rtf2html v0.2.0 was discovered to contain a heap overflow in the component /rtf2html/./rtf_tools.h.

**Version**

hjsz@hjsz:~/rtf2html$ ./rtf2html -v  
rtf2html version 0.2.0

**Command**

./rtf2html

**Crash output****Crash1: heap-buffer-overflow**

\=================================================================  
\==3467450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f401 at pc 0x0000004e744e bp 0x7ffc3c277010 sp 0x7ffc3c277008  
READ of size 1 at 0x63000000f401 thread T0  
#0 0x4e744d in void skip\_group<\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > > >(\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > >&) /home/hjsz/rtf2html/./rtf\_tools.h:27:15  
#1 0x4db43c in main /home/hjsz/rtf2html/rtf2html.cpp:158:16  
#2 0x7f7e99536082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#3 0x41da0d in \_start (/home/hjsz/rtf2html/rtf2html+0x41da0d)  
0x63000000f401 is located 0 bytes to the right of 61441-byte region \[0x630000000400,0x63000000f401)  
allocated by thread T0 here:  
#0 0x4c58bd in operator new(unsigned long) (/home/hjsz/rtf2html/rtf2html+0x4c58bd)  
#1 0x7f7e999e635d in std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_mutate(unsigned long, unsigned long, char const\*, unsigned long) (/lib/x86\_64-linux-gnu/libstdc++.so.6+0x14335d)  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/rtf2html/./rtf\_tools.h:27:15 in void skip\_group<\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > > >(\_\_gnu\_cxx::\_\_normal\_iterator<char\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > >&)  
Shadow bytes around the buggy address:  
0x0c607fff9e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c607fff9e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c607fff9e80:\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c607fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==3467450==ABORTING

**Crash2 : SEGV on unknown address**

\=================================================================  
AddressSanitizer:DEADLYSIGNAL  
\==3472093==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004d2be7 bp 0x7ffcfb04e1d0 sp 0x7ffcfb04d080 T0)  
\==3472093==The signal is caused by a READ memory access.  
\==3472093==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.  
#0 0x4d2be7 in formatting\_options::operator=(formatting\_options const&) /home/hjsz/rtf2html/./fmt\_opts.h:96:19  
#1 0x4db0f9 in main /home/hjsz/rtf2html/rtf2html.cpp:572:21  
#2 0x7f2556f85082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#3 0x41da0d in \_start (/home/hjsz/rtf2html/rtf2html+0x41da0d)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/hjsz/rtf2html/./fmt\_opts.h:96:19 in formatting\_options::operator=(formatting\_options const&)  
\==3472093==ABORTING

**POC**

POC.zip

**Report of Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43148: Some crashes occur when fuzzing rtf2html. · Issue #11 · lvu/rtf2html

timg v1.4.4 was discovered to contain a memory leak via the function timg::QueryBackgroundColor() at /timg/src/term-query.cc.

**Version**

timg v1.4.4  
afl-clang  
afl-clang++

**Description**

\=================================================================  
\==15159==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:  
#0 0x485b14 in strdup (/home/hjsz/fuzz\_software/timg/build/src/timg+0x485b14)  
#1 0x51afb7 in timg::QueryBackgroundColor() /home/hjsz/fuzz\_software/timg/src/term-query.cc:177:12  
#2 0x4d8802 in main::$\_1::operator()() const /home/hjsz/fuzz\_software/timg/src/timg.cc:775:43  
#3 0x4d8802 in std::\_Function\_handler<timg::rgba\_t (), main::$\_1>::\_M\_invoke(std::\_Any\_data const&) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/std\_function.h:285:9  
#4 0x4dd3a3 in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/std\_function.h:688:14  
#5 0x4dd3a3 in timg::ThreadPool::Runner() /home/hjsz/fuzz\_software/timg/src/thread-pool.h:76:13  
#6 0x7f5c047dcde3 (/lib/x86\_64-linux-gnu/libstdc++.so.6+0xd6de3)

Direct leak of 8 byte(s) in 1 object(s) allocated from:  
#0 0x4c8edd in operator new(unsigned long) (/home/hjsz/fuzz\_software/timg/build/src/timg+0x4c8edd)  
#1 0x4f2477 in timg::BufferedWriteSequencer::BufferedWriteSequencer(int, bool, int, bool, int const volatile&) /home/hjsz/fuzz\_software/timg/src/buffered-write-sequencer.cc:42:11  
#2 0x4d26e2 in main /home/hjsz/fuzz\_software/timg/src/timg.cc:826:34  
#3 0x7f5c04399082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 2 allocation(s).

**Command**

./timg some.jpg  
./timg -g50x50 some.jpg  
When I want to fuzz the software and make it by afl,crashes occur.

**Poc**

POC.zip

Thanks for your time !

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43151: Detected memory leaks 16 byte(s) leaked in 2 allocation(s) · Issue #92 · hzeller/timg

wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallExpr->GetReturnCallDropKeepCount.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-interp-2.wasm  
poc-interp-2.wasm.zip

**Stack dump**

    /wabt/out/clang/Debug/asan/wasm-interp  --enable-all ./poc-interp-2.wasm
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1655959==ERROR: AddressSanitizer: SEGV on unknown address 0x606000018258 (pc 0x000000509b3e bp 0x7ffc2dca9870 sp 0x7ffc2dca9840 T0)
    ==1655959==The signal is caused by a READ memory access.
        #0 0x509b3e in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40
        #1 0x576a36 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::GetReturnCallDropKeepCount(wabt::interp::FuncType const&, unsigned int, unsigned int*, unsigned int*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:445:58
        #2 0x568b24 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnReturnCallExpr(unsigned int) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1145:3
        #3 0x6ea3cc in wabt::(anonymous namespace)::BinaryReader::ReadInstructions(bool, unsigned long, wabt::Opcode*) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:919:9
        #4 0x6ff84e in wabt::(anonymous namespace)::BinaryReader::ReadFunctionBody(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:667:3
        #5 0x6c2f98 in wabt::(anonymous namespace)::BinaryReader::ReadCodeSection(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2766:7
        #6 0x6b0861 in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2920:26
        #7 0x6ada2f in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2981:3
        #8 0x6aca08 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2998:17
        #9 0x54f132 in wabt::interp::ReadBinaryInterp(std::basic_string_view<char, std::char_traits<char>>, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::ModuleDesc*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1603:10
        #10 0x4f6aed in ReadModule(char const*, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::RefPtr<wabt::interp::Module>*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:207:3
        #11 0x4f100a in ReadAndRunModule(char const*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:234:19
        #12 0x4f0427 in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:329:25
        #13 0x4f14a1 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:335:10
        #14 0x7f6273b8f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x43e39d in _start (/wabt/out/clang/Debug/asan/wasm-interp+0x43e39d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40 in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const
    ==1655959==ABORTING

CVE-2022-43280: Out-of-bound read in OnReturnCallExpr->GetReturnCallDropKeepCount · Issue #1982 · WebAssembly/wabt

wasm-interp v1.0.29 was discovered to contain a heap overflow via the component std::vector<wabt::Type, std::allocator<wabt::Type>>::size() at /bits/stl_vector.h.

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

    /wabt/out/clang/Debug/asan/wasm-interp  --enable-all ./poc-interp-1.wasm
    =================================================================
    ==3163982==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e318 at pc 0x000000509b36 bp 0x7ffeb0802e90 sp 0x7ffeb0802e88
    READ of size 8 at 0x60600000e318 thread T0
        #0 0x509b35 in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40
        #1 0x576a36 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::GetReturnCallDropKeepCount(wabt::interp::FuncType const&, unsigned int, unsigned int*, unsigned int*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:445:58
        #2 0x56955c in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnReturnCallIndirectExpr(unsigned int, unsigned int) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1176:3
        #3 0x6ead11 in wabt::(anonymous namespace)::BinaryReader::ReadInstructions(bool, unsigned long, wabt::Opcode*) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:937:9
        #4 0x6ff84e in wabt::(anonymous namespace)::BinaryReader::ReadFunctionBody(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:667:3
        #5 0x6c2f98 in wabt::(anonymous namespace)::BinaryReader::ReadCodeSection(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2766:7
        #6 0x6b0861 in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2920:26
        #7 0x6ada2f in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2981:3
        #8 0x6aca08 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2998:17
        #9 0x54f132 in wabt::interp::ReadBinaryInterp(std::basic_string_view<char, std::char_traits<char>>, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::ModuleDesc*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1603:10
        #10 0x4f6aed in ReadModule(char const*, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::RefPtr<wabt::interp::Module>*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:207:3
        #11 0x4f100a in ReadAndRunModule(char const*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:234:19
        #12 0x4f0427 in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:329:25
        #13 0x4f14a1 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:335:10
        #14 0x7ff3cc7e6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x43e39d in _start (/wabt/out/clang/Debug/asan/wasm-interp+0x43e39d)
    
    Address 0x60600000e318 is a wild pointer inside of access range of size 0x000000000008.
    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40 in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const
    Shadow bytes around the buggy address:
      0x0c0c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c0c7fff9c60: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3163982==ABORTING

CVE-2022-43281: heap overflow in wasm-interp · Issue #1981 · WebAssembly/wabt

wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallIndirectExpr->GetReturnCallDropKeepCount.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc-interp-3.wasm  
poc-interp-3.wasm.zip

**Stack dump**

    /wabt/out/clang/Debug/asan/wasm-interp  --enable-all ./poc-interp-3.wasm
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1491197==ERROR: AddressSanitizer: SEGV on unknown address 0x60600008bb58 (pc 0x000000509b3e bp 0x7ffe9a810b70 sp 0x7ffe9a810b40 T0)
    ==1491197==The signal is caused by a READ memory access.
        #0 0x509b3e in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40
        #1 0x576a36 in wabt::interp::(anonymous namespace)::BinaryReaderInterp::GetReturnCallDropKeepCount(wabt::interp::FuncType const&, unsigned int, unsigned int*, unsigned int*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:445:58
        #2 0x56955c in wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnReturnCallIndirectExpr(unsigned int, unsigned int) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1176:3
        #3 0x6ead11 in wabt::(anonymous namespace)::BinaryReader::ReadInstructions(bool, unsigned long, wabt::Opcode*) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:937:9
        #4 0x6ff84e in wabt::(anonymous namespace)::BinaryReader::ReadFunctionBody(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:667:3
        #5 0x6c2f98 in wabt::(anonymous namespace)::BinaryReader::ReadCodeSection(unsigned long) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2766:7
        #6 0x6b0861 in wabt::(anonymous namespace)::BinaryReader::ReadSections(wabt::(anonymous namespace)::BinaryReader::ReadSectionsOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2920:26
        #7 0x6ada2f in wabt::(anonymous namespace)::BinaryReader::ReadModule(wabt::(anonymous namespace)::BinaryReader::ReadModuleOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2981:3
        #8 0x6aca08 in wabt::ReadBinary(void const*, unsigned long, wabt::BinaryReaderDelegate*, wabt::ReadBinaryOptions const&) /wabt/out/clang/Debug/asan/../../../../src/binary-reader.cc:2998:17
        #9 0x54f132 in wabt::interp::ReadBinaryInterp(std::basic_string_view<char, std::char_traits<char>>, void const*, unsigned long, wabt::ReadBinaryOptions const&, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::ModuleDesc*) /wabt/out/clang/Debug/asan/../../../../src/interp/binary-reader-interp.cc:1603:10
        #10 0x4f6aed in ReadModule(char const*, std::vector<wabt::Error, std::allocator<wabt::Error>>*, wabt::interp::RefPtr<wabt::interp::Module>*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:207:3
        #11 0x4f100a in ReadAndRunModule(char const*) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:234:19
        #12 0x4f0427 in ProgramMain(int, char**) /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:329:25
        #13 0x4f14a1 in main /wabt/out/clang/Debug/asan/../../../../src/tools/wasm-interp.cc:335:10
        #14 0x7fa32b622082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x43e39d in _start (/wabt/out/clang/Debug/asan/wasm-interp+0x43e39d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:919:40 in std::vector<wabt::Type, std::allocator<wabt::Type>>::size() const
    ==1491197==ABORTING

CVE-2022-43282: Out-of-bound read in OnReturnCallIndirectExpr->GetReturnCallDropKeepCount · Issue #1983 · WebAssembly/wabt

wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write.

**Environment**

    OS      : Linux ubuntu 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    Commit  : 3054d61f703d609995798f872fc86b462617c294
    Version : 1.0.29
    Build   : make clang-debug-asan
    

**Proof of concept**

poc\_wasm2c-1.wasm  
poc\_wasm2c-1.wasm.zip

**Stack dump**

    gdb /wabt/out/clang/Debug/asan/wasm2c
    pwndbg> r  --enable-multi-memory ./poc_wasm2c-1.wasm
    context:
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff7a357c0 ◂— 0x7ffff7a357c0
    *RCX  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6990 ◂— 0x0
     R8   0x0
    *R9   0x7fffffff6990 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x43e420 (_start) ◂— endbr64
    *R13  0x7fffffffe070 ◂— 0x3
     R14  0x0
     R15  0x0
    *RBP  0x7fffffff88f0 —▸ 0x7fffffff8930 —▸ 0x7fffffffa650 —▸ 0x7fffffffa690 —▸ 0x7fffffffc3c0 ◂— ...
    *RSP  0x7fffffff6990 ◂— 0x0
    *RIP  0x7ffff7a7b00b (raise+203) —▸ 0x10824848b48 ◂— 0x0
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7ffff7a7b00b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7a7b013 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff7a7b01c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff7a7b044 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff7a7b049                nop    dword ptr [rax]
       0x7ffff7a7b050 <killpg>       endbr64
       0x7ffff7a7b054 <killpg+4>     test   edi, edi
       0x7ffff7a7b056 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff7a7b058 <killpg+8>     neg    edi
       0x7ffff7a7b05a <killpg+10>    jmp    kill                <kill>
    
       0x7ffff7a7b05f <killpg+15>    nop
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6990 ◂— 0x0
    01:0008│            0x7fffffff6998 ◂— '(ut)(x))unimplemented: %'
    02:0010│            0x7fffffff69a0 ◂— 'unimplemented: %'
    03:0018│            0x7fffffff69a8 ◂— 'ented: %'
    04:0020│            0x7fffffff69b0 ◂— 0x0
    ... ↓               3 skipped
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0   0x7ffff7a7b00b raise+203
       f 1   0x7ffff7a5a859 abort+299
       f 2         0x52769e
       f 3         0x5315c3
       f 4         0x52760d
       f 5         0x5315c3
       f 6         0x52760d
       f 7         0x51dd51
    ────────────────────────────────────────────────────────────────────────────────
    
    backtrace_msg:
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7a5a859 in __GI_abort () at abort.c:79
    #2  0x000000000052769e in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1969
    #3  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #4  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #5  0x00000000005315c3 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::intrusive_list<wabt::Expr> const&> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:205
    #6  0x000000000052760d in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, exprs=...) at ../../../../src/c-writer.cc:1945
    #7  0x000000000051dd51 in wabt::(anonymous namespace)::CWriter::Write<wabt::intrusive_list<wabt::Expr> const&, wabt::(anonymous namespace)::LabelDecl> (this=0x7fffffffce30, t=..., u=...) at ../../../../src/c-writer.cc:204
    #8  0x000000000051bd15 in wabt::(anonymous namespace)::CWriter::Write (this=0x7fffffffce30, func=...) at ../../../../src/c-writer.cc:1423
    #9  0x000000000051b647 in wabt::(anonymous namespace)::CWriter::Write<wabt::(anonymous namespace)::Newline, wabt::Func const&, wabt::(anonymous namespace)::Newline> (this=0x7fffffffce30, t=..., u=..., args=...) at ../../../../src/c-writer.cc:205
    #10 0x000000000051182d in wabt::(anonymous namespace)::CWriter::WriteFuncs (this=0x7fffffffce30) at ../../../../src/c-writer.cc:1393
    #11 0x0000000000500bf4 in wabt::(anonymous namespace)::CWriter::WriteCSource (this=0x7fffffffce30) at ../../../../src/c-writer.cc:2794
    #12 0x00000000004ffcd7 in wabt::(anonymous namespace)::CWriter::WriteModule (this=0x7fffffffce30, module=...) at ../../../../src/c-writer.cc:2807
    #13 0x00000000004ff48d in wabt::WriteC (c_stream=0x7fffffffdaa0, h_stream=0x7fffffffdaa0, header_name=0x7ccce0 <str> "wasm.h", module=0x7fffffffd2b0, options=...) at ../../../../src/c-writer.cc:2819
    #14 0x00000000004f11b4 in ProgramMain (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:179
    #15 0x00000000004f37f2 in main (argc=3, argv=0x7fffffffe078) at ../../../../src/tools/wasm2c.cc:190
    #16 0x00007ffff7a5c083 in __libc_start_main (main=0x4f37d0 <main(int, char**)>, argc=3, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
    #17 0x000000000043e44e in _start ()

CVE-2022-43283: Aborted in CWriter::Write at wasm2c  · Issue #1985 · WebAssembly/wabt

Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file

Skip to content

Open Issue created Sep 26, 2022 by **Qiuhao Li@QiuhaoLi**

**Stack Overflow Write - OPUS dissector - dissect\_opus() frames**

**Summary**

In dissect\_opus() at wireshark-3.6.8/epan/dissectors/packet-opus.c:254, frame\_count is truncated below 0x3F (63) and checked if framesize \* frame\_count > 120 \* MAX\_FRAMES\_COUNT. But when stack variable frames\[MAX\_FRAMES\_COUNT\] is indexed with frame\_count later, **we didn't make sure frame\_count won't excess MAX\_FRAMES\_COUNT, leading to stack-over-flow write when the begin/size values are put into frames later.**

This flaw affects the current released stable wireshark/tshark/... on Linux/Windows/Mac/..., previous versions may also be affected. This issue hasn't been reported elsewhere.

**Steps to reproduce**

Open the attachment rtp\_opus\_stackoverflow\_poc.pcap with wireshark or tshark. For wireshark GUI it will crash. For tshark it will complain "\*\*\* stack smashing detected \*\*\*: terminated Aborted (core dumped)":

I reproduced this flaw on the current stable version (wireshark-3.6.8) and the latest release version (wireshark-4.0.0rc2). You can view the ASAN report below for more details.

**What is the current bug behavior?**

CWE-121: Stack-based Buffer Overflow (4.8).

**What is the expected correct behavior?**

Make sure frame\_count is not bigger than MAX\_FRAMES\_COUNT.

**Relevant logs and/or screenshots**

ASAN Report:

    qiuhao@VBox:~/wireshark_src/wireshark-3.6.8$ ./run/tshark -r ./rtp_opus_stackoverflow_poc.pcap 
    
        1   0.000000 10.100.147.143 → 10.100.148.44 SIP/SDP 2799 Request: INVITE sip:10.100.148.44 | 
    
    =================================================================
    
    ==83225==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7ffcd4e2 at pc 0x7fe14f611705 bp 0x7ffc7ffcd330 sp 0x7ffc7ffcd320
    
    WRITE of size 2 at 0x7ffc7ffcd4e2 thread T0
    
        #0 0x7fe14f611704 in parse_size_field /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-opus.c:117
    
        #1 0x7fe14f612764 in dissect_opus /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-opus.c:290
    
        #2 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #3 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #4 0x7fe14e3e8c05 in dissector_try_string_new /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:1751
    
        #5 0x7fe14e3e8c9a in dissector_try_string /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:1776
    
        #6 0x7fe14f875146 in process_rtp_payload /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-rtp.c:1354
    
        #7 0x7fe14f875671 in dissect_rtp_data /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-rtp.c:1498
    
        #8 0x7fe14f879c92 in dissect_rtp /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-rtp.c:2307
    
        #9 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #10 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #11 0x7fe14e3ee90e in call_dissector_only /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3270
    
        #12 0x7fe14e3b2b70 in try_conversation_call_dissector_helper /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/conversation.c:1362
    
        #13 0x7fe14e3b2d60 in try_conversation_dissector /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/conversation.c:1392
    
        #14 0x7fe14fc6d8c6 in decode_udp_ports /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-udp.c:655
    
        #15 0x7fe14fc722cf in dissect /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-udp.c:1267
    
        #16 0x7fe14fc7239f in dissect_udp /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-udp.c:1273
    
        #17 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #18 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #19 0x7fe14e3e80a1 in dissector_try_uint_new /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:1450
    
        #20 0x7fe14f07e700 in ip_try_dissect /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-ip.c:1817
    
        #21 0x7fe14f081668 in dissect_ip_v4 /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-ip.c:2306
    
        #22 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #23 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #24 0x7fe14e3e80a1 in dissector_try_uint_new /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:1450
    
        #25 0x7fe14e3e813c in dissector_try_uint /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:1474
    
        #26 0x7fe14ece5264 in dissect_ethertype /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-ethertype.c:296
    
        #27 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #28 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #29 0x7fe14e3ee90e in call_dissector_only /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3270
    
        #30 0x7fe14e3ee955 in call_dissector_with_data /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3283
    
        #31 0x7fe14f9cbc9f in dissect_payload /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-sll.c:414
    
        #32 0x7fe14f9cc142 in dissect_sll_common /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-sll.c:518
    
        #33 0x7fe14f9cc2c0 in dissect_sll_v1 /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-sll.c:547
    
        #34 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #35 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #36 0x7fe14e3ee90e in call_dissector_only /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3270
    
        #37 0x7fe14ed6003d in dissect_frame /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-frame.c:935
    
        #38 0x7fe14e3e557d in call_dissector_through_handle /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:757
    
        #39 0x7fe14e3e5b2f in call_dissector_work /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:850
    
        #40 0x7fe14e3ee90e in call_dissector_only /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3270
    
        #41 0x7fe14e3ee955 in call_dissector_with_data /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:3283
    
        #42 0x7fe14e3e3dfe in dissect_record /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/packet.c:624
    
        #43 0x7fe14e3c2448 in epan_dissect_run_with_taps /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/epan.c:629
    
        #44 0x5650067314cc in process_packet_single_pass /home/qiuhao/wireshark_src/wireshark-3.6.8/tshark.c:3863
    
        #45 0x56500672f645 in process_cap_file_single_pass /home/qiuhao/wireshark_src/wireshark-3.6.8/tshark.c:3510
    
        #46 0x565006730633 in process_cap_file /home/qiuhao/wireshark_src/wireshark-3.6.8/tshark.c:3674
    
        #47 0x56500672a574 in main /home/qiuhao/wireshark_src/wireshark-3.6.8/tshark.c:2103
    
        #48 0x7fe145f5fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
        #49 0x7fe145f5fe3f in __libc_start_main_impl ../csu/libc-start.c:392
    
        #50 0x565006723c94 in _start (/home/qiuhao/wireshark_src/wireshark-3.6.8/run/tshark+0x33c94)
    
    
    
    Address 0x7ffc7ffcd4e2 is located in stack of thread T0 at offset 258 in frame
    
        #0 0x7fe14f611a1d in dissect_opus /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-opus.c:153
    
    
    
      This frame has 4 object(s):
    
        [32, 33) 'toc' (line 161)
    
        [48, 50) 'framesize' (line 164)
    
        [64, 256) 'frames' (line 168) <== Memory access at offset 258 overflows this variable
    
        [320, 322) 'octet' (line 161)
    
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
    
          (longjmp and C++ exceptions *are* supported)
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/qiuhao/wireshark_src/wireshark-3.6.8/epan/dissectors/packet-opus.c:117 in parse_size_field
    
    Shadow bytes around the buggy address:
    
      0x10000fff1a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1a70: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    
      0x10000fff1a80: 01 f2 02 f2 00 00 00 00 00 00 00 00 00 00 00 00
    
    =>0x10000fff1a90: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
    
      0x10000fff1aa0: f2 f2 f2 f2 02 f3 f3 f3 00 00 00 00 00 00 00 00
    
      0x10000fff1ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
      0x10000fff1ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    
    Shadow byte legend (one shadow byte represents 8 application bytes):
    
      Addressable:           00
    
      Partially addressable: 01 02 03 04 05 06 07 
    
      Heap left redzone:       fa
    
      Freed heap region:       fd
    
      Stack left redzone:      f1
    
      Stack mid redzone:       f2
    
      Stack right redzone:     f3
    
      Stack after return:      f5
    
      Stack use after scope:   f8
    
      Global redzone:          f9
    
      Global init order:       f6
    
      Poisoned by user:        f7
    
      Container overflow:      fc
    
      Array cookie:            ac
    
      Intra object redzone:    bb
    
      ASan internal:           fe
    
      Left alloca redzone:     ca
    
      Right alloca redzone:    cb
    
      Shadow gap:              cc
    
    ==83225==ABORTING
    

**Build information**

    TShark (Wireshark) 3.6.8 (Git commit d25900c51508)
    
    
    
    Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
    
    License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
    
    This is free software; see the source for copying conditions. There is NO
    
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    
    
    Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
    
    (Linux), with libnl 3, with GLib 2.72.1, with zlib 1.2.11, with Lua 5.2.4, with
    
    GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
    
    MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
    
    with Snappy, with libxml2 2.9.13, with libsmi 0.4.8.
    
    
    
    Running on Linux 5.15.0-47-generic, with 11th Gen Intel(R) Core(TM) i7-11850H @
    
    2.50GHz (with SSE4.2), with 7949 MB of physical memory, with GLib 2.72.1, with
    
    zlib 1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with
    
    GnuTLS 3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with
    
    LZ4 1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8,
    
    binary plugins supported (0 loaded).

Omit 4.0.0 and Windows/Linux/Mac GUI Version...

CVE-2022-3725: Stack Overflow Write - OPUS dissector - dissect_opus() frames (#18378) · Issues · Wireshark Foundation / wireshark · GitLab

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.

CVE-2022-3095: sdk/CHANGELOG.md at master · dart-lang/sdk

A vulnerability classified as critical has been found in Axiomatic Bento4. Affected is the function AP4_BitStream::WriteBytes of the file Ap4BitStream.cpp of the component avcinfo. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212004.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

burymyname opened this issue

Oct 10, 2022

· 0 comments

**Comments**

Hello, developers of Bento4!  
I also found some **heap buffer overflow** bugs in avcinfo by using our fuzzing tools with ASAN.  
Here is details:

**Bug1**

    =================================================================
    ==48171==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x7f1ff86b4733 bp 0x7fff66ab01b0 sp 0x7fff66aaf958
    READ of size 8 at 0x602000000038 thread T0
        #0 0x7f1ff86b4732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
        #1 0x5638f29e7432 in AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) Bento4/Source/C++/Codecs/Ap4BitStream.cpp:133
        #2 0x5638f29c0c69 in PrintSliceInfo Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:84
        #3 0x5638f29c0c69 in main Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:172
        #4 0x7f1ff7ccac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x5638f29c1679 in _start (Bento4/avcinfo+0x5679)
    
    0x602000000038 is located 0 bytes to the right of 8-byte region [0x602000000030,0x602000000038)
    allocated by thread T0 here:
        #0 0x7f1ff871b608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
        #1 0x5638f29ed326 in AP4_DataBuffer::ReallocateBuffer(unsigned int) Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210
        #2 0x5638f29ed326 in AP4_DataBuffer::SetDataSize(unsigned int) Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa fd fa fa fa 00[fa]fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==48171==ABORTING
    

**Poc**

avcinfo\_poc1.zip

**Bug2**

    =================================================================
    ==48988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x561df275ee6e bp 0x7ffca5855570 sp 0x7ffca5855560
    READ of size 1 at 0x602000000011 thread T0
        #0 0x561df275ee6d in main Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:166
        #1 0x7f9a9fbd8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #2 0x561df275f679 in _start (Bento4/avcinfo+0x5679)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x7f9aa0629608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
        #1 0x561df278b326 in AP4_DataBuffer::ReallocateBuffer(unsigned int) Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210
        #2 0x561df278b326 in AP4_DataBuffer::SetDataSize(unsigned int) Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:166 in main
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==48988==ABORTING
    

**PoC**

avcinfo\_poc2.zip

**Verification Steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j
    ./avcinfo poc
    

**Environment**

*   Ubuntu 18.04
*   clang 10.01
*   Bento4 master branch 4df7274e commit and version 1.6.0-639

Thanks for your time!

1 participant

CVE-2022-3664: Some heap buffer overflow bugs exist in avcinfo · Issue #794 · axiomatic-systems/Bento4

A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_LinearReader::Advance of the file Ap4LinearReader.cpp of the component mp42ts. The manipulation leads to use after free. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212006 is the identifier assigned to this vulnerability.

Hello, developers of Bento4. I found a heap use after free bug in AP4\_LinearReader::Advance(bool) with ASAN.  
The following is the details.

**Details**

    =================================================================
    ==32056==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001f98 at pc 0x56093865ee11 bp 0x7ffea5a93280 sp 0x7ffea5a93270
    READ of size 8 at 0x604000001f98 thread T0
        #0 0x56093865ee10 in AP4_LinearReader::Advance(bool) Bento4/Source/C++/Core/Ap4LinearReader.cpp:434
        #1 0x560938666716 in AP4_LinearReader::ReadNextSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) Bento4/Source/C++/Core/Ap4LinearReader.cpp:530
        #2 0x5609386402ea in ReadSample Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:181
        #3 0x56093863a518 in WriteSamples Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:306
        #4 0x56093863a518 in main Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:638
        #5 0x7f8ea7badc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x56093863f9d9 in _start (Bento4/mp42ts+0x3a9d9)
    
    0x604000001f98 is located 8 bytes inside of 48-byte region [0x604000001f90,0x604000001fc0)
    freed by thread T0 here:
        #0 0x7f8ea899d9c8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19c8)
        #1 0x56093865e49f in AP4_LinearReader::SampleBuffer::~SampleBuffer() Bento4/Source/C++/Core/Ap4LinearReader.h:104
        #2 0x56093865e49f in AP4_LinearReader::Advance(bool) Bento4/Source/C++/Core/Ap4LinearReader.cpp:462
    
    previously allocated by thread T0 here:
        #0 0x7f8ea899c448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
        #1 0x56093865ddb9 in AP4_LinearReader::Advance(bool) Bento4/Source/C++/Core/Ap4LinearReader.cpp:422
    
    SUMMARY: AddressSanitizer: heap-use-after-free Bento4/Source/C++/Core/Ap4LinearReader.cpp:434 in AP4_LinearReader::Advance(bool)
    Shadow bytes around the buggy address:
      0x0c087fff83a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c087fff83b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c087fff83c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c087fff83d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c087fff83e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
    =>0x0c087fff83f0: fa fa fd[fd]fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c087fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==32056==ABORTING
    

**PoC**

mp42ts\_poc.zip

**Verification Steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j
    ./mp42ts poc /dev/null
    

**Enviroment**

*   Ubuntu 18.04
*   clang 10.01
*   Bento4 master branch 4df7274e commit and version 1.6.0-639

Tag

#c++