894 WriteXWDImage
Shadow bytes around the buggy address:
  0x0fed53866310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed53866350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed53866360: 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed53866390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed538663a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fed538663b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==79777==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190322 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64-pc-linux-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

CVE-2019-11008: GraphicsMagick / Bugs / #599 heap_buffer_overflow_WRITE in function WriteXWDImage of coders/xwd.c

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.

CVE-2019-9903: CVE-2019-9903: Stack-based Buffer Overflows in Dict::find() - poppler 0.74.0 - Loginsoft Research

An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dereference in the function OFXApplication::startElement in the file lib/ofx_sgml.cpp, as demonstrated by ofxdump.

\## Description

\`\`\`
This is the LibOFX library. It is a parser and an API designed to allow applications to support the OFX banking standard (mostly used for bank statement download). To my knowledge, it is the first working OpenSource implementation on the client side.

\`\`\`

## Version

\[0.9.14\](https://sourceforge.net/projects/libofx/files/libofx/libofx-0.9.14.tar.gz/download)


## Others

\`\`\`
This bug is reported by fish@360TeamSeri0us, 
please send email to  teamSeri0us360@gmail.com if you have any question.
\`\`\`

## Details

\`\`\`
fish@ubuntu:~/Desktop/dumb/tools/libofx-0.9.14$ ./fast/fast/bin/ofxdump null-poniter-dereference-poc-1 
LibOFX INFO: libofx\_proc\_file(): File format not specified, autodetecting...
LibOFX INFO: libofx\_proc\_file(): Detected file format: OFX (Open Financial eXchange (OFX or QFX))
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX INFO: sanitize\_proprietary\_tags() removed: <!-: Oct. 1, 1999 -->
LibOFX INFO: sanitize\_proprietary\_tags() removed: <!-Oct. 28, 1999 -->
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX INFO: sanitize\_proprietary\_tags() removed: <! Oct. 20, 1999 -->
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX INFO: sanitize\_proprietary\_tags() removed: 
LibOFX STATUS: find\_dtd():DTD found: /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/fast/share/libofx/dtd/opensp.dcl
LibOFX STATUS: find\_dtd():DTD found: /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/fast/share/libofx/dtd/ofx160.dtd
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SIGNONMSGSRSV1
(Above message occurred on Line 1, Column 17)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate SONRS
(Above message occurred on Line 1, Column 33)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:3:1:E: non SGML character number 5

(Above message occurred on Line 3, Column 2)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:3:1:E: start tag for "SEVERITY" omitted, but its declaration does not permit this

(Above message occurred on Line 3, Column 2)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:3:13:E: document type does not allow element "SEVERITY" here

(Above message occurred on Line 3, Column 14)
LibOFX ERROR: startElement: incoming\_data should be empty! You are probably using OpenSP <= 1.3.4.  The following data was lost:   
(Above message occurred on Line 3, Column 5)
LibOFX ERROR: Tried to close a SEVERITY but a STATUS is currently open.
(Above message occurred on Line 3, Column 33)
LibOFX ERROR: End tag for non data element STATUS, incoming data should be empty but contains:     DATA HAS BEEN LOST SOMEWHERE!
(Above message occurred on Line 3, Column 33)
ofx\_proc\_status():
    Ofx entity this status is relevant to: SONRS 
    Severity: INFO
    Code: 0, name: Success
    Description: The server successfully processed the request.

LibOFX ERROR: startElement: incoming\_data should be empty! You are probably using OpenSP <= 1.3.4.  The following data was lost:    
(Above message occurred on Line 3, Column 45)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate FI
(Above message occurred on Line 6, Column 37)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:9:1:E: non SGML character number 0

(Above message occurred on Line 9, Column 2)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:9:1:E: character data is not allowed here

(Above message occurred on Line 9, Column 2)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:9:2:E: non SGML character number 127

(Above message occurred on Line 9, Column 3)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:10:10:E: end tag for "FI" omitted, but its declaration does not permit this
/tmp/libofxtmpQLPkEH:6:36: start tag was here

(Above message occurred on Line 10, Column 11)
    DATA HAS BEEN LOST SOMEWHERE!a element FI, incoming data should be empty but contains: /FI>
(Above message occurred on Line 10, Column 4)
    DATA HAS BEEN LOST SOMEWHERE!a element SONRS, incoming data should be empty but contains: /FI>
(Above message occurred on Line 10, Column 4)
    DATA HAS BEEN LOST SOMEWHERE!a element SIGNONMSGSRSV1, incoming data should be empty but contains: /FI>
(Above message occurred on Line 11, Column 6)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:11:24:E: character data is not allowed here

(Above message occurred on Line 11, Column 25)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:11:48:E: document type does not allow element "STMTTRNRS" here; missing one of "BANKMSGSRSV1", "BANKMSGSRSV2" start-tag

(Above message occurred on Line 11, Column 49)
LibOFX INFO: Created OfxDummyContainer to hold unsupported aggregate STMTTRNRS
(Above message occurred on Line 11, Column 39)
   PBANKMSGSRSV1>rtElement: incoming\_data should be empty! You are probably using OpenSP <= 1.3.4.  The following data was lost: /FI>
(Above message occurred on Line 12, Column 7)
ofx\_proc\_status():
    Ofx entity this status is relevant to: STMTTRNRS 
    Severity: INFO
    Code: 0, name: Success
    Description: The server successfully processed the request.

LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:17:9:E: character ";" not allowed in attribute specification list

(Above message occurred on Line 17, Column 10)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:18:7:E: element "CURDEG" undefined

(Above message occurred on Line 18, Column 8)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:18:19:E: end tag for element "CURDEF" which is not open

(Above message occurred on Line 18, Column 20)
LibOFX ERROR: startElement: incoming\_data should be empty! You are probably using OpenSP <= 1.3.4.  The following data was lost: USD 
(Above message occurred on Line 19, Column 3)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:20:4:E: element "A" undefined

(Above message occurred on Line 20, Column 5)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:20:9:E: character data is not allowed here

(Above message occurred on Line 20, Column 10)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:20:24:E: end tag for element "ACCTID" which is not open

(Above message occurred on Line 20, Column 25)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:21:11:E: document type does not allow element "ACCTTYPE" here

(Above message occurred on Line 21, Column 12)
  bOFX ERROR: startElement: incoming\_data should be empty! You are probably using OpenSP <= 1.3.4.  The following data was lost: >999988
(Above message occurred on Line 21, Column 3)
LibOFX ERROR: WRITEME: ACCTTYPE (CHECKING) is not supported by the  container
(Above message occurred on Line 21, Column 21)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:22:18:E: "OFX" not finished but containing element ended

(Above message occurred on Line 22, Column 19)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:22:18:E: end tag for "OFX" omitted, but its declaration does not permit this
/tmp/libofxtmpQLPkEH:20:4: start tag was here

(Above message occurred on Line 22, Column 19)
LibOFX ERROR: Tried to close a A without a open element (NULL pointer)
(Above message occurred on Line 22, Column 5)
LibOFX ERROR: OpenSP parser: otherError (misc parse error):
/tmp/libofxtmpQLPkEH:22:18:E: end tag for "BANKACCTFROM" which is not finished

(Above message occurred on Line 22, Column 19)
LibOFX ERROR: Tried to close a BANKACCTFROM without a open element (NULL pointer)
(Above message occurred on Line 22, Column 5)
ASAN:DEADLYSIGNAL
=================================================================
==130318==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f61aaac8d70 bp 0x7ffd345a34b0 sp 0x7ffd345a2630 T0)
==130318==The signal is caused by a READ memory access.
==130318==Hint: address points to the zero page.
    #0 0x7f61aaac8d6f in std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >::compare(char const\*) const (/usr/lib/x86\_64-linux-gnu/libstdc++.so.6+0x126d6f)
    #1 0x7f61aadc78fa in bool std::operator==<char, std::char\_traits<char>, std::allocator<char> >(std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > const&, char const\*) /usr/bin/../lib/gcc/x86\_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/basic\_string.h:6036:20
    #2 0x7f61aadc78fa in bool std::operator!=<char, std::char\_traits<char>, std::allocator<char> >(std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> > const&, char const\*) /usr/bin/../lib/gcc/x86\_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/basic\_string.h:6074
    #3 0x7f61aadc78fa in OFXApplication::startElement(SGMLApplication::StartElementEvent const&) /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/lib/../../lib/ofx\_sgml.cpp:129
    #4 0x7f61a96e6167 in OpenSP::GenericEventHandler::startElement(OpenSP::StartElementEvent\*) (/usr/lib/libosp.so.5+0xec167)
    #5 0x7f61a973db28 in OpenSP::Parser::pushElementCheck(OpenSP::ElementType const\*, OpenSP::StartElementEvent\*, bool) (/usr/lib/libosp.so.5+0x143b28)
    #6 0x7f61a973e80c in OpenSP::Parser::acceptStartTag(OpenSP::ElementType const\*, OpenSP::StartElementEvent\*, bool) (/usr/lib/libosp.so.5+0x14480c)
    #7 0x7f61a973ea0f in OpenSP::Parser::parseStartTag() (/usr/lib/libosp.so.5+0x144a0f)
    #8 0x7f61a973f977 in OpenSP::Parser::doContent() (/usr/lib/libosp.so.5+0x145977)
    #9 0x7f61a96f754f in OpenSP::Parser::parseAll(OpenSP::EventHandler&, int const volatile\*) (/usr/lib/libosp.so.5+0xfd54f)
    #10 0x7f61a96fa26e in OpenSP::ParserApp::parseAll(OpenSP::SgmlParser&, OpenSP::EventHandler&, int const volatile\*) (/usr/lib/libosp.so.5+0x10026e)
    #11 0x7f61a96faac3 in OpenSP::ParserEventGenerator::run(SGMLApplication&) (/usr/lib/libosp.so.5+0x100ac3)
    #12 0x7f61aadc264c in ofx\_proc\_sgml(LibofxContext\*, int, char\* const\*) /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/lib/../../lib/ofx\_sgml.cpp:385:27
    #13 0x7f61aad63385 in ofx\_proc\_file(void\*, char const\*) /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/lib/../../lib/ofx\_preproc.cpp:383:9
    #14 0x7f61aad56d60 in libofx\_proc\_file /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/lib/../../lib/file\_preproc.cpp:91:5
    #15 0x513858 in main /home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/ofxdump/../../ofxdump/ofxdump.cpp:491:5
    #16 0x7f61a99f1b96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41ccd9 in \_start (/home/fish/Desktop/dumb/tools/libofx-0.9.14/fast/fast/bin/ofxdump+0x41ccd9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86\_64-linux-gnu/libstdc++.so.6+0x126d6f) in std::\_\_cxx11::basic\_string<char, std::char\_traits<char>, std::allocator<char> >::compare(char const\*) const
==130318==ABORTING

\`\`\`

CVE-2019-9656: pocs/libofx at master · TeamSeri0us/pocs

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

I am seeing the same bug on the current master.  
Under AddressSanitizer it manifests as stack-use-after-return.  
Exact repro steps:

    #!/bin/bash
    
    [ ! -e libpng ] && git clone https://github.com/glennrp/libpng.git
    (cd libpng; CC="clang" CFLAGS="-O1 -fsanitize=address -g"  ./configure && make -j $(nproc))
    
    cat << EOF > png_uar.c
    #include <string.h>
    #include "png.h"
    
    int main() {
      unsigned char data[] = {
          0x89, 0x50, 0x4e, 0x47, 0xd,  0xa,  0x1a, 0xa,  0x0,  0x0, 0x0, 0xd,
          0x49, 0x48, 0x44, 0x52, 0x0,  0x0,  0x0,  0x0,  0x0,  0x0, 0x0, 0x0,
          0x0,  0x0,  0x0,  0x0,  0x0,  0x2e, 0x90, 0x68, 0xf,  0x0, 0x0, 0x0,
          0x0,  0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82,
      };
      png_image image;
      memset(&image, 0, sizeof(image));
      image.version = PNG_IMAGE_VERSION;
      png_image_begin_read_from_memory(&image, data, sizeof(data));
    }
    EOF
    clang -fsanitize=address png_uar.c libpng/.libs/libpng16.a -lz
    ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out
    

Full report:

    ==11009==ERROR: AddressSanitizer: stack-use-after-return on address 0x7fa4241440b0 at pc 0x000000542f89 bp 0x7ffd487a2cf0 sp 0x7ffd487a2ce8
    WRITE of size 8 at 0x7fa4241440b0 thread T0
        #0 0x542f88 in png_safe_execute /tmp/libpng/pngerror.c:954:29
        #1 0x53effe in png_image_free /tmp/libpng/png.c:4592:13
        #2 0x542e6d in png_safe_execute /tmp/libpng/pngerror.c:958:7
        #3 0x4f8c7a in main (/tmp/a.out+0x4f8c7a)
        #4 0x7fa4276b62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #5 0x41dbc9 in _start (/tmp/a.out+0x41dbc9)
    
    Address 0x7fa4241440b0 is located in stack of thread T0 at offset 48 in frame
        #0 0x53f03f in png_image_free_function /tmp/libpng/png.c:4523
    
      This frame has 1 object(s):
        [32, 80) 'c' (line 4526) <== Memory access at offset 48 is inside this variable
    

Discovered by extending a fuzz target on oss-fuzz

CVE-2019-7317: Use after free  · Issue #275 · glennrp/libpng

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

A heap-buffer-overflow in prelexer.hpp:69:14 in char const\* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const\* Sass::Prelexer::sequence<&(char const\* Sass::Prelexer::exactly<(char)40>(char const\*)), &(char const\* Sass::Prelexer::skip\_over\_scopes<&(char const\* Sass::Prelexer::exactly<(char)40>(char const\*)), &(char const\* Sass::Prelexer::exactly<(char)41>(char const\*))>(char const\*))>(char const\*))>(char const\*)

Compile and reproduce:  
CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4

ldd:

    $ ldd sassc
    	linux-vdso.so.1 =>  (0x00007fffc6365000)
    	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f731150d000)
    	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7311204000)
    	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f7310e82000)
    	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7310c65000)
    	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f7310a5d000)
    	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f7310847000)
    	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f731047d000)
    	/lib64/ld-linux-x86-64.so.2 (0x00007f7311711000)
    

System information:  
Linux ubuntu64 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Version: libsass-3.5.5、sassc-3.4.8

Poc: crash147.zip

Run: cat crash147 | ./sassc

ASAN:

    =================================================================
    ==3354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000006a at pc 0x0000009591ef bp 0x7ffe65ea3260 sp 0x7ffe65ea3258
    READ of size 1 at 0x60700000006a thread T0
        #0 0x9591ee in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/prelexer.hpp:69:14
        #1 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212:14
        #2 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #3 0x958d3a in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #4 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212:14
        #5 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::identifier_schema, &Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #6 0x946c2c in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::variable, &Sass::Prelexer::identifier_schema, &Sass::Prelexer::identifier, &Sass::Prelexer::quoted_string, &Sass::Prelexer::number, &Sass::Prelexer::hex, &Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #7 0x946c2c in Sass::Prelexer::ie_keyword_arg_value(char const*) /home/eack/libsass/src/prelexer.cpp:1321
        #8 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:221:20
        #9 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
        #10 0x946dee in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
        #11 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::optional_css_whitespace, &(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
        #12 0x946dee in char const* Sass::Prelexer::sequence<&Sass::Prelexer::ie_keyword_arg_property, &Sass::Prelexer::optional_css_whitespace, &(char const* Sass::Prelexer::exactly<(char)61>(char const*)), &Sass::Prelexer::optional_css_whitespace, &Sass::Prelexer::ie_keyword_arg_value>(char const*) /home/eack/libsass/src/lexer.hpp:228
        #13 0x946dee in Sass::Prelexer::ie_keyword_arg(char const*) /home/eack/libsass/src/prelexer.cpp:1340
        #14 0x899ce2 in char const* Sass::Parser::peek<&Sass::Prelexer::ie_keyword_arg>(char const*) /home/eack/libsass/src/parser.hpp:136:27
        #15 0x899ce2 in Sass::Parser::parse_factor() /home/eack/libsass/src/parser.cpp:1470
        #16 0x891636 in Sass::Parser::parse_operators() /home/eack/libsass/src/parser.cpp:1416:29
        #17 0x886677 in Sass::Parser::parse_expression() /home/eack/libsass/src/parser.cpp:1375:26
        #18 0x88272c in Sass::Parser::parse_relation() /home/eack/libsass/src/parser.cpp:1320:26
        #19 0x87f37e in Sass::Parser::parse_conjunction() /home/eack/libsass/src/parser.cpp:1297:26
        #20 0x87d34e in Sass::Parser::parse_disjunction() /home/eack/libsass/src/parser.cpp:1275:27
        #21 0x83bc1b in Sass::Parser::parse_space_list() /home/eack/libsass/src/parser.cpp:1247:28
        #22 0x87ae39 in Sass::Parser::parse_comma_list(bool) /home/eack/libsass/src/parser.cpp:1216:27
        #23 0x835b3e in Sass::Parser::parse_list(bool) /home/eack/libsass/src/parser.cpp:1200:12
        #24 0x830d9b in Sass::Parser::parse_declaration() /home/eack/libsass/src/parser.cpp:1074:17
        #25 0x7fa3d2 in Sass::Parser::parse_block_node(bool) /home/eack/libsass/src/parser.cpp:309:30
        #26 0x7eee86 in Sass::Parser::parse_block_nodes(bool) /home/eack/libsass/src/parser.cpp:197:11
        #27 0x7f379f in Sass::Parser::parse_css_block(bool) /home/eack/libsass/src/parser.cpp:154:10
        #28 0x81ce00 in Sass::Parser::parse_block(bool) /home/eack/libsass/src/parser.cpp:178:12
        #29 0x81ce00 in Sass::Parser::parse_ruleset(Lookahead) /home/eack/libsass/src/parser.cpp:538
        #30 0x7f8c3b in Sass::Parser::parse_block_node(bool) /home/eack/libsass/src/parser.cpp:279:21
        #31 0x7eee86 in Sass::Parser::parse_block_nodes(bool) /home/eack/libsass/src/parser.cpp:197:11
        #32 0x7ea18f in Sass::Parser::parse() /home/eack/libsass/src/parser.cpp:123:5
        #33 0x611d5b in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /home/eack/libsass/src/context.cpp:324:24
        #34 0x62e930 in Sass::Data_Context::parse() /home/eack/libsass/src/context.cpp:636:5
        #35 0x5b9926 in Sass::sass_parse_block(Sass_Compiler*) /home/eack/libsass/src/sass_context.cpp:234:31
        #36 0x5b9926 in sass_compiler_parse /home/eack/libsass/src/sass_context.cpp:483
        #37 0x5b85c2 in sass_compile_context(Sass_Context*, Sass::Context*) /home/eack/libsass/src/sass_context.cpp:371:7
        #38 0x5b81ac in sass_compile_data_context /home/eack/libsass/src/sass_context.cpp:456:12
        #39 0x5a7069 in compile_stdin /home/eack/sassc/sassc.c:138:5
        #40 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
        #41 0x7fdf02f2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
        #42 0x4aad88 in _start (/home/eack/sassc/bin/sassc+0x4aad88)
    
    0x60700000006a is located 0 bytes to the right of 74-byte region [0x607000000020,0x60700000006a)
    allocated by thread T0 here:
        #0 0x56f420 in realloc /home/eack/llvm-install/llvm-6.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
        #1 0x5a6f22 in compile_stdin /home/eack/sassc/sassc.c:112:25
        #2 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
        #3 0x7fdf02f2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eack/libsass/src/prelexer.hpp:69:14 in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::hexa, &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::skip_over_scopes<&(char const* Sass::Prelexer::exactly<(char)40>(char const*)), &(char const* Sass::Prelexer::exactly<(char)41>(char const*))>(char const*))>(char const*))>(char const*)
    Shadow bytes around the buggy address:
      0x0c0e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00[02]fa fa
      0x0c0e7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3354==ABORTING

CVE-2019-6284: AddressSanitizer: heap-buffer-overflow  · Issue #2816 · sass/libsass

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

A heap-buffer-overflow in prelexer.hpp:70:14 in Sass::Prelexer::parenthese\_scope(char const\*)

Compile and reproduce:  
CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4

ldd:

    $ ldd sassc
    	linux-vdso.so.1 =>  (0x00007fffc6365000)
    	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f731150d000)
    	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7311204000)
    	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f7310e82000)
    	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7310c65000)
    	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f7310a5d000)
    	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f7310847000)
    	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f731047d000)
    	/lib64/ld-linux-x86-64.so.2 (0x00007f7311711000)
    

System information:  
Linux ubuntu64 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Version: libsass-3.5.5、sassc-3.4.8

Poc: crash27.zip

Run: cat crash27 | ./sassc

ASAN:

    =================================================================
    ==3211==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000019ac at pc 0x000000949dfd bp 0x7ffcd8af8180 sp 0x7ffcd8af8178
    READ of size 1 at 0x6030000019ac thread T0
        #0 0x949dfc in Sass::Prelexer::parenthese_scope(char const*) /home/eack/libsass/src/prelexer.hpp:69:14
        #1 0x931fd1 in char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:227:20
        #2 0x931fd1 in char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:205
        #3 0x931fd1 in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #4 0x931fd1 in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::identifier, &Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #5 0x931fd1 in char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::sequence<&Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*)), &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #6 0x931fd1 in char const* Sass::Prelexer::alternatives<&Sass::Prelexer::block_comment, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*)), &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:212
        #7 0x931fd1 in char const* Sass::Prelexer::non_greedy<&(char const* Sass::Prelexer::alternatives<&Sass::Prelexer::block_comment, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*)), &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::exactly<(char)123>(char const*)), &(char const* Sass::Prelexer::exactly<(char)125>(char const*)), &(char const* Sass::Prelexer::exactly<(char)59>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/lexer.hpp:265
        #8 0x8434a6 in char const* Sass::Parser::peek<&(char const* Sass::Prelexer::non_greedy<&(char const* Sass::Prelexer::alternatives<&Sass::Prelexer::block_comment, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*)), &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &(char const* Sass::Prelexer::sequence<&Sass::Prelexer::parenthese_scope, &Sass::Prelexer::interpolant, &(char const* Sass::Prelexer::optional<&Sass::Prelexer::quoted_string>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::exactly<(char)123>(char const*)), &(char const* Sass::Prelexer::exactly<(char)125>(char const*)), &(char const* Sass::Prelexer::exactly<(char)59>(char const*))>(char const*))>(char const*))>(char const*))>(char const*) /home/eack/libsass/src/parser.hpp:136:27
        #9 0x8434a6 in Sass::Parser::lookahead_for_value(char const*) /home/eack/libsass/src/parser.cpp:2862
        #10 0x7fedcc in Sass::Parser::parse_assignment() /home/eack/libsass/src/parser.cpp:503:27
        #11 0x7f5638 in Sass::Parser::parse_block_node(bool) /home/eack/libsass/src/parser.cpp:229:49
        #12 0x7eee86 in Sass::Parser::parse_block_nodes(bool) /home/eack/libsass/src/parser.cpp:197:11
        #13 0x7ea18f in Sass::Parser::parse() /home/eack/libsass/src/parser.cpp:123:5
        #14 0x611d5b in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /home/eack/libsass/src/context.cpp:324:24
        #15 0x62e930 in Sass::Data_Context::parse() /home/eack/libsass/src/context.cpp:636:5
        #16 0x5b9926 in Sass::sass_parse_block(Sass_Compiler*) /home/eack/libsass/src/sass_context.cpp:234:31
        #17 0x5b9926 in sass_compiler_parse /home/eack/libsass/src/sass_context.cpp:483
        #18 0x5b85c2 in sass_compile_context(Sass_Context*, Sass::Context*) /home/eack/libsass/src/sass_context.cpp:371:7
        #19 0x5b81ac in sass_compile_data_context /home/eack/libsass/src/sass_context.cpp:456:12
        #20 0x5a7069 in compile_stdin /home/eack/sassc/sassc.c:138:5
        #21 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
        #22 0x7f6362d7882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
        #23 0x4aad88 in _start (/home/eack/sassc/bin/sassc+0x4aad88)
    
    0x6030000019ac is located 0 bytes to the right of 28-byte region [0x603000001990,0x6030000019ac)
    allocated by thread T0 here:
        #0 0x56f420 in realloc /home/eack/llvm-install/llvm-6.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107
        #1 0x5a6f22 in compile_stdin /home/eack/sassc/sassc.c:112:25
        #2 0x5a81ed in main /home/eack/sassc/sassc.c:375:18
        #3 0x7f6362d7882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/eack/libsass/src/prelexer.hpp:69:14 in Sass::Prelexer::parenthese_scope(char const*)
    Shadow bytes around the buggy address:
      0x0c067fff82e0: 07 fa fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa
      0x0c067fff82f0: 00 00 04 fa fa fa 00 00 07 fa fa fa 00 00 00 fa
      0x0c067fff8300: fa fa 00 00 06 fa fa fa 00 00 04 fa fa fa 00 00
      0x0c067fff8310: 07 fa fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa
      0x0c067fff8320: 00 00 04 fa fa fa 00 00 07 fa fa fa 00 00 00 fa
    =>0x0c067fff8330: fa fa 00 00 00[04]fa fa fd fd fd fa fa fa fd fd
      0x0c067fff8340: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8350: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
      0x0c067fff8360: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
      0x0c067fff8370: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff8380: 00 00 00 03 fa fa 00 00 00 03 fa fa 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3211==ABORTING

CVE-2019-6283: AddressSanitizer: heap-buffer-overflow /home/eack/libsass/src/prelexer.hpp:69:14 in Sass::Prelexer::parenthese_scope(char const*) · Issue #2814 · sass/libsass

An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. A heap-based buffer overflow bug in svgpp_agg_render may lead to code execution. In the render_scanlines_aa_solid function, the blend_hline function is called repeatedly multiple times. blend_hline is equivalent to a loop containing write operations. Each call writes a piece of heap data, and multiple calls overwrite the data in the heap.

**bug1: an oob-read bug**

**description**  
A type confusion bug lead to out-of-bound read in src/demo/svgpp\_agg\_render. buffer.pixfmt() should return a reference to pixfmt\_alpha\_blend\_rgba but instead return some struct that look like a long+string. That is why it crashes when it simply get the member stride. This bug may be used in info-leak.  
**poc**  
https://drive.google.com/open?id=1J1jMmXyUyDNfDnAG2I8u7DsFirFo2eSD  
**asan**  
https://drive.google.com/open?id=1ZRbEzqun8BkGdXsRAG6tKsjd7v2gWbnV  
**details**  
The crash happened in src/demo/svgpp\_agg\_render  
https://github.com/svgpp/svgpp/blob/master/src/demo/render/svgpp\_render.cpp#L1705  
Looks like type confusion. buffer.pixfmt() should return a reference to pixfmt\_alpha\_blend\_rgba but instead return some struct that look like a long+string. That is why it crashes when it simply get the member stride  
This is a out of bound read bug.

**bug2: a heap-buffer-overflow bug**

**description**  
An heap buffer overflow bug in svgpp\_agg\_render which may lead to code excution. In the render\_scanlines\_aa\_solid function, the blend\_hline function is called repeatedly multiple times. blend\_hline is equivalent to the process of loop writing. Each call will write a piece of heap data, and multiple calls will overwrite the data in the heap.  
**poc**  
https://drive.google.com/open?id=1f4Eh4ozzTwQ3jqWAONuam0rl\_YO5io6l  
**asan**  
https://drive.google.com/open?id=1l906xNqzpjNKxNkVMHRJsBHYQRSOIuFE  
**details**  
here is a heap overflow here, the specific function call process is as follows:  
ClipBuffer::ClipBuffer(clip\_buffer.cpp) ---------------->  
render\_scanlines\_aa\_solid(agg\_renderer\_scanline.h)------Multiple calls in a loop------> blend\_hline(agg\_renderer\_base.h) ------------>  
blend\_hline(agg\_pixfmt\_gray.h)  
In the render\_scanlines\_aa\_solid function, the blend\_hline function is called repeatedly multiple times.  
blend\_hline is equivalent to the process of loop writing. Each call will write a piece of heap data, and multiple calls will overwrite the data in the heap.  

void blend\_hline(int x, int y,

  
In the render\_scanlines\_aa\_solid function, there is no explicit restriction on the 'for' loop. After calling blend\_hline multiple times, it causes a heap overflow.  
This bug is also found in agg\_pixfmt\_rgb.h, agg\_pixfmt\_rgb\_packed.h, agg\_pixfmt\_rgba.h, agg\_pixfmt\_transposer.h.**bug3: a stack overflow bug**

**description**  
in the function agg::cell\_aa::not\_equal, dx is assigned to (x2 - x1). if dx >= dx\_limit, which is (16384 << poly\_subpixel\_shift). This function will call itself recursively.  
There will be a sitaution when (x2 - x1) always bigger than dx\_limit during the recursion  
Thats how the stack-overflow happened. This bug mat lead to code execution.  
**poc**  
https://drive.google.com/open?id=1Ejzmnrk6WhUMQT6O6qfRy0dGF82kgl5X  
**asan**  
https://drive.google.com/open?id=17gPhe2-zJLSOFyx4PmpWdx1jeRYcvK2s  
**details**  
in the function agg::cell\_aa::not\_equal

     template<class Cell> 
        void rasterizer_cells_aa<Cell>::line(int x1, int y1, int x2, int y2)
        {
            enum dx_limit_e { dx_limit = 16384 << poly_subpixel_shift };
    
            int dx = x2 - x1;
    
            if(dx >= dx_limit || dx <= -dx_limit)
            {
                int cx = (x1 + x2) >> 1;
                int cy = (y1 + y2) >> 1;
                line(x1, y1, cx, cy);
                line(cx, cy, x2, y2);
            }
    
    int dy = y2 - y1;
    

dx is assigned to (x2 - x1)  
if dx >= dx\_limit, which is (16384 << poly\_subpixel\_shift). This function will call itself recursively.  
There will be a sitaution when (x2 - x1) always bigger than dx\_limit during the recursion  
Thats how the stack-overflow happened.

**bug4: a oob-read bug**

**description**  
After callng gil::get\_color function in the boost library, the return code is used as an address.  
Thus it caused an Violation Access. This may lead to an out-of-bound read.  
**poc**  
https://drive.google.com/open?id=1o1EqHQ6sjY68IRH24yokqYqgTMHSOqe6  
**asan**  
https://drive.google.com/open?id=1gYkV4ql71p6xN43aBa3JxBxLAwsprkEh  
**details**

    gil::get_color(result, gil::green_t()) 
          = gil_detail::blend_channel_fn<BlendModeTag, typename gil::color_element_type<Color, gil::green_t>::type>()(
            gil::get_color(pixa, gil::green_t()), gil::get_color(pixb, gil::green_t()),
    alpha_a, alpha_b);
    

After callng gil::get\_color function in the boost library, the return code is used as an address.  
Thus it caused an Violation Access.

CVE-2019-6247: 4 bugs found in svgpp · Issue #70 · svgpp/svgpp

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.

CVE-2018-16866

There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.

**description**

Exiv2 is a C++ library and a command line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata.

**version**

0.27-RC2

**others****@\_@**

This bug is reported by fish@360TeamSeri0us, please send email to teamSeri0us360@gmail.com if you have any questions.

**details**

1.fish@ubuntu:~/Desktop/2018-10-10/image/exiv2$ ./exiv2 -pR pngimage-heap-bof-poc-1

    STRUCTURE OF PNG FILE: pngimage-heap-bof-poc-1
     address | chunk |  length | data                           | checksum
           8 | tEXt  |      13 | ... ... ....                   | 0x44a48ac6
          33 | tEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
    =================================================================
    ==113281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000009ba at pc 0x7f4af3fd811d bp 0x7ffd47126490 sp 0x7ffd47126480
    READ of size 1 at 0x6030000009ba thread T0
        #0 0x7f4af3fd811c in tEXtToDataBuf /home/fish/Desktop/2018-10-10/image/exiv2/src/pngimage.cpp:178
        #1 0x7f4af3fd811c in Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /home/fish/Desktop/2018-10-10/image/exiv2/src/pngimage.cpp:331
        #2 0x557cf0232702 in printStructure /home/fish/Desktop/2018-10-10/image/exiv2/src/actions.cpp:2361
        #3 0x557cf026ff6c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fish/Desktop/2018-10-10/image/exiv2/src/actions.cpp:251
        #4 0x557cf01dd1dd in main /home/fish/Desktop/2018-10-10/image/exiv2/src/exiv2.cpp:169
        #5 0x7f4af2f8ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #6 0x557cf01de369 in _start (/home/fish/Desktop/2018-10-10/image/exiv2/afl/afl/bin/exiv2+0x14369)
    
    0x6030000009ba is located 0 bytes to the right of 26-byte region [0x6030000009a0,0x6030000009ba)
    allocated by thread T0 here:
        #0 0x7f4af4b1a618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
        #1 0x7f4af3fd2934 in Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /home/fish/Desktop/2018-10-10/image/exiv2/src/pngimage.cpp:320
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fish/Desktop/2018-10-10/image/exiv2/src/pngimage.cpp:178 in tEXtToDataBuf
    Shadow bytes around the buggy address:
      0x0c067fff80e0: fd fd fd fd fa fa 00 00 00 07 fa fa fd fd fd fd
      0x0c067fff80f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
      0x0c067fff8100: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      0x0c067fff8110: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
      0x0c067fff8120: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
    =>0x0c067fff8130: fd fd fa fa 00 00 00[02]fa fa fa fa fa fa fa fa
      0x0c067fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==113281==ABORTING
    
    

2.fish@ubuntu:~/Desktop/2018-10-10/image/exiv2/data/poc$ ./exiv2 -Y 2011 -O 02 -D 29 adjust tiffimage\_int-out-of-bound-read-poc-2

    m1-26f459b3eb2a285626b849d6950db7ab.tif
    Error: Directory Image: Next pointer is out of bounds; ignored.
    Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
    Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
    Error: XMP Toolkit error 201: XML parsing failure
    Warning: Failed to decode XMP metadata.
    Error: Directory Image: Next pointer is out of bounds; ignored.
    Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
    Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
    ASAN:DEADLYSIGNAL
    =================================================================
    ==24291==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fe6e2891e78 bp 0x7ffed602d560 sp 0x7ffed602d440 T0)
    ==24291==The signal is caused by a READ memory access.
    ==24291==Hint: address points to the zero page.
        #0 0x7fe6e2891e77 in Exiv2::Internal::TiffParserWorker::findPrimaryGroups(std::vector<Exiv2::Internal::IfdId, std::allocator<Exiv2::Internal::IfdId> >&, Exiv2::Internal::TiffComponent*) /home/fish/Desktop/2018-10-10/image/exiv2/src/tiffimage_int.cpp:1698
        #1 0x7fe6e2895d24 in Exiv2::Internal::TiffParserWorker::encode(Exiv2::BasicIo&, unsigned char const*, unsigned int, Exiv2::ExifData const&, Exiv2::IptcData const&, Exiv2::XmpData const&, unsigned int, void (Exiv2::Internal::TiffEncoder::*(*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase*, Exiv2::Exifdatum const*), Exiv2::Internal::TiffHeaderBase*, Exiv2::Internal::OffsetWriter*) /home/fish/Desktop/2018-10-10/image/exiv2/src/tiffimage_int.cpp:1592
        #2 0x7fe6e2536540 in Exiv2::TiffParser::encode(Exiv2::BasicIo&, unsigned char const*, unsigned int, Exiv2::ByteOrder, Exiv2::ExifData const&, Exiv2::IptcData const&, Exiv2::XmpData const&) /home/fish/Desktop/2018-10-10/image/exiv2/src/tiffimage.cpp:305
        #3 0x7fe6e25458dd in Exiv2::TiffImage::writeMetadata() /home/fish/Desktop/2018-10-10/image/exiv2/src/tiffimage.cpp:248
        #4 0x563b37a5a0fa in Action::Adjust::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fish/Desktop/2018-10-10/image/exiv2/src/actions.cpp:1677
        #5 0x563b3799f1dd in main /home/fish/Desktop/2018-10-10/image/exiv2/src/exiv2.cpp:169
        #6 0x7fe6e15feb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #7 0x563b379a0369 in _start (/home/fish/Desktop/2018-10-10/image/exiv2/afl/afl/bin/exiv2+0x14369)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/fish/Desktop/2018-10-10/image/exiv2/src/tiffimage_int.cpp:1698 in Exiv2::Internal::TiffParserWorker::findPrimaryGroups(std::vector<Exiv2::Internal::IfdId, std::allocator<Exiv2::Internal::IfdId> >&, Exiv2::Internal::TiffComponent*)
    ==24291==ABORTING
    
    

3.fish@ubuntu:~/Desktop/2018-10-10/image/exiv2/data/poc$ ./exiv2 -M'set Xmp.dc.title lang="de-DE" Euros' jp2image-heap-bof-poc-3

    =================================================================
    ==128911==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000005f4 at pc 0x7ff6ac1a6733 bp 0x7ffded608850 sp 0x7ffded607ff8
    READ of size 1785737760 at 0x6030000005f4 thread T0
        #0 0x7ff6ac1a6732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
        #1 0x7ff6ab46e9d7 in Exiv2::Jp2Image::encodeJp2Header(Exiv2::DataBuf const&, Exiv2::DataBuf&) /home/fish/Desktop/2018-10-10/image/exiv2/src/jp2image.cpp:676
        #2 0x7ff6ab470e94 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /home/fish/Desktop/2018-10-10/image/exiv2/src/jp2image.cpp:787
        #3 0x7ff6ab47c4f9 in Exiv2::Jp2Image::writeMetadata() /home/fish/Desktop/2018-10-10/image/exiv2/src/jp2image.cpp:610
        #4 0x55668dd4b9d8 in Action::Modify::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fish/Desktop/2018-10-10/image/exiv2/src/actions.cpp:1428
        #5 0x55668dc961dd in main /home/fish/Desktop/2018-10-10/image/exiv2/src/exiv2.cpp:169
        #6 0x7ff6aa67db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #7 0x55668dc97369 in _start (/home/fish/Desktop/2018-10-10/image/exiv2/afl/afl/bin/exiv2+0x14369)
    
    0x6030000005f4 is located 0 bytes to the right of 20-byte region [0x6030000005e0,0x6030000005f4)
    allocated by thread T0 here:
        #0 0x7ff6ac20d618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
        #1 0x7ff6ab5c8aeb in Exiv2::DataBuf::DataBuf(long) /home/fish/Desktop/2018-10-10/image/exiv2/src/types.cpp:141
        #2 0x7ffded608be7  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
    Shadow bytes around the buggy address:
      0x0c067fff8060: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
      0x0c067fff8070: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
      0x0c067fff8080: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
      0x0c067fff8090: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
      0x0c067fff80a0: 03 fa fa fa 00 00 00 fa fa fa fd fd fd fa fa fa
    =>0x0c067fff80b0: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00[04]fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==128911==ABORTING
    
    

4.fish@ubuntu:~/Desktop/2018-10-10/image/exiv2/data/poc$ ./iptcprint abort-poc-4

    terminate called after throwing an instance of 'std::overflow_error'
      what():  Overflow in addition
    Aborted
    

5.fish@ubuntu:~/Desktop/2018-10-10/image/exiv2/data/poc$ ./exiv2 insert jp2image-infiniteloop-poc-5 ^C

      629	         int32_t       count  = sizeof (Jp2BoxHeader);
        630	         char*         p      = (char*) boxBuf.pData_;
        631	         bool          bWroteColor = false ;
        632	 
        633	         while ( count < length || !bWroteColor ) {
    		// pSubBox=0x00007fffffffb538  →  [...]  →  0x01726c6f00000000, p=0x00007fffffffb530  →  [...]  →  0x6832706a2d000000
     →  634	             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
        635	 
        636	             // copy data.  pointer could be into a memory mapped file which we will decode!
        637	             Jp2BoxHeader   subBox = *pSubBox ;
        638	             Jp2BoxHeader   newBox =  subBox;
        639	 
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
    [#0] Id 1, Name: "exiv2", stopped, reason: SINGLE STEP
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
    [#0] 0x7ffff798bb95 → Name: Exiv2::Jp2Image::encodeJp2Header(this=0x5555557bb650, boxBuf=@0x7fffffffb5d0, outBuf=@0x7fffffffb5e0)
    [#1] 0x7ffff798c474 → Name: Exiv2::Jp2Image::doWriteMetadata(this=0x5555557bb650, outIo=@0x5555557e7d10)
    [#2] 0x7ffff798b9d0 → Name: Exiv2::Jp2Image::writeMetadata(this=0x5555557bb650)
    [#3] 0x555555585650 → Name: (anonymous namespace)::metacopy(source="jp2image-infiniteloop-poc-5.exv", tgt="", targetType=0x0, preserve=0x1)
    [#4] 0x55555557f315 → Name: Action::Insert::run(this=0x5555557b3270, path="jp2image-infiniteloop-poc-5")
    [#5] 0x555555567452 → Name: main(argc=0x3, argv=0x7fffffffddc8)
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    634	            Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
    gef➤  p subBox
    $2 = {
      length = 0x0, 
      type = 0x6f6c7201
    }

Tag

#c++