Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.

Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

\==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8  
READ of size 4 at 0x60200001137a thread T1  
#0 0x49b786 in \_\_asan\_memcpy (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786)  
#1 0x4d5def in capture\_ws\_check\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9  
#2 0x4d177f in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9  
#3 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)  
#4 0x7fa068127f67 in pcap\_loop (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x11f67)  
#5 0x4cf5c9 in capture\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5  
#6 0x7fa0680f9608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8  
#7 0x7fa067ea4132 in \_\_clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region \[0x602000011370,0x602000011374)  
allocated by thread T1 here:  
#0 0x49c3cd in \_\_interceptor\_malloc (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49c3cd)  
#1 0x4dc743 in packet\_set\_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27  
#2 0x4d4bd5 in capture\_packet\_reasm\_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9  
#3 0x4d1722 in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21  
#4 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:  
#0 0x486a8c in pthread\_create (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x486a8c)  
#1 0x4d712c in capture\_launch\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13  
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9  
#3 0x7fa067da9082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa  
\=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04\[fa\]  
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==909699==ABORTING

**Command To Reproduce the bug:**

./sngrep -N -I $crash\_seed  
The URL of crash\_seed is crash\_seed

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   ndisasm: 1.6.0

Many Thanks.

CVE-2023-36192: heap-buffer-overflow on capture.c:923:9 · Issue #438 · irontec/sngrep

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.

Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

**Command To Reproduce the bug:**

./gifsicle --loopcount=-

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   gifsicle 1.93

**ASAN Report**

\=================================================================  
\==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8  
READ of size 1 at 0x60300000005a thread T0  
#0 0x4dd2b3 in ambiguity\_error /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62  
#1 0x4d17b1 in parse\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1216:9  
#2 0x4d949e in Clp\_Next /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1967:6  
#3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1533:15  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#5 0x41d4cd in \_start (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region \[0x603000000040,0x603000000058)  
allocated by thread T0 here:  
#0 0x499c7d in \_\_interceptor\_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x499c7d)  
#1 0x4d4a20 in finish\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1230:50  
#2 0x4d47fc in Clp\_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1332:9  
#3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1461:3  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62 in ambiguity\_error  
Shadow bytes around the buggy address:  
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00\[fa\]fa fa 00 00  
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa  
0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==956047==ABORTING

Many Thanks.  
cheng meng da

CVE-2023-36193: heap-buffer-overflow in ambiguity_error · Issue #191 · kohler/gifsicle

FLVMeta v1.2.1 was discovered to contain a buffer overflow via the xml_on_metadata_tag_only function at dump_xml.c.

**Memory allocation failure in xml\_on\_metadata\_tag\_only() at dump\_xml.c:271**

Memory allocation failure in the flvmeta at function xml\_on\_metadata\_tag\_only in dump\_xml.c:271.

**Environment**

Ubuntu 18.04, 64 bit  
FLVMeta 1.2.1

**Steps to reproduce**

1.  download file

    wget https://github.com/noirotm/flvmeta/archive/refs/tags/v1.2.1.tar.gz
    tar -zxvf v1.2.1.tar.gz
    

2.  compile libming with ASAN

    cd flvmeta-1.2.1
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -Wno-error" cmake -DCMAKE_C_COMPILER=wllvm -DCMAKE_CXX_COMPILER=wllvm++ -B obj-bc -G"Unix Makefiles" 
    cd obj-bc
    make
    
    cd src
    extract-bc flvmeta
    clang -fsanitize=address flvmeta.bc -o flvmeta_asan
    

3.  command for reproducing the error

Download poc:  
flvmeta\_memory-allocation-failure\_dumpxml271.zip

**ASAN report**

    root@a71b82b5d288:~/dataset/flvmeta-1.2.1/obj-bc/src# ./flvmeta_asan flvmeta_memory-allocation-failure_dumpxml271 
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
    ==30124==The signal is caused by a READ memory access.
    ==30124==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
        #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
        #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
        #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
        #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
        #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
    ==30124==ABORTING

CVE-2023-36243: Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271 · Issue #19 · noirotm/flvmeta

libming listswf 0.4.7 was discovered to contain a buffer overflow in the parseSWF_DEFINEFONTINFO() function at parser.c.

**Allocation size overflow in parseSWF\_DEFINEFONTINFO() at parser.c:1948**

Allocation size overflow in the listswf at function parseSWF\_DEFINEFONTINFO in parser.c:1948.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.7

**Steps to reproduce**

1.  download file

    git clone https://github.com/libming/libming.git libming-ming-0_4_7
    

2.  compile libming with ASAN

    cd libming-ming-0_4_7
    git checkout 5aa3470
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc listswf
    clang -fsanitize=address -lz -lm listswf.bc -o listswf_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-7\_listswf\_allocation-size-overflow\_parser1948.zip

**ASAN report**

    root@a71b82b5d288:~/dataset/libming-ming-0_4_7/obj-bc/bin# ./listswf_asan libming_0-4-7_listswf_allocation-size-overflow_parser1948.swf 
    header indicates a filesize of 6350 but filesize is 296
    File version: 10
    File size: 296
    Frame size: (0,0)x(0,0)
    Frame rate: 237.609375 / sec.
    Total frames: 31640
    =================================================================
    ==29667==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffed6 (0x6d8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ade60 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x50fefd in parseSWF_DEFINEFONTINFO /root/dataset/libming-ming-0_4_7/util/parser.c:1948:34
        #2 0x4fefda in blockParse /root/dataset/libming-ming-0_4_7/util/blocktypes.c:145:14
        #3 0x4fceb2 in readMovie /root/dataset/libming-ming-0_4_7/util/main.c:265:11
        #4 0x4fca7d in main /root/dataset/libming-ming-0_4_7/util/main.c:350:2
        #5 0x7fa41cb57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==29667==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==29667==ABORTING

CVE-2023-36239: Allocation size overflow in parseSWF_DEFINEFONTINFO() at parser.c:1948 · Issue #273 · libming/libming

An issue in the GDKfree component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes in GDKfree after executing SQL statements through mclient.

**To Reproduce**

1.  Use mclient to connect MonetDB server;
2.  Try to execute the following SQL statements **multiple times**. Sometimes they will crash the server. (On my machine, the server crashes after repeating executing these SQLs with at most 4 times)

DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f280338000b (gsignal+0xcb)
    #1 0x7f280335f859 (abort+0x12b)
    #2 0x7f28033ca26e (__fsetlocking+0x42e)
    #3 0x7f28033d22fc (pthread_attr_setschedparam+0x54c)
    #4 0x7f28033d3f6d (pthread_attr_setschedparam+0x21bd)
    #5 0x7f280414f765 (GDKfree+0x25)
    #6 0x7f280377af7b (destroy_delta+0x7b)
    #7 0x7f280377576d (destroy_col+0x2d)
    #8 0x7f2803745345 (column_destroy+0x45)
    #9 0x7f2803761ec2 (list_destroy2+0xa2)
    #10 0x7f2803760d14 (ol_destroy+0x34)
    #11 0x7f2803745450 (table_destroy+0x90)
    #12 0x7f280375ec17 (objectversion_destroy+0x77)
    #13 0x7f280375eb4f (os_destroy+0xcf)
    #14 0x7f2803750cdc (schema_destroy+0x7c)
    #15 0x7f280375ec17 (objectversion_destroy+0x77)
    #16 0x7f280376065d (objectversion_destroy_recursive+0x3d)
    #17 0x7f2803760345 (tc_gc_objectversion+0x75)
    #18 0x7f280374a307 (store_pending_changes+0x307)
    #19 0x7f280374ea87 (sql_trans_commit+0x567)
    #20 0x7f2803759353 (sql_trans_end+0x83)
    #21 0x7f280379c10c (mvc_commit+0x4fc)
    #22 0x7f280369d564 (SQLengine_+0x284)
    #23 0x7f280369c343 (SQLengine+0x23)
    #24 0x7f2803a2b6cf (runScenario+0x4f)
    #25 0x7f2803a2c16c (MSscheduleClient+0x68c)
    #26 0x7f2803ad3c2b (doChallenge+0xfb)
    #27 0x7f2804152ba0 (THRstarter+0x100)
    #28 0x7f28041c2cc4 (thread_starter+0x34)
    #29 0x7f2803537609 (start_thread+0xd9)
    #30 0x7f280345c133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

If the crash cannot be reproduced easily, please tell me. I will try to provide the whole steps to trigger the crash as possible.

Could **not** reproduce the crash with MonetDB 5 server v11.45.17 (Sep2022-SP3).  
We will add a test case to see if any memory leaks are detected.

I write a bash script to reproduce. It use the docker image of MonetDB v11.45.17 (Sep2022-SP3). Maybe it can help to reproduce the crash.

#!/bin/bash

######################################################
#\# Build the image of MonetDB and start a container.  
######################################################
docker pull monetdb/monetdb:Sep2022-SP3
docker run -e MDB\_DB\_ADMIN\_PASS=monetdb -d -p 50000:50000 --name monetdb monetdb/monetdb:Sep2022-SP3
docker container restart monetdb

echo -e "user=monetdb\\npassword=monetdb" | docker exec -i monetdb tee /root/.monetdb

echo "Waiting the monetdb server to start..."
while ! docker exec monetdb mclient monetdb \> /dev/null 2> /dev/null
do
    echo -n "."
done

docker exec monetdb dnf install procps-ng -y

#################################################
#\# Get current PID of the mserver5 process. 
#\# as the mserver5 will be restart automatically 
#\# after crashing in the docker container,
#\# we check a crash by comparing the PIDs.
#################################################
echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
docker exec monetdb pidof mserver5
echo -ne "\\033\[0m"
oldPid=$(docker exec monetdb pidof mserver5)

#\# Loop the SQL test cases.
for (( i\=0; i<200; ++i ))
do

echo -n "."

echo "DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
" | docker exec -i monetdb mclient monetdb 2>&1 | grep --color=always "unexpected end of file\\|Challenge string is not valid, it is empty" && break

done

#############################################
#\# Check whether some errors occurred.
#############################################
if ! docker exec monetdb mclient monetdb
then
    echo "The server or client seems unavailable".
else
    echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
    docker exec monetdb pidof mserver5
    echo -ne "\\033\[0m"
    nowPid=$(docker exec monetdb pidof mserver5)
    
    if (( nowPid != oldPid ))
    then
        echo "Different PIDs. Maybe a crash occurred?"
    else
        echo "Everything seems ok... Maybe not a bug."
    fi
fi

CVE-2023-36371: MonetDB server 11.46.0 crashes in `GDKfree` · Issue #7385 · MonetDB/MonetDB

An issue in the list_append component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at list_append after executing SQL statements through mclient.

**To Reproduce**

create table t1(c1 int auto\_increment primary key NOT NULL);
create trigger i1 after insert on t1 for each row insert into t1 values(NULL);
insert into t1 values(NULL);

**Expected behavior**  
This crash is strange. From the backtrace as follows, we can know that the crash is caused by infinite recursion.

However, if we change the first statement into create table t1(c1 int);, the MonetDB will return the message Query too complex: running out of stack space when executing the third stmt. So, MonetDB handles out of stack space, but it does not work with some special table definitions?

What's more, the definition of the table contains the NOT NULL constraint, which should fail the third stmt. If we remove the create trigger statement, MonetDB will return the message INSERT INTO: NOT NULL constraint violated for column t1.c1 when executing the insert stmt. But with the create trigger stmt, it crashes instead.

Anyway, I think the expected behavior is to return the error message Query too complex: running out of stack space or INSERT INTO: NOT NULL constraint violated for column t1.c1, instead of crashing straightly.

**Backtrace**

    #0 0x7f0c3760dbda (list_append+0x1a)
    #1 0x7f0c376669c6 (rel_insert+0x196)
    #2 0x7f0c3766abb3 (rel_updates+0x1ce3)
    #3 0x7f0c376c6c11 (sequential_block+0x121)
    #4 0x7f0c376c52dc (rel_psm+0x131c)
    #5 0x7f0c37653091 (rel_semantic+0x91)
    #6 0x7f0c37652e6a (rel_parse+0x19a)
    #7 0x7f0c37563102 (sql_insert_triggers+0x232)
    #8 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #9 0x7f0c37554539 (subrel_bin+0xd69)
    #10 0x7f0c3755f218 (exp_bin+0x29e8)
    #11 0x7f0c37558567 (subrel_bin+0x4d97)
    #12 0x7f0c37563162 (sql_insert_triggers+0x292)
    #13 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #14 0x7f0c37554539 (subrel_bin+0xd69)
    #15 0x7f0c3755f218 (exp_bin+0x29e8)
    #16 0x7f0c37558567 (subrel_bin+0x4d97)
    #17 0x7f0c37563162 (sql_insert_triggers+0x292)
    ...
    #7407 0x7f0c37563162 (sql_insert_triggers+0x292)
    #7408 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #7409 0x7f0c37554539 (subrel_bin+0xd69)
    #7410 0x7f0c3755373b (output_rel_bin+0x6b)
    #7411 0x7f0c3757f9d9 (backend_dumpstmt+0x199)
    #7412 0x7f0c3754a367 (SQLparser+0x5d7)
    #7413 0x7f0c3754987b (SQLengine_+0x59b)
    #7414 0x7f0c37548343 (SQLengine+0x23)
    #7415 0x7f0c378d76cf (runScenario+0x4f)
    #7416 0x7f0c378d816c (MSscheduleClient+0x68c)
    #7417 0x7f0c3797fc2b (doChallenge+0xfb)
    #7418 0x7f0c37ffeba0 (THRstarter+0x100)
    #7419 0x7f0c3806ecc4 (thread_starter+0x34)
    #7420 0x7f0c373e3609 (start_thread+0xd9)
    #7421 0x7f0c37308133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36369: MonetDB server 11.46.0 crashes at `list_append` · Issue #7383 · MonetDB/MonetDB

An issue in the cs_bind_ubat component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server crashes at cs_bind_ubat after executing SQL statements through ODBC.

**To Reproduce**

CREATE TABLE t2 (c1 int, t1 int, c2 int);
INSERT INTO t2 VALUES(127,255,1),(127,1,2),(\-128,0,3),(\-128,2,4),(\-1,NULL,5);
INSERT INTO t2 VALUES(200,126,1),(250,\-127,2);
INSERT INTO t2 VALUES (\-128,0,1),(\-1,1,1),(\-2,2,2),(\-3,3,3),(\-4,4,4),(\-5,5,5),(\-6,6,6),(0,0,7),(1,1,8),(2,NULL,9),(3,NULL,10),(127,255,11);
DELETE FROM t2 WHERE c1 IN (\-2, 0);
START TRANSACTION;
UPDATE t2 SET c2 \= c2 + 100;
UPDATE t2 SET c2 \= c2 + 100;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f6388374871 (cs_bind_ubat+0x151)
    #1 0x7f6388373483 (bind_ubat+0x43)
    #2 0x7f638836d860 (bind_updates+0xe0)
    #3 0x7f63882854ce (mvc_bind_wrap+0x28e)
    #4 0x7f6388614c63 (runMALsequence+0x763)
    #5 0x7f63886185d4 (DFLOWworker+0x2c4)
    #6 0x7f6388d4fba0 (THRstarter+0x100)
    #7 0x7f6388dbfcc4 (thread_starter+0x34)
    #8 0x7f6388134609 (start_thread+0xd9)
    #9 0x7f6388059133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB ODBC version: 11.46.0
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

\*\*Issue labeling \*\*  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36368: MonetDB server 11.46.0 crashes at cs_bind_ubat · Issue #7379 · MonetDB/MonetDB

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
    poc: Warning, Nonstandard tile width 1, convert file.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
    _TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFAdvanceDirectory: Error fetching directory count.
    Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
    Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
    Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
    Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    =================================================================
    ==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
    READ of size 1 at 0x6330000188ec thread T0
        #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
        #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
        #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
    allocated by thread T0 here:
        #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
        #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
        #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
    Shadow bytes around the buggy address:
      0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1821995==ABORTING

**poc**

poc

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits()  at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.

**VIM Version:**

    $ ./vim --version
    VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 10 2019 22:18:57)
    Included patches: 1-2133
    Compiled by input0@zero
    Huge version without GUI.  Features included (+) or not (-):
    +acl               -farsi             -mouse_sysmouse    -tag_any_white
    +arabic            +file_in_path      +mouse_urxvt       -tcl
    +autocmd           +find_in_path      +mouse_xterm       +termguicolors
    +autochdir         +float             +multi_byte        +terminal
    -autoservername    +folding           +multi_lang        +terminfo
    -balloon_eval      -footer            -mzscheme          +termresponse
    +balloon_eval_term +fork()            +netbeans_intg     +textobjects
    -browse            +gettext           +num64             +textprop
    ++builtin_terms    -hangul_input      +packages          +timers
    +byte_offset       +iconv             +path_extra        +title
    +channel           +insert_expand     -perl              -toolbar
    +cindent           +job               +persistent_undo   +user_commands
    +clientserver      +jumplist          +postscript        +vartabs
    +clipboard         +keymap            +printer           +vertsplit
    +cmdline_compl     +lambda            +profile           +virtualedit
    +cmdline_hist      +langmap           -python            +visual
    +cmdline_info      +libcall           -python3           +visualextra
    +comments          +linebreak         +quickfix          +viminfo
    +conceal           +lispindent        +reltime           +vreplace
    +cryptv            +listcmds          +rightleft         +wildignore
    +cscope            +localmap          -ruby              +wildmenu
    +cursorbind        -lua               +scrollbind        +windows
    +cursorshape       +menu              +signs             +writebackup
    +dialog_con        +mksession         +smartindent       +X11
    +diff              +modify_fname      -sound             +xfontset
    +digraphs          +mouse             +spell             -xim
    -dnd               -mouseshape        +startuptime       -xpm
    -ebcdic            +mouse_dec         +statusline        +xsmp_interact
    +emacs_tags        -mouse_gpm         -sun_workshop      +xterm_clipboard
    +eval              -mouse_jsbterm     +syntax            -xterm_save
    +ex_extra          +mouse_netterm     +tag_binary        
    +extra_search      +mouse_sgr         -tag_old_static    
       system vimrc file: "$VIM/vimrc"
         user vimrc file: "$HOME/.vimrc"
     2nd user vimrc file: "~/.vim/vimrc"
          user exrc file: "$HOME/.exrc"
           defaults file: "$VIMRUNTIME/defaults.vim"
      fall-back for $VIM: "/usr/local/share/vim"
    Compilation: afl-clang-fast -c -I. -Iproto -DHAVE_CONFIG_H     -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
    Linking: afl-clang-fast   -L/usr/local/lib -Wl,--as-needed -o vim    -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl  -ldl           
    

**MData:**

    While fuzzing VIM with enabling different mode an use-after-free was observed. This is 
    likely  a write access violation, which means the attacker may have control over the 
    write address and value.  
    

**GDB BT:**

    (gdb) run -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    Starting program: /home/input0/nvim/vim/src/vim -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    5307	    return buf != NULL && buf->b_p_bt[0] == 't';
    (gdb) bt 
    #0  0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    #1  0x00000000008ed15d in win_enter_ext (wp=<optimized out>, undo_sync=<optimized out>, curwin_invalid=0, 
        trigger_new_autocmds=<optimized out>, trigger_enter_autocmds=<optimized out>, trigger_leave_autocmds=<optimized out>) at window.c:4658
    #2  0x00000000008e8b02 in win_split_ins (size=<optimized out>, flags=<optimized out>, new_wp=<optimized out>, dir=<optimized out>)
        at window.c:1326
    #3  0x00000000008e0f1f in win_split (size=0, flags=0) at window.c:812
    #4  0x0000000000409e23 in do_argfile (eap=0x7fffffffa890, argn=0) at arglist.c:662
    #5  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #6  do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #7  0x00000000007a0b32 in do_source (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>) at scriptfile.c:1214
    #8  0x000000000079f5b9 in cmd_source (fname=0xc4f583 "out/id:000001,sig:11,src:018487,time:45124324+017124,op:splice,rep:8", 
        eap=<optimized out>) at scriptfile.c:805
    #9  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #10 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #11 0x000000000096e6c9 in exe_commands (parmp=<optimized out>) at main.c:3133
    #12 vim_main2 () at main.c:795
    #13 0x000000000096b597 in main (argc=<optimized out>, argv=<optimized out>) at main.c:444
    (gdb) i r
    rax            0xfffffffffffffffc	-4
    rbx            0xc6dae0	13032160
    rcx            0x0	0
    rdx            0xc27900	12744960
    rsi            0x0	0
    rdi            0x7ffff6c3fca0	140737333427360
    rbp            0xc6dae8	0xc6dae8
    rsp            0x7fffffff96c8	0x7fffffff96c8
    r8             0x5f	95
    r9             0x1	1
    r10            0x7fffffff8c60	140737488325728
    r11            0x0	0
    r12            0x1	1
    r13            0x0	0
    r14            0xfffffffffffffffc	-4
    r15            0x1	1
    rip            0x41adeb	0x41adeb <bt_terminal+75>
    eflags         0x10206	[ PF IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) 
    

**ASAN BT:**

    ==14666==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000f108 at pc 0x000000db2301 bp 0x7ffcbdb68e70 sp 0x7ffcbdb68e68
    READ of size 8 at 0x62500000f108 thread T0
        #0 0xdb2300 in win_enter_ext /home/input0/vim/src/window.c:4658:25
        #1 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
        #3 0x516344 in do_argfile /home/input0/vim/src/arglist.c:662:10
        #4 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #5 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #6 0xb60432 in do_source /home/input0/vim/src/scriptfile.c:1214:5
        #7 0xb5e5bf in cmd_source /home/input0/vim/src/scriptfile.c:805:14
        #8 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #9 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #10 0xe9998f in exe_commands /home/input0/vim/src/main.c:3133:2
        #11 0xe9998f in vim_main2 /home/input0/vim/src/main.c:795
        #12 0xe94b2c in main /home/input0/vim/src/main.c:444:12
        #13 0x7f32b72bbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #14 0x41ff49 in _start (/home/input0/vim/src/vim+0x41ff49)
    
    0x62500000f108 is located 8 bytes inside of 8664-byte region [0x62500000f100,0x6250000112d8)
    freed by thread T0 here:
        #0 0x4d53e8 in __interceptor_free.localalias.0 (/home/input0/vim/src/vim+0x4d53e8)
        #1 0x8f411e in vim_free /home/input0/vim/src/misc2.c:1802:2
        #2 0x5270ea in apply_autocmds /home/input0/vim/src/autocmd.c:1607:12
        #3 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #4 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    previously allocated by thread T0 here:
        #0 0x4d55a0 in malloc (/home/input0/vim/src/vim+0x4d55a0)
        #1 0x8ef102 in lalloc /home/input0/vim/src/misc2.c:924:11
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/input0/vim/src/window.c:4658:25 in win_enter_ext
    Shadow bytes around the buggy address:
      0x0c4a7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fff9e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14666==ABORTING
    

**To Reproduce:** vim -u NONE -X -Z -e -s -S $POC -c ':qa!'

CVE-2020-20703: UAF: Access violation near NULL on destination operand · Issue #5041 · vim/vim

Ubuntu Security Notice 6178-1 - It was discovered that in SVG++ library that the demo application incorrectly managed memory resulting in a memory access violation under certain circumstances. An attacker could possibly use this issue to leak memory information or run a denial of service attack. This issue only affected Ubuntu 18.04 LTS. It was discovered that in SVG++ library that the demo application incorrectly handled null pointers under certain circumstances. An attacker could possibly use this issue to cause denial of service, leak memory information or manipulate program execution flow.

==========================================================================  
Ubuntu Security Notice USN-6178-1  
June 19, 2023

Several security issues were fixed in SVG++ library  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Details:

It was discovered that in SVG++ library that the demo application incorrectly  
managed memory resulting in a memory access violation  
under certain circumstances. An attacker could possibly use this issue  
to leak memory information or run a denial of service attack.  
This issue only affected Ubuntu 18.04 LTS. (CVE-2019-6246)

It was discovered that in SVG++ library that the demo application  
incorrectly handled null pointers under certain circumstances.  
An attacker could possibly use this issue to cause  
denial of service, leak memory information or manipulate  
program execution flow. (CVE-2021-44960)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libsvgpp-dev                    1.3.0+dfsg1-3ubuntu2.22.10.1

Ubuntu 22.04 LTS:  
   libsvgpp-dev                    1.3.0+dfsg1-3ubuntu2.22.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libsvgpp-dev                    1.2.3+dfsg1-3ubuntu1+esm1

The problem can be corrected by updating your system to the following package versions:

References:  
   https://ubuntu.com/security/notices/USN-6178-1  
   CVE-2019-6246, CVE-2021-44960

Package Information:  
   https://launchpad.net/ubuntu/+source/svgpp/1.3.0+dfsg1-3ubuntu2.22.10.1  
   https://launchpad.net/ubuntu/+source/svgpp/1.3.0+dfsg1-3ubuntu2.22.04.1

Tag

#c++