tifig v0.2.2 was discovered to contain a memory leak via operator new[](unsigned long) at /asan/asan_new_delete.cpp.

**crash sample**

id0\_memory\_leakF9.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74044==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7fbe4f6c3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s).
    
    

\### crash sample

id27\_memory\_leak\_F7.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74125==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 17301504 byte(s) in 22 object(s) allocated from:
        #0 0x4b4e50 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x501db8 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:107:31
    
    Direct leak of 1145232 byte(s) in 88 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    Direct leak of 5632 byte(s) in 22 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x501d15 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:87:30
    
    Direct leak of 1936 byte(s) in 22 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
        #2 0x5b8b48 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<RgbData>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<RgbData (*)(std::vector<unsigned char, std::allocator<unsigned char> >), std::vector<unsigned char, std::allocator<unsigned char> > > >, RgbData> >::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
        #3 0x5b86b5 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #4 0x5b86b5 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/future:561:27
        #5 0x7f14648c6906 in __pthread_once_slow /build/glibc-CVJwZb/glibc-2.27/nptl/pthread_once.c:116
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7f1460d4cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 9347778 byte(s) in 572 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    SUMMARY: AddressSanitizer: 27802092 byte(s) leaked in 727 allocation(s).

CVE-2022-36152: Issues in this repor about memory leak · Issue #72 · monostream/tifig

tifig v0.2.2 was discovered to contain a segmentation violation via std::vector<unsigned int, std::allocator<unsigned int> >::size() const at /bits/stl_vector.h.

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==74081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000006c2382 bp 0x000000000038 sp 0x7ffe63ff83a0 T0)
    ==74081==The signal is caused by a READ memory access.
    ==74081==Hint: address points to the zero page.
        #0 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h
        #1 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::vector(std::vector<unsigned int, std::allocator<unsigned int> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:19
        #2 0x6c2382 in SingleItemTypeReferenceBox::getToItemIds() const /home/bupt/Desktop/tifig/lib/heif/Srcs/common/itemreferencebox.cpp:84:12
        #3 0x5efc25 in HevcImageFileReader::readItem(MetaBox const&, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:2028:47
        #4 0x5ee016 in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:475:13
        #5 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #6 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #7 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7f3180c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h in std::vector<unsigned int, std::allocator<unsigned int> >::size() const
    ==74081==ABORTING

CVE-2022-36153: SEGV in this repo · Issue #71 · monostream/tifig

tifig v0.2.2 was discovered to contain a resource allocation issue via operator new(unsigned long) at asan_new_delete.cpp.

**carsh sample**

id41\_allocation\_too\_big.zip

**command to reproduce**

../tifig -v -p [crash sample ] /dev/null

**crash detail**

    ==74167==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    [hevc @ 0x61a000000080] PPS id out of range: 0
    [hevc @ 0x61a000000080] Error parsing NAL unit #0.
    Error sending packet to HEVC decoder: Invalid data found when processing input
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x5b3b01 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x5b3b01 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x5b3b01 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x5b3b01 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:673:29
    
    ==74167==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99 in operator new(unsigned long)
    ==74167==ABORTING

CVE-2022-36155: Issue about resources allocate · Issue #73 · monostream/tifig

tifig v0.2.2 was discovered to contain a heap-buffer overflow via __asan_memmove at /asan/asan_interceptors_memintrinsics.cpp.

Hi, by testing this repo, i found something unusual.

**crash sample**

id0\_heap\_buffer\_overflow\_in \_\_asan\_memmove.zip

**command to reproduce**

./tifig -p -v [sample file] /dev/null

**crash detail**

    ==29736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000d4687 at pc 0x0000004b4535 bp 0x7ffc7c0154e0 sp 0x7ffc7c014c90
    READ of size 2891617427 at 0x6110000d4687 thread T0
        #0 0x4b4534 in __asan_memmove /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30
        #1 0x5b3d50 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:368:6
        #2 0x5b3d50 in unsigned char* std::__copy_move_a<false, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:385:14
        #3 0x5b3d50 in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:422:18
        #4 0x5b3d50 in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:454:15
        #5 0x5b3d50 in unsigned char* std::__uninitialized_copy<true>::__uninit_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:101:18
        #6 0x5b3d50 in unsigned char* std::uninitialized_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:131:14
        #7 0x5b3d50 in unsigned char* std::__uninitialized_copy_a<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, unsigned char>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, std::allocator<unsigned char>&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:289:14
        #8 0x5b3d50 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:682:11
        #9 0x67e24d in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1411:4
        #10 0x67e24d in __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1132:4
        #11 0x67e24d in BitStream::read8BitsArray(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned int) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:269:10
        #12 0x5f4b66 in HevcImageFileReader::getHevcItemData(std::vector<unsigned char, std::allocator<unsigned char> > const&, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1584:19
        #13 0x5ee77b in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:508:13
        #14 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #15 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #16 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #17 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #18 0x7fd207d3ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #19 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    0x6110000d4687 is located 0 bytes to the right of 199-byte region [0x6110000d45c0,0x6110000d4687)
    allocated by thread T0 here:
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x678295 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x678295 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:187:33
        #5 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:138:9
        #6 0x678295 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:9
        #7 0x678295 in BitStream::BitStream(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:28:5
        #8 0x6110000d4546  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30 in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c2280012880: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c22800128a0: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
      0x0c22800128b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c22800128c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c22800128d0:[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==29736==ABORTING

CVE-2022-36150: Heap buffer overflow  · Issue #68 · monostream/tifig

tifig v0.2.2 was discovered to contain a heap-use-after-free via temInfoEntry().

    ==53276==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000000ac0 at pc 0x0000006a7b1c bp 0x7fff8406b050 sp 0x7fff8406b048
    READ of size 8 at 0x60c000000ac0 thread T0
        #0 0x6a7b1b in ItemInfoEntry::~ItemInfoEntry() /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5
        #1 0x6a6899 in std::pair<unsigned int, ItemInfoEntry>::~pair() /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_pair.h:208:12
        #2 0x6a6899 in ItemInfoBox::addItemInfoEntry(ItemInfoEntry const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:47:5
        #3 0x6a6899 in ItemInfoBox::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:109:9
        #4 0x6d3eb1 in MetaBox::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/metabox.cpp:242:26
        #5 0x5dbc4e in HevcImageFileReader::readStream() /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1119:21
        #6 0x5cc52f in HevcImageFileReader::initialize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:65:5
        #7 0x4fe834 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:49:12
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7ff5564e3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    0x60c000000ac0 is located 0 bytes inside of 120-byte region [0x60c000000ac0,0x60c000000b38)
    freed by thread T0 here:
        #0 0x4fb410 in operator delete(void*) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:160
        #1 0x6a781a in ItemInfoEntry::~ItemInfoEntry() /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5
    
    previously allocated by thread T0 here:
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x6a6d99 in ItemInfoEntry::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:339:48
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5 in ItemInfoEntry::~ItemInfoEntry()
    Shadow bytes around the buggy address:
      0x0c187fff8100: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c187fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c187fff8120: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c187fff8130: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c187fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
    =>0x0c187fff8150: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
      0x0c187fff8160: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c187fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==53276==ABORTING

CVE-2022-36149: heap-use-after-free in ~ItemInfoEntry() · Issue #70 · monostream/tifig

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via gfxline_getbbox at /lib/gfxtools.c.

CVE-2022-35100: bug found in swftools-pdf2swf · Issue #182 · matthiaskramm/swftools

PNGDec commit 8abf6be was discovered to contain a FPE via SaveBMP at /linux/main.cpp.

hi, i found something unusual in this repo, are they new bugs ?  
To reproduce the crash please use command: ./png_demo @@ /dev/null (replace @@ to the sample's path)

**FPE****crash sample**

id0-FPE-sample1.zip

**crash info**

    AddressSanitizer:DEADLYSIGNAL
    ==22761==ERROR: AddressSanitizer: FPE on unknown address 0x0000004f4665 (pc 0x0000004f4665 bp 0x7fffaf2c27f0 sp 0x7fffaf2c19e0 T0)
        #0 0x4f4665 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:56:21
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7f42d9d84c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/PNGdec/linux/main.cpp:56:21 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    ==22761==ABORTING
    

**heap-buffer-overflow****crash sample No.1**

id1-heap-buffer-overflow-sample1.zip

**crash info of sample No.1**

    ==22802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x00000043b61c bp 0x7ffefb2a1690 sp 0x7ffefb2a0e40
    READ of size 40 at 0x602000000011 thread T0
        #0 0x43b61b in __interceptor_fwrite.part.57 /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x4f491a in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:89:13
        #2 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #3 0x7f0ed9adfc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22802==ABORTING
    

**crash sample No.2**

id2-heap-buffer-overflow-sample2.zip

**crash info of sample No.2**

    ==22853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220000017b0 at pc 0x0000004ad554 bp 0x7ffc9c610730 sp 0x7ffc9c60fee0
    WRITE of size 132 at 0x6220000017b0 thread T0
        #0 0x4ad553 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x4fc310 in DecodePNG(png_image_tag*, void*, int) /home/bupt/Desktop/PNGdec/linux/../src/png.inl:801:33
        #2 0x4fc310 in PNG::decode(void*, int) /home/bupt/Desktop/PNGdec/linux/../src/PNGdec.cpp:194:12
        #3 0x4f5207 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:129:18
        #4 0x7f6fa7b19c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x6220000017b0 is located 0 bytes to the right of 5808-byte region [0x622000000100,0x6220000017b0)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c447fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c447fff82f0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
      0x0c447fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22853==ABORTING
    

**crash sample No.3**

id8-heap-buffer-overflow-sample3.zip

**crash info of sample No.3**

    ==23090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fad078fceb2 at pc 0x0000004f4e69 bp 0x7ffe0c9898b0 sp 0x7ffe0c9898a8
    READ of size 1 at 0x7fad078fceb2 thread T0
        #0 0x4f4e68 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:84:24
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7fad0ae1dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x7fad078fceb2 is located 2 bytes to the right of 2013271728-byte region [0x7fac8f8fb800,0x7fad078fceb0)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/PNGdec/linux/main.cpp:84:24 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    Shadow bytes around the buggy address:
      0x0ff620f17980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f17990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff620f179d0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
      0x0ff620f179e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f179f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==23090==ABORTING
    

**stack-buffer-overflow****crash sample No.1**

id12-stack-buffer-overflow-sample1.zip

**crash info of sample No.1**

    ==26778==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0d703c40 at pc 0x0000004f4e82 bp 0x7ffc0d702f90 sp 0x7ffc0d702f88
    WRITE of size 1 at 0x7ffc0d703c40 thread T0
        #0 0x4f4e81 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:84:48
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7fd91072ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    Address 0x7ffc0d703c40 is located in stack of thread T0 at offset 3232 in frame
        #0 0x4f425f in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:26
    
      This frame has 2 object(s):
        [32, 1056) 'ucTemp' (line 31)
        [1184, 3232) 'ucTemp76' (line 80) <== Memory access at offset 3232 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/bupt/Desktop/PNGdec/linux/main.cpp:84:48 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    Shadow bytes around the buggy address:
      0x100001ad8730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100001ad8780: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x100001ad8790: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x100001ad87a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26778==ABORTING
    
    

**global-buffer-overflow****crash sample**

id13-global-buffer-overflow-sample1.zip

**crash info of the sample**

    ==26922==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000101b510 at pc 0x00000051493d bp 0x7ffe4b62fc20 sp 0x7ffe4b62fc18
    WRITE of size 1 at 0x00000101b510 thread T0
        #0 0x51493c in inflate_fast /home/bupt/Desktop/PNGdec/linux/../src/inffast.c:275:36
        #1 0x5180f8 in inflate /home/bupt/Desktop/PNGdec/linux/../src/inflate.c:1055:17
        #2 0x4f74e0 in DecodePNG(png_image_tag*, void*, int) /home/bupt/Desktop/PNGdec/linux/../src/png.inl:783:31
        #3 0x4f74e0 in PNG::decode(void*, int) /home/bupt/Desktop/PNGdec/linux/../src/PNGdec.cpp:194:12
        #4 0x4f5207 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:129:18
        #5 0x7f5825c48c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x00000101b510 is located 0 bytes to the right of global variable 'png' defined in 'main.cpp:10:5' (0x100f8a0) of size 48240
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/PNGdec/linux/../src/inffast.c:275:36 in inflate_fast
    Shadow bytes around the buggy address:
      0x0000801fb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fb6a0: 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26922==ABORTING
    

**memory allocation problem****crash sample No.1**

id5-memory-allocation-problem-sample1.zip

**crash info of sample No.1**

    ==22984==ERROR: AddressSanitizer: requested allocation size 0xffffffff837c16b0 (0xffffffff837c26b0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    ==22984==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==22984==ABORTING

CVE-2022-35013: BUGS FOUND · Issue #10 · bitbank2/PNGdec

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.Ransom.BlueSkyVulnerability: Arbitrary Code ExecutionDescription: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: BlueSkyType: PE32MD5: 961fa85207cdc4ef86a076bbff07a409Vuln ID: MVID-2022-0632Disclosure: 08/13/2022PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERMExploit/PoC:1) Compile the following C code as "CRYPTSP.dll" 32-bit2) Place the DLL in same directory as the vuln BlueSky ransomware3) Run malware#include "windows.h"//By malvuln - August 2022//Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409//gcc -c CRYPTSP.c -m32//gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.Ransom.BlueSky MVID-2022-0632 Code Execution

Gentoo Linux Security Advisory 202208-21 - A heap-based buffer overflow in libeml might allow attackers to execute arbitrary code. Versions less than 1.4.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libebml: Heap buffer overflow vulnerability  
     Date: August 14, 2022  
     Bugs: #772272  
       ID: 202208-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A heap-based buffer overflow in libeml might allow attackers to execute  
arbitrary code.

Background  
=========  
libebml is a C++ library to parse EBML files.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libebml           < 1.4.2                      >= 1.4.2

Description  
==========  
On 32bit builds of libebml, the length of a string is miscalculated,  
potentially leading to an exploitable heap overflow.

Impact  
=====  
An attacker able to provide arbitrary input to libebml could achieve arbitrary code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
Users of libebml on 32 bit architectures should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libebml-1.4.2"

References  
=========  
[ 1 ] CVE-2021-3405  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3405

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#c++