Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070074==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fd06cc at pc 0x0000005555f3 bp 0x7ffcdce1ca70 sp 0x7ffcdce1ca68  
READ of size 4 at 0x000000fd06cc thread T0  
#0 0x5555f2 in SetUpPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43  
#1 0x5552d5 in SelectPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:360:2  
#2 0x57eae8 in TranslateWord2 /src/espeak-ng/src/libespeak-ng/translate.c:570:4  
#3 0x5797d6 in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:1607:6  
#4 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#5 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#6 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#7 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#8 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#9 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#10 0x7f1ab886e082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#11 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

0x000000fd06cc is located 140 bytes to the right of global variable 'phoneme\_tab\_list' defined in 'src/libespeak-ng/synthdata.c:61:18' (0xfcea20) of size 7200  
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43 in SetUpPhonemeTable

Shadow bytes around the buggy address:  
0x0000801f2080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f2090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20c0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9  
\=>0x0000801f20d0: f9 f9 f9 f9 f9 f9 f9 f9 f9\[f9\]f9 f9 f9 f9 f9 f9  
0x0000801f20e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f20f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2110: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2120: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070074==ABORTING

CVE-2023-49990: global-buffer-overflow exists in the function SetUpPhonemeTable in synthdata.c · Issue #1824 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070186==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd7a6c0e80 at pc 0x00000055a66a bp 0x7ffd7a6c0b70 sp 0x7ffd7a6c0b68  
READ of size 8 at 0x7ffd7a6c0e80 thread T0  
#0 0x55a669 in CountVowelPosition /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14  
#1 0x55a669 in InterpretCondition /src/espeak-ng/src/libespeak-ng/synthdata.c:626:12  
#2 0x55a669 in InterpretPhoneme /src/espeak-ng/src/libespeak-ng/synthdata.c:832:14  
#3 0x55ab57 in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:979:2  
#4 0x5fc032 in CalcLengths /src/espeak-ng/src/libespeak-ng/setlengths.c:680:5  
#5 0x56fe4e in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1563:2  
#6 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#7 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#8 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#9 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#10 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#11 0x7fe8046c2082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#12 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

Address 0x7ffd7a6c0e80 is located in stack of thread T0 at offset 0 in frame  
#0 0x55a92f in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:964

This frame has 1 object(s):  
\[32, 192) 'plist' (line 967)  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
(longjmp and C++ exceptions _are_ supported)  
SUMMARY: AddressSanitizer: stack-buffer-underflow /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14 in CountVowelPosition

Shadow bytes around the buggy address:  
0x10002f4d0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d01a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1  
0x10002f4d01b0: f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3  
0x10002f4d01c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x10002f4d01d0:\[f1\]f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d01e0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3  
0x10002f4d01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0220: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070186==ABORTING

CVE-2023-49991: stack-buffer-underflow exists in the function CountVowelPosition in synthdata.c · Issue #1825 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070654==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce78764a0 at pc 0x00000049796a bp 0x7ffce78758d0 sp 0x7ffce7875098  
WRITE of size 393 at 0x7ffce78764a0 thread T0  
#0 0x497969 in \_\_asan\_memcpy (/src/espeak-ng/src/espeak-ng+0x497969)  
#1 0x51c13e in RemoveEnding /src/espeak-ng/src/libespeak-ng/dictionary.c:2902:3  
#2 0x5853f2 in TranslateWord3 /src/espeak-ng/src/libespeak-ng/translateword.c:444:17  
#3 0x570911 in TranslateWord /src/espeak-ng/src/libespeak-ng/translate.c:150:14  
#4 0x57c9ca in TranslateWord2 /src/espeak-ng/src/libespeak-ng/translate.c:404:11  
#5 0x57951f in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:1594:17  
#6 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#7 0x5430bc in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:455:2  
#8 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#9 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#10 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#11 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#12 0x7f9c6597c082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#13 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

Address 0x7ffce78764a0 is located in stack of thread T0 at offset 2368 in frame  
#0 0x58082f in TranslateWord3 /src/espeak-ng/src/libespeak-ng/translateword.c:59

This frame has 25 object(s):  
\[32, 232) 'ph\_buf.i.i' (line 1191)  
\[304, 308) 'c.i' (line 1122)  
\[320, 324) 'wc.i' (line 1048)  
\[336, 416) 'word\_buf.i' (line 1053)  
\[448, 456) 'word1' (line 62)  
\[480, 488) 'dictionary\_flags' (line 68)  
\[512, 520) 'dictionary\_flags2' (line 69)  
\[544, 552) 'wordx' (line 74)  
\[576, 776) 'phonemes' (line 75)  
\[848, 1048) 'phonemes2' (line 76)  
\[1120, 1320) 'prefix\_phonemes' (line 77)  
\[1392, 1592) 'unpron\_phonemes' (line 78)  
\[1664, 1864) 'end\_phonemes' (line 79)  
\[1936, 2136) 'end\_phonemes2' (line 80)  
\[2208, 2368) 'word\_copy' (line 81)  
\[2432, 2592) 'word\_copy2' (line 82) <== Memory access at offset 2368 partially underflows this variable

\[2656, 2721) 'prefix\_chars' (line 84) <== Memory access at offset 2368 partially underflows this variable  
\[2768, 2772) 'c\_temp' (line 87)  
\[2784, 2788) 'first\_char' (line 88)  
\[2800, 2804) 'last\_char' (line 89)  
\[2816, 2912) 'wtab\_null' (line 99)  
\[2944, 2948) 'wc' (line 322)  
\[2960, 3160) 'end\_phonemes2410' (line 343)  
\[3232, 3240) 'wordpf' (line 401)  
\[3264, 3276) 'prefix\_phonemes2' (line 402)  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
(longjmp and C++ exceptions _are_ supported)  
SUMMARY: AddressSanitizer: stack-buffer-overflow (/src/espeak-ng/src/espeak-ng+0x497969) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x10001cf06c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06c50: 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00  
0x10001cf06c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06c70: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2  
0x10001cf06c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x10001cf06c90: 00 00 00 00\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00  
0x10001cf06ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06cb0: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00  
0x10001cf06cc0: 01 f2 f2 f2 f2 f2 04 f2 04 f2 04 f2 00 00 00 00  
0x10001cf06cd0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f8 f2 f8 f8  
0x10001cf06ce0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6

Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070654==ABORTING

CVE-2023-49992: stack-buffer-overflow exists in the function RemoveEnding in dictionary.c · Issue #1827 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070638==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fe1cb0 at pc 0x0000005389ce bp 0x7ffd05945410 sp 0x7ffd05945408  
WRITE of size 4 at 0x000000fe1cb0 thread T0  
#0 0x5389cd in ReadClause /src/espeak-ng/src/libespeak-ng/readclause.c:668:30  
#1 0x571b2d in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:984:15  
#2 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#3 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#4 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#5 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#6 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#7 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#8 0x7f79f766d082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#9 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

0x000000fe1cb0 is located 48 bytes to the left of global variable 'option\_linelength' defined in 'src/libespeak-ng/translate.c:99:5' (0xfe1ce0) of size 4  
0x000000fe1cb0 is located 0 bytes to the right of global variable 'option\_punctlist' defined in 'src/libespeak-ng/translate.c:96:9' (0xfe1bc0) of size 240  
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/readclause.c:668:30 in ReadClause

Shadow bytes around the buggy address:  
0x0000801f4340: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4350: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4360: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4370: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00  
0x0000801f4380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0000801f4390: 00 00 00 00 00 00\[f9\]f9 f9 f9 f9 f9 04 f9 f9 f9  
0x0000801f43a0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00  
0x0000801f43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f43c0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9  
0x0000801f43d0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00  
0x0000801f43e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070638==ABORTING

CVE-2023-49993: global-buffer-overflow exists in the function ReadClause in readclause.c · Issue #1826 · espeak-ng/espeak-ng

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

**heap-buffer-overflow in str2ulong src/media\_tools/avilib.c:137:16 in gpac/MP4Box****Description**

Heap-buffer-overflow in MP4Box.  
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16

**Version**

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

\=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx\_process /afltest/gpac2/src/filters/dmx\_avi.c:492:14
    #4 0x7ffff6e8f502 in gf\_filter\_process\_task /afltest/gpac2/src/filter\_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf\_fs\_thread\_proc /afltest/gpac2/src/filter\_core/filter\_session.c:2105:3
    #6 0x7ffff6e6193d in gf\_fs\_run /afltest/gpac2/src/filter\_core/filter\_session.c:2405:3
    #7 0x7ffff67a625c in gf\_dasher\_process /afltest/gpac2/src/media\_tools/dash\_segmenter.c:1236:6
    #8 0x50dfc7 in do\_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box\_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42adad in \_start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region \[0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media\_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c427fffb460: 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1173259\==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

_Thanks_ _for_ _your_ _time_!

**PoC**

poc6gpac: poc6gpac.zip

****Impact****

This vulnerability is capable of causing crashes, or possible code execution.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46932: heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box · Issue #2669 · gpac/gpac

Ubuntu Security Notice 6542-1 - Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6542-1December 07, 2023tinyxml vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:TinyXML could be made to crash if it opened a specially craftedfile.Software Description:- tinyxml: A simple, small, minimal, C++ XML parserDetails:Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially craftedinput file, a remote attacker could possibly use this issue to cause adenial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   libtinyxml-dev                  2.6.2-4+deb10u1build0.20.04.1   libtinyxml2.6.2v5               2.6.2-4+deb10u1build0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   libtinyxml-dev                  2.6.2-4ubuntu0.18.04.1~esm1   libtinyxml2.6.2v5               2.6.2-4ubuntu0.18.04.1~esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   libtinyxml-dev                  2.6.2-3ubuntu0.1~esm1   libtinyxml2.6.2v5               2.6.2-3ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6542-1   CVE-2021-42260Package Information:   https://launchpad.net/ubuntu/+source/tinyxml/2.6.2-4+deb10u1build0.20.04.1

Ubuntu Security Notice USN-6542-1

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

**Description**

heap-use-after-free/SEGV/heap-buffer-overflow libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci

**Version**

    commit: 64ece913266609789f5dc70fe7de9eb759badd7f
    
    heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

> I just show the uaf case, you can use my poc to reproduce the others.

    ==88148==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000910 at pc 0x7f7a88d9ab47 bp 0x7ffef17996e0 sp 0x7ffef17996d0
    READ of size 2 at 0x60e000000910 thread T0
        #0 0x7f7a88d9ab46 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) libheif/libheif/uncompressed_image.cc:537
        #1 0x7f7a88c96f95 in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const libheif/libheif/file.cc:609
        #2 0x7f7a88c58d54 in HeifContext::Image::get_luma_bits_per_pixel() const libheif/libheif/context.cc:1225
        #3 0x7f7a88c1abf7 in heif_image_handle_get_luma_bits_per_pixel libheif/libheif/heif.cc:846
        #4 0x55fa40c34835 in main libheif/examples/heif_convert.cc:475
        #5 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #6 0x55fa40c2fadd in _start (libheif/build/examples/heif-convert+0xbadd)
    
    0x60e000000910 is located 16 bytes inside of 160-byte region [0x60e000000900,0x60e0000009a0)
    freed by thread T0 here:
        #0 0x7f7a88f6c0d0 in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.4+0xe20d0)
        #1 0x7f7a88c038d9 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/ext/new_allocator.h:125
        #2 0x7f7a88bfef61 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:462
        #3 0x7f7a88bf4553 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/7/bits/allocated_ptr.h:73
        #4 0x7f7a88c1019d in std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/7/bits/shared_ptr_base.h:543
        #5 0x7f7a88b94163 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:170
        #6 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #7 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #8 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #9 0x7f7a88be9854 in void std::_Destroy<std::shared_ptr<Box> >(std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:98
        #10 0x7f7a88be4eb8 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:108
        #11 0x7f7a88bdafef in void std::_Destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:137
        #12 0x7f7a88bce3b8 in void std::_Destroy<std::shared_ptr<Box>*, std::shared_ptr<Box> >(std::shared_ptr<Box>*, std::shared_ptr<Box>*, std::allocator<std::shared_ptr<Box> >&) /usr/include/c++/7/bits/stl_construct.h:206
        #13 0x7f7a88bc3acf in std::vector<std::shared_ptr<Box>, std::allocator<std::shared_ptr<Box> > >::~vector() /usr/include/c++/7/bits/stl_vector.h:434
        #14 0x7f7a88bc02f8 in Box::~Box() (libheif/build/libheif/libheif.so.1+0xa22f8)
        #15 0x7f7a88bc053e in FullBox::~FullBox() (libheif/build/libheif/libheif.so.1+0xa253e)
        #16 0x7f7a88c09a8c in Box_meta::~Box_meta() (libheif/build/libheif/libheif.so.1+0xeba8c)
        #17 0x7f7a88c12579 in void __gnu_cxx::new_allocator<Box_meta>::destroy<Box_meta>(Box_meta*) /usr/include/c++/7/ext/new_allocator.h:140
        #18 0x7f7a88c111de in void std::allocator_traits<std::allocator<Box_meta> >::destroy<Box_meta>(std::allocator<Box_meta>&, Box_meta*) /usr/include/c++/7/bits/alloc_traits.h:487
        #19 0x7f7a88c10310 in std::_Sp_counted_ptr_inplace<Box_meta, std::allocator<Box_meta>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/7/bits/shared_ptr_base.h:535
        #20 0x7f7a88b940ec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:154
        #21 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #22 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #23 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #24 0x7f7a88b9d8b5 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:436
        #25 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #26 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #27 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #28 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #29 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
    
    previously allocated by thread T0 here:
        #0 0x7f7a88f6b258 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.4+0xe1258)
        #1 0x7f7a88c038a8 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x7f7a88bfeeb4 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x7f7a88bf44b9 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/7/bits/allocated_ptr.h:104
        #4 0x7f7a88bea393 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<Box_hdlr, std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, Box_hdlr*, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:635
        #5 0x7f7a88be5955 in std::__shared_ptr<Box_hdlr, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:1295
        #6 0x7f7a88bdc441 in std::shared_ptr<Box_hdlr>::shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:344
        #7 0x7f7a88bcf8a2 in std::shared_ptr<Box_hdlr> std::allocate_shared<Box_hdlr, std::allocator<Box_hdlr>>(std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:691
        #8 0x7f7a88bc4768 in std::shared_ptr<Box_hdlr> std::make_shared<Box_hdlr>() /usr/include/c++/7/bits/shared_ptr.h:707
        #9 0x7f7a88b9bcf3 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:448
        #10 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #11 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #12 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #13 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #14 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #15 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #16 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #17 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #18 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #19 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #20 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #21 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #22 0x7f7a88c9217e in HeifFile::parse_heif_file(BitstreamRange&) libheif/libheif/file.cc:254
        #23 0x7f7a88c8ffc6 in HeifFile::read(std::shared_ptr<StreamReader> const&) libheif/libheif/file.cc:107
        #24 0x7f7a88c8f8c6 in HeifFile::read_from_file(char const*) libheif/libheif/file.cc:88
        #25 0x7f7a88c4b3d7 in HeifContext::read_from_file(char const*) libheif/libheif/context.cc:429
        #26 0x7f7a88c163ff in heif_context_read_from_file libheif/libheif/heif.cc:451
        #27 0x55fa40c33e68 in main libheif/examples/heif_convert.cc:410
        #28 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    SUMMARY: AddressSanitizer: heap-use-after-free libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
    Shadow bytes around the buggy address:
      0x0c1c7fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8110: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
    =>0x0c1c7fff8120: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c1c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      0x0c1c7fff8150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8170: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==88148==ABORTING
    

**POC**

*   poc-heap-overflow
*   poc-heap-uaf
*   poc-segv

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49464: heap-use-after-free/SEGV/heap-buffer-overflow in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci · Issue #1044 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.

**Description**

SEGV libheif/libheif/exif.cc:88 in find_exif_tag

**Version**

     heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    =================================================================
    ==216883==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0b184d2bc (pc 0x55f4628c3ca8 bp 0x00004e7b34c8 sp 0x7ffe414d49b0 T0)
    ==216883==The signal is caused by a READ memory access.
        #0 0x55f4628c3ca8 in find_exif_tag eva/put/libheif/libheif/exif.cc:88
        #1 0x55f4628c536b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) eva/put/libheif/libheif/exif.cc:124
        #2 0x55f4628c536b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) eva/put/libheif/libheif/exif.cc:140
        #3 0x55f4628cac75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) eva/put/libheif/examples/encoder_png.cc:126
        #4 0x55f4628b4c99 in main eva/put/libheif/examples/heif_convert.cc:509
        #5 0x7fb342a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7fb342a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #7 0x55f4628bd254 in _start (eva/put/libheif/build/examples/heif-convert+0x15254)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV eva/put/libheif/libheif/exif.cc:88 in find_exif_tag
    ==216883==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49463: SEGV libheif/libheif/exif.cc:88 in find_exif_tag · Issue #1042 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.

**Description**

AddressSanitizer: SEGV in decode_uncompressed_image

**Version**

    commit: 64ece913266609789f5dc70fe7de9eb759badd7f
    
    heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    ==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
    ==89344==The signal is caused by a READ memory access.
    ==89344==Hint: address points to the zero page.
        #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
        #1 0x7f955d85f4de  (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
        #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:758
        #3 0x7f955d5b7304 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
        #4 0x7f955d5b42a8 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
        #5 0x7f955d5771f4 in heif_decode_image libheif/libheif/heif.cc:1044
        #6 0x55e9351aca11 in main libheif/examples/heif_convert.cc:484
        #7 0x7f955cfef082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #8 0x55e9351a7add in _start (libheif/build/examples/heif-convert+0xbadd)
    

**POC**

*   poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49460: AddressSanitizer: SEGV in `decode_uncompressed_image` · Issue #1046 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.

**Description**

SEGV libheif/libheif/exif.cc:55 in read16

**Version**

     heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    ==1926429==ERROR: AddressSanitizer: SEGV on unknown address 0x60b080000729 (pc 0x55abe2b1012c bp 0x000000000000 sp 0x7ffe0b2df5a0 T0)
    ==1926429==The signal is caused by a READ memory access.
        #0 0x55abe2b1012c in read16 /eva/put/libheif/libheif/exif.cc:55
        #1 0x55abe2b1012c in find_exif_tag /eva/put/libheif/libheif/exif.cc:103
        #2 0x55abe2b1136b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) /eva/put/libheif/libheif/exif.cc:124
        #3 0x55abe2b1136b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) /eva/put/libheif/libheif/exif.cc:140
        #4 0x55abe2b16c75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /eva/put/libheif/examples/encoder_png.cc:126
        #5 0x55abe2b00c99 in main /eva/put/libheif/examples/heif_convert.cc:509
        #6 0x7fb15dc29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #7 0x7fb15dc29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #8 0x55abe2b09254 in _start (/eva/asan-bin/NestFuzz/libheif/heif-convert+0x15254)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /eva/put/libheif/libheif/exif.cc:55 in read16
    ==1926429==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

Tag

#c++