The GetHintFormat function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

It's a heap-buffer-overflow bug

Step to reproduce:  
1.get latest commit code (GPAC version 1.1.0-DEV-rev1170-g592ba26-master)  
2.compile with --enable-sanitizer  
3.run ./MP4BOX info poc

Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report

    ==2275020==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000638 at pc 0x7f1c17ca68a4 bp 0x7ffd52eab1d0 sp 0x7ffd52eab1c8
    READ of size 4 at 0x604000000638 thread T0
        #0 0x7f1c17ca68a3 in GetHintFormat /home/lly/pro/gpac_public/src/isomedia/hint_track.c:46:22
        #1 0x7f1c17ca68a3 in CheckHintFormat /home/lly/pro/gpac_public/src/isomedia/hint_track.c:58:6
        #2 0x7f1c17ca68a3 in gf_isom_get_payt_count /home/lly/pro/gpac_public/src/isomedia/hint_track.c:979:7
        #3 0x5b52e5 in DumpTrackInfo /home/lly/pro/gpac_public/applications/mp4box/filedump.c:3178:14
        #4 0x5e4af1 in DumpMovieInfo /home/lly/pro/gpac_public/applications/mp4box/filedump.c:3789:3
        #5 0x52ea16 in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:6023:9
        #6 0x7f1c15d710b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x429aad in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429aad)
    
    0x604000000638 is located 0 bytes to the right of 40-byte region [0x604000000610,0x604000000638)
    allocated by thread T0 here:
        #0 0x4a496d in malloc (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a496d)
        #1 0x7f1c17543a17 in nmhd_box_new /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:4651:2
        #2 0x7f1c1775de4f in gf_isom_box_new_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1673:6
        #3 0x7f1c17756209 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:239:12
        #4 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #5 0x7f1c1751e43a in minf_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:3527:6
        #6 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #7 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #8 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #9 0x7f1c17511b3d in mdia_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:3078:6
        #10 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #11 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #12 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #13 0x7f1c17582c10 in trak_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:6734:6
        #14 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #15 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #16 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #17 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #18 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #19 0x7f1c177548b9 in gf_isom_parse_root_box /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:38:8
        #20 0x7f1c177e2347 in gf_isom_parse_movie_boxes_internal /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:320:7
        #21 0x7f1c177e2347 in gf_isom_parse_movie_boxes /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:781:6
        #22 0x7f1c177f84d3 in gf_isom_open_file /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:901:19
        #23 0x53c4b8 in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:5841:12
        #24 0x7f1c15d710b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lly/pro/gpac_public/src/isomedia/hint_track.c:46:22 in GetHintFormat
    Shadow bytes around the buggy address:
      0x0c087fff8070: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 00
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80b0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
    =>0x0c087fff80c0: fa fa 00 00 00 00 00[fa]fa fa 00 00 00 00 00 00
      0x0c087fff80d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
      0x0c087fff80f0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

poc.zip

CVE-2021-40609: heap-buffer-overflow in MP4BOX at souce file src/isomedia/hint_track.c:46 · Issue #1894 · gpac/gpac

The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

It's a pointer free on unknown addrees bug caused by freeing a uninitialized pointer.

Step to reproduce:  
1.get latest commit code (GPAC version 1.1.0-DEV-rev1170-g592ba26-master)  
2.compile with --enable-sanitizer  
3.run ./MP4BOX -hint poc\_isom\_hinter -out /dev/null

Env:  
Ubunut 20.04 , clang 10.0.0

ASAN report

    ==40495==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0eebe5ccf8 (pc 0x7f0eef8765fc bp 0x7f0eebe5ccf8 sp 0x7ffecbe40880 T0)
        #0 0x7f0eef8765fb  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
        #1 0x7f0eef8ed29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
        #2 0x7f0eed579cb9 in gf_hinter_track_finalize media_tools/isom_hinter.c:956
        #3 0x42842d in HintFile /home/lly/gpac_public/applications/mp4box/main.c:3533
        #4 0x42e4e4 in mp4boxMain /home/lly/gpac_public/applications/mp4box/main.c:6329
        #5 0x7f0eead8983f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #6 0x413bc8 in _start (/home/lly/gpac_public/bin/gcc/MP4Box+0x413bc8)
    

Buggy code and reason:  
in isom\_hinter.c:950

    for (i=0; i<gf_isom_get_sample_description_count(tkHint->file, tkHint->TrackNum); i++) {
        u8 *tx3g;   <---with out init
        ...
        gf_isom_text_get_encoded_tx3g(..., &tx3g, &tx3g_len);  <--- supposed to init tx3g
        ...
        gf_free(tx3g); <--- free tx3g
       ...
    		}
    

It is supposed to init tx3g in gf\_isom\_text\_get\_encoded\_tx3g, but in gf\_isom\_text\_get\_encoded\_tx3g, it might forget that mission.

    GF_Err gf_isom_text_get_encoded_tx3g(GF_ISOFile *file, u32 track, u32 sidx, u32 sidx_offset, u8 **tx3g, u32 *tx3g_size)
    {
    	...
            //  it returns without init tx3g once a->type equals another value;
    	if ((a->type != GF_ISOM_BOX_TYPE_TX3G) && (a->type != GF_ISOM_BOX_TYPE_TEXT)) return GF_BAD_PARAM;
    
    	...
    	*tx3g = NULL;  <--- real init here
    	*tx3g_size = 0;
    	gf_bs_get_content(bs, tx3g, tx3g_size);
    	gf_bs_del(bs);
    	return GF_OK;
    }
    

poc\_isom\_hinter.zip

CVE-2021-40608: BUG : free on unknown addrees in MP4BOX at  gf_hinter_track_finalize media_tools/isom_hinter.c:956 · Issue #1883 · gpac/gpac

The schm_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

It's a heap-buffer-overflow bug caused by missing '\\0' check of the end of URI.

**Step to reproduce:**  
1.get latest commit code (MP4Box - GPAC version 1.1.0-DEV-rev1169-gbbd741e-master)  
2.compile with --enable-sanitizer  
3.run ./MP4BOX -hint poc -out /dev/null

**Env:**  
Ubunut 20.04 , clang 10.0.0

**ASAN report**

    ==789683==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000bb7 at pc 0x7f277ca50a6d bp 0x7ffd14f790b0 sp 0x7ffd14f78858
    READ of size 40 at 0x604000000bb7 thread T0
        #0 0x7f277ca50a6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
        #1 0x7f277a6d0ece in schm_box_size isomedia/box_code_drm.c:179
        #2 0x7f277a7569f1 in gf_isom_box_size_listing isomedia/box_funcs.c:1903
        #3 0x7f277a7569f1 in gf_isom_box_size isomedia/box_funcs.c:1915
        #4 0x7f277a805c14 in WriteInterleaved isomedia/isom_store.c:1870
        #5 0x7f277a8086d3 in WriteToFile isomedia/isom_store.c:2527
        #6 0x7f277a7a73d9 in gf_isom_write isomedia/isom_read.c:600
        #7 0x7f277a7a778f in gf_isom_close isomedia/isom_read.c:624
        #8 0x562161c082db in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:6401
        #9 0x7f27799da0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x562161bd2bdd in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4abdd)
    
    0x604000000bb7 is located 0 bytes to the right of 39-byte region [0x604000000b90,0x604000000bb7)
    allocated by thread T0 here:
        #0 0x7f277caf6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f277a6d08b7 in schm_box_read isomedia/box_code_drm.c:148
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    Shadow bytes around the buggy address:
      0x0c087fff8120: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
      0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
      0x0c087fff8140: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 01
      0x0c087fff8150: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 05 fa
      0x0c087fff8160: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 02 fa
    =>0x0c087fff8170: fa fa 00 00 00 00[07]fa fa fa 00 00 00 00 00 00
      0x0c087fff8180: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    

**Buggy code and reason:**

    GF_Err schm_box_size(GF_Box *s)
    {
    	GF_SchemeTypeBox *ptr = (GF_SchemeTypeBox *) s;
    	if (!s) return GF_BAD_PARAM;
    	ptr->size += 8;
    	if (ptr->flags & 0x000001) ptr->size += 1 + (ptr->URI ? strlen(ptr->URI) : 0);   <---strlen overflow once URI does not end with '\0'
    	return GF_OK;
    }
    

poc.zip

CVE-2021-40607: BUG: heap-buffer-overflow  in MP4Box at src/isomedia/schm_box_size:179 · Issue #1879 · gpac/gpac

The gf_bs_write_data function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

It's a memcpy from unknown addrees bug.

Step to reproduce:  
1.get latest commit code (GPAC version 1.1.0-DEV-rev1170-g592ba2689-master)  
2.compile with --enable-sanitizer  
3.run ./MP4BOX -hint poc\_isom\_hinter -out /dev/null

Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report

    =================================================================
    ==194694==ERROR: AddressSanitizer: unknown-crash on address 0x03e8ef58ac20 at pc 0x0000004a3cd7 bp 0x7ffdef589370 sp 0x7ffdef588b38
    READ of size 24912 at 0x03e8ef58ac20 thread T0
        #0 0x4a3cd6 in __asan_memcpy (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a3cd6)
        #1 0x7f35556d80ef in gf_bs_write_data /home/lly/pro/gpac_public/src/utils/bitstream.c:1028:4
        #2 0x7f3555da5a1a in gf_odf_write_default /home/lly/pro/gpac_public/src/odf/odf_code.c:1320:3
        #3 0x7f3555da92ec in gf_odf_desc_write_bs /home/lly/pro/gpac_public/src/odf/odf_codec.c:325:6
        #4 0x7f3555da92ec in gf_odf_desc_write /home/lly/pro/gpac_public/src/odf/odf_codec.c:343:6
        #5 0x7f3555da9661 in gf_odf_desc_copy /home/lly/pro/gpac_public/src/odf/odf_codec.c:387:6
        #6 0x7f3555cb8760 in gf_isom_set_extraction_slc /home/lly/pro/gpac_public/src/isomedia/isom_write.c:5468:9
        #7 0x7f3555fa467b in gf_hinter_finalize /home/lly/pro/gpac_public/src/media_tools/isom_hinter.c:1245:5
        #8 0x4e8d21 in HintFile /home/lly/pro/gpac_public/applications/mp4box/main.c:3550:2
        #9 0x4f5988 in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:6329:7
        #10 0x7f355476d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x429a6d in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429a6d)
    
    Address 0x03e8ef58ac20 is located in the high shadow area.
    

Buggy code  
in bitstream.c:

    u32 gf_bs_write_data(GF_BitStream *bs, const u8 *data, u32 nbBytes)
    {
    ...
    memcpy(bs->original + bs->position - bs->bytes_out, data, nbBytes);  <---data is not inited
    ...
    }
    

poc.zip

CVE-2021-40606: Bug: Memcpy from unknown addrees in MP4BOX at src/utils/bitstream.c:1028 · Issue #1885 · gpac/gpac

In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action function in Ap4Descriptor.h:124 , as demonstrated by GPAC. This can cause a denial of service (DOS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

AntsKnows opened this issue

Aug 25, 2021

· 0 comments

**Comments**

How to reproduce:

    1.check out latest code, 5922ba762a
    2.compile with asan, 
        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address  -g")
        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address  -g")
    3.run ./mp4dump --verbosity 3 --format text  poc
    

You can see the asan information below:

    
    =================================================================
    ==633802==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000003c3e48 bp 0x7ffcbc9d4550 sp 0x7ffcbc9d4470 T0)
    ==633802==The signal is caused by a READ memory access.
    ==633802==Hint: address points to the zero page.
        #0 0x3c3e48 in AP4_DescriptorListInspector::Action(AP4_Descriptor*) const /home/lly/pro/Bento4/Source/C++/Core/Ap4Descriptor.h:124:21
        #1 0x40bdc2 in AP4_List<AP4_Descriptor>::Apply(AP4_List<AP4_Descriptor>::Item::Operator const&) const /home/lly/pro/Bento4/Source/C++/Core/Ap4List.h:353:12
        #2 0x40bdc2 in AP4_InitialObjectDescriptor::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ObjectDescriptor.cpp:327:22
        #3 0x3e0485 in AP4_IodsAtom::InspectFields(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4IodsAtom.cpp:112:29
        #4 0x37117e in AP4_Atom::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.cpp:263:5
        #5 0x39f0a2 in AP4_AtomListInspector::Action(AP4_Atom*) const /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.h:601:15
        #6 0x39d3b1 in AP4_List<AP4_Atom>::Apply(AP4_List<AP4_Atom>::Item::Operator const&) const /home/lly/pro/Bento4/Source/C++/Core/Ap4List.h:353:12
        #7 0x39d3b1 in AP4_ContainerAtom::InspectChildren(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:220:16
        #8 0x37117e in AP4_Atom::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.cpp:263:5
        #9 0x359b43 in main /home/lly/pro/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:350:15
        #10 0x7f899655d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x2a2b1d in _start (/home/lly/pro/Bento4/cmakebuild/mp4dump+0x2a2b1d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/lly/pro/Bento4/Source/C++/Core/Ap4Descriptor.h:124:21 in AP4_DescriptorListInspector::Action(AP4_Descriptor*) const
    ==633802==ABORTING
    
    

poc.zip

1 participant

CVE-2021-40943: Null pointer reference in Ap4Descriptor.h:124 · Issue #643 · axiomatic-systems/Bento4

In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function filter_parse_dyn_args function in filter_core/filter.c:1454, as demonstrated by GPAC. This can cause a denial of service (DOS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...)

Step to reproduce:

    1.get latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)
    2.compile with --enable-sanitizer
    3.make 5 dirs which every of them has a large name(length=255), this makes the file's abs-path lengh larger than 1024, we called it large.nhml
    4.run MP4Box -add {path to large.nhml} -new new.mp4
    

Env:  
Ubunut 20.04 , clang 12.0.1

My cmd line an ASAN report  
MP4Box -add ~/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/large.nhml -new new.mp4

    ==2343764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000a7a1 at pc 0x7fb8ca3e675d bp 0x7ffd40a5e9d0 sp 0x7ffd40a5e9c8
    WRITE of size 1 at 0x61a00000a7a1 thread T0
        #0 0x7fb8ca3e675c in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13
        #1 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
        #2 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2
        #3 0x7fb8ca3cc58a in gf_filter_new /home/lly/pro/gpac_public/src/filter_core/filter.c:382:7
        #4 0x7fb8ca3c3d27 in gf_fs_load_source_dest_internal /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2845:12
        #5 0x7fb8ca3c47b0 in gf_fs_load_source /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2885:9
        #6 0x7fb8c9f97e29 in gf_media_import /home/lly/pro/gpac_public/src/media_tools/media_import.c:1469:11
        #7 0x50522f in import_file /home/lly/pro/gpac_public/applications/mp4box/fileimport.c:1289:7
        #8 0x4e1a09 in do_add_cat /home/lly/pro/gpac_public/applications/mp4box/main.c:4257:10
        #9 0x4e79ca in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:5746:13
        #10 0x4ea7ca in main /home/lly/pro/gpac_public/applications/mp4box/main.c:6456:1
        #11 0x7fb8c92ba0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #12 0x429a8d in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429a8d)
    
    0x61a00000a7a1 is located 0 bytes to the right of 1313-byte region [0x61a00000a280,0x61a00000a7a1)
    allocated by thread T0 here:
        #0 0x4a4c69 in realloc (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a4c69)
        #1 0x7fb8ca3e529d in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1451:12
        #2 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
        #3 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13 in filter_parse_dyn_args
    Shadow bytes around the buggy address:
      0x0c347fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c347fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c347fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c347fff94d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c347fff94e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c347fff94f0: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
      0x0c347fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c347fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c347fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c347fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c347fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc

CVE-2021-40942: heap-buffer-overflow in MP4Box at filter_core/filter.c:1454 · Issue #1908 · gpac/gpac

In Bento4 1.6.0-638, there is an allocator is out of memory in the function AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC. This can cause a denial of service (DOS).

How to reproduce:

    1.check out latest code, 5922ba762a
    2.compile with asan, 
        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address  -g")
        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address  -g")
    3.run ./mp4dump --verbosity 3 --format text  poc1
    

poc1.zip

You can see the asan information below:

    ==634578==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x8000000f0 bytes
        #0 0x34eabd in operator new(unsigned long) (/home/lly/pro/Bento4/cmakebuild/mp4dump+0x34eabd)
        #1 0x54535c in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /home/lly/pro/Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x54535c in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/lly/pro/Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x54535c in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/lly/pro/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127:15
        #4 0x5445a4 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/lly/pro/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x37cc25 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x3a062f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x39f40a in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x39f40a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x37c5ac in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x3a062f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x39f40a in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x39f40a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x37c5ac in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x38333b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #18 0x359a7e in main /home/lly/pro/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:342:25
        #19 0x7f6cf702a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

CVE-2021-40941: allocator is out of memory  in Ap4Array.h:172 · Issue #644 · axiomatic-systems/Bento4

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

    GNU Image Manipulation Program version 2.10.30
    git-describe: Unknown, shouldn't happen
    Build: org.gimp.GIMP_official rev 0 for windows
    # C compiler #
    	Using built-in specs.
    	COLLECT_GCC=W:\msys64-gtk2\mingw64\bin\gcc.exe
    	COLLECT_LTO_WRAPPER=W:/msys64-gtk2/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/11.2.0/lto-wrapper.exe
    	Target: x86_64-w64-mingw32
    	Configured with: ../gcc-11.2.0/configure --prefix=/mingw64 --with-local-prefix=/mingw64/local --build=x86_64-w64-mingw32 --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --with-native-system-header-dir=/mingw64/x86_64-w64-mingw32/include --libexecdir=/mingw64/lib --enable-bootstrap --enable-checking=release --with-arch=x86-64 --with-tune=generic --enable-languages=c,lto,c++,fortran,ada,objc,obj-c++,jit --enable-shared --enable-static --enable-libatomic --enable-threads=posix --enable-graphite --enable-fully-dynamic-string --enable-libstdcxx-filesystem-ts --enable-libstdcxx-time --disable-libstdcxx-pch --disable-libstdcxx-debug --enable-lto --enable-libgomp --disable-multilib --disable-rpath --disable-win32-registry --disable-nls --disable-werror --disable-symvers --with-libiconv --with-system-zlib --with-gmp=/mingw64 --with-mpfr=/mingw64 --with-mpc=/mingw64 --with-isl=/mingw64 --with-pkgversion='Rev5, Built by MSYS2 project' --with-bugurl=https://github.com/msys2/MINGW-packages/issues --with-gnu-as --with-gnu-ld --with-boot-ldflags='-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high -Wl,--disable-dynamicbase -static-libstdc++ -static-libgcc' 'LDFLAGS_FOR_TARGET=-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high' --enable-linker-plugin-flags='LDFLAGS=-static-libstdc++\ -static-libgcc\ -pipe\ -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high\ -Wl,--stack,12582912'
    	Thread model: posix
    	Supported LTO compression algorithms: zlib zstd
    	gcc version 11.2.0 (Rev5, Built by MSYS2 project) 
    
    # Libraries #
    using babl version 0.1.88 (compiled against version 0.1.88)
    using GEGL version 0.4.34 (compiled against version 0.4.34)
    using GLib version 2.70.2 (compiled against version 2.70.2)
    using GdkPixbuf version 2.42.6 (compiled against version 2.42.6)
    using GTK+ version 2.24.33 (compiled against version 2.24.33)
    using Pango version 1.50.2 (compiled against version 1.50.2)
    using Fontconfig version 2.13.94 (compiled against version 2.13.94)
    using Cairo version 1.17.4 (compiled against version 1.17.4)
    

    -------------------
    
    Error occurred on Friday, June 3, 2022 at 15:37:43.
    
    gimp-2.10.exe caused an Access Violation at location 00007FF692DE9E5C in module gimp-2.10.exe Writing to location 000000000000008C.
    
    AddrPC           Params
    00007FF692DE9E5C 000001C7F701D540 00007FF692DB3D5F 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB55A4 000001C7F5B001D0 0000007EBE1FEE90 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB6B74 0000007EBE1FEF52 00007FF6931F7610 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C83BCF 000001C7EBD2D290 00007FFBB6D653A6 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F340 000001C7EBDC8310 000001C7F663A430 000001C7B1B27370  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F4F9 000001C7EBDC8810 000001C7F4594560 0000000000000001  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D21BE0 000001C7EBEC7240 000001C7EBEF50B0 000001C700000003  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D14FF9 0000000000000003 00007FF692D14AF4 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E43C 0000000000000000 0000000000000020 000001C7F7156780  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E8B7 000001C7EBE70C80 000001C7EBECA230 000001C7F663A430  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692E304A4 0000000000000000 0000000000000000 000001C7F663A430  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692DDA679 000001C7EBD2D290 0000000000000000 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DDA785 000001C7F7021760 000001C7F7043F10 000001C7F65BC168  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C4AE7C 000001C7B3B79860 00007FFBB6B5BB20 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FFBB6B58D47 000001C700000000 0000007EBE1FF688 000001C7B3B26870  libglib-2.0-0.dll!g_clear_list
    00007FFBB6B5BEDE 0000000000000000 0000000000000000 000001C7EBD2D290  libglib-2.0-0.dll!g_main_context_check
    00007FFBB6B5C3FC 0000000000000000 0000000000000000 0000000000000000  libglib-2.0-0.dll!g_main_loop_run
    00007FF692A31A2B 00007FFC2C7093B0 000001C7B1B4E480 000001C7B1C00860  gimp-2.10.exe!0x7ff600001a2b
    00007FF692ECF67F 0000000000000000 000001C7B1B50E60 0000000000000000  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692A313B1 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000013b1
    00007FF692A314C6 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000014c6
    00007FFC2C7054E0 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk
    00007FFC2E80485B 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart
    
    gimp-2.10.exe	2.10.30.0
    ntdll.dll   	10.0.22000.653
    KERNEL32.DLL	10.0.22000.675
    KERNELBASE.dll	10.0.22000.675
    msvcrt.dll  	7.0.22000.1
    ole32.dll   	10.0.22000.120
    msvcp_win.dll	10.0.22000.1
    ucrtbase.dll	10.0.22000.1
    GDI32.dll   	10.0.22000.1
    win32u.dll  	10.0.22000.675
    gdi32full.dll	10.0.22000.675
    USER32.dll  	10.0.22000.282
    combase.dll 	10.0.22000.653
    RPCRT4.dll  	10.0.22000.675
    SHELL32.dll 	10.0.22000.593
    libgimpmodule-2.0-0.dll
    libgimpcolor-2.0-0.dll
    libgimpmath-2.0-0.dll
    libgimpconfig-2.0-0.dll
    libgimpthumb-2.0-0.dll
    libgimpwidgets-2.0-0.dll
    libgimpbase-2.0-0.dll
    exchndl.dll 	0.8.2.0
    PSAPI.DLL   	10.0.22000.1
    libbabl-0.1-0.dll
    libcairo-2.dll
    dbghelp.dll 	6.3.9600.17298
    libfontconfig-1.dll
    libgdk_pixbuf-2.0-0.dll	2.42.6.0
    libfreetype-6.dll	2.11.1.0
    ADVAPI32.dll	10.0.22000.653
    sechost.dll 	10.0.22000.556
    libgexiv2-2.dll
    libgio-2.0-0.dll	2.70.2.0
    libgobject-2.0-0.dll	2.70.2.0
    libglib-2.0-0.dll	2.70.2.0
    SHLWAPI.dll 	10.0.22000.1
    WS2_32.dll  	10.0.22000.1
    libharfbuzz-0.dll
    libintl-8.dll	0.19.8.0
    libjson-glib-1.0-0.dll
    liblcms2-2.dll
    libmypaint-0.dll
    libpangoft2-1.0-0.dll	1.50.2.0
    libpango-1.0-0.dll	1.50.2.0
    libpangocairo-1.0-0.dll	1.50.2.0
    zlib1.dll
    libgdk-win32-2.0-0.dll	2.24.33.0
    libgegl-0.4-0.dll
    libgegl-npd-0.4.dll
    libgtk-win32-2.0-0.dll	2.24.33.0
    IMM32.dll   	10.0.22000.1
    libgmodule-2.0-0.dll	2.70.2.0
    mscms.dll   	10.0.22000.469
    comdlg32.dll	10.0.22000.527
    VERSION.dll 	10.0.22000.1
    shcore.dll  	10.0.22000.613
    MSIMG32.dll 	10.0.22000.1
    mgwhelp.dll 	0.8.2.0
    libgcc_s_seh-1.dll
    libpixman-1-0.dll
    libexpat-1.dll
    libpng16-16.dll
    libiconv-2.dll	1.16.0.0
    gdiplus.dll 	10.0.22000.675
    libbz2-1.dll
    libbrotlidec.dll
    libstdc++-6.dll
    libffi-7.dll
    DNSAPI.dll  	10.0.22000.653
    IPHLPAPI.DLL	10.0.22000.282
    USP10.dll   	10.0.22000.1
    libexiv2.dll
    libwinpthread-1.dll	1.0.0.0
    libpcre-1.dll
    libgraphite2.dll
    libjson-c-5.dll
    libpangowin32-1.0-0.dll	1.50.2.0
    libfribidi-0.dll
    libthai-0.dll
    COMCTL32.dll	5.82.22000.1
    bcrypt.dll  	10.0.22000.1
    cfgmgr32.dll	10.0.22000.1
    WINSPOOL.DRV	10.0.22000.675
    libatk-1.0-0.dll	2.36.0.0
    libbrotlicommon.dll
    libcurl-4.dll
    CRYPT32.dll 	10.0.22000.348
    WLDAP32.dll 	10.0.22000.675
    libdatrie-1.dll
    libnghttp2-14.dll
    libidn2-0.dll
    libcrypto-1_1-x64.dll	1.1.1.12
    libpsl-5.dll
    libssh2-1.dll
    libssl-1_1-x64.dll	1.1.1.12
    libzstd.dll
    libunistring-2.dll	0.9.10.0
    NSI.dll     	10.0.22000.1
    windows.storage.dll	10.0.22000.675
    wintypes.dll	10.0.22000.527
    kernel.appcore.dll	10.0.22000.71
    bcryptPrimitives.dll	10.0.22000.376
    uxtheme.dll 	10.0.22000.120
    MSCTF.dll   	10.0.22000.527
    avx2-int8.dll
    cairo.dll
    CIE.dll
    double.dll
    fast-float.dll
    float.dll
    gegl-fixups.dll
    gggl-lies.dll
    gggl-table-lies.dll
    gggl-table.dll
    gggl.dll
    gimp-8bit.dll
    grey.dll
    half.dll
    HCY.dll
    HSL.dll
    HSV.dll
    naive-CMYK.dll
    simple.dll
    sse-half.dll
    sse2-float.dll
    sse2-int16.dll
    sse2-int8.dll
    sse4-int8.dll
    two-table.dll
    u16.dll
    u32.dll
    ycbcr.dll
    gegl-core.dll
    profapi.dll 	10.0.22000.1
    OLEAUT32.dll	10.0.22000.1
    clbcatq.dll 	2001.12.10941.16384
    propsys.dll 	7.0.22000.37
    apphelp.dll 	10.0.22000.282
    NetworkExplorer.dll	10.0.22000.51
    winhttp.dll 	10.0.22000.1
    exr-load.dll
    libIlmImf-2_5.dll
    libIex-2_5.dll
    libHalf-2_5.dll
    libIlmThread-2_5.dll
    libImath-2_5.dll
    gegl-common-gpl3.dll
    gegl-common.dll
    gif-load.dll
    jp2-load.dll
    libjasper-4.dll
    libjpeg-8.dll
    jpg-load.dll
    pdf-load.dll
    libpoppler-glib-8.dll
    libpoppler-115.dll
    nss3.dll    	3.73.1.0
    libnspr4.dll	4.31.0.0
    libplc4.dll 	4.31.0.0
    smime3.dll  	3.73.1.0
    libopenjp2-7.dll
    libtiff-5.dll
    libplds4.dll	4.31.0.0
    nssutil3.dll	3.73.1.0
    MSWSOCK.dll 	10.0.22000.1
    WINMM.dll   	10.0.22000.1
    libjbig-0.dll
    libdeflate.dll
    libLerc.dll
    liblzma-5.dll	5.2.5.0
    libwebp-7.dll
    pixbuf-load.dll
    png-load.dll
    ppm-load.dll
    raw-load.dll
    libraw-20.dll
    libgomp-1.dll
    rgbe-load.dll
    svg-load.dll
    librsvg-2-2.dll
    libcairo-gobject-2.dll
    USERENV.dll 	10.0.22000.1
    libxml2-2.dll
    text.dll
    tiff-load.dll
    webp-load.dll
    exr-save.dll
    jpg-save.dll
    npy-save.dll
    pixbuf-save.dll
    png-save.dll
    ppm-save.dll
    rgbe-save.dll
    sdl2-display.dll
    SDL2.dll    	2.0.18.0
    SETUPAPI.dll	10.0.22000.469
    tiff-save.dll
    webp-save.dll
    gegl-common-cxx.dll
    lcms-from-profile.dll
    npd.dll
    path.dll
    transformops.dll
    vector-stroke.dll
    seamless-clone-compose.dll
    gegl-generated.dll
    matting-levin.dll
    libumfpack.dll
    libamd.dll
    libsuitesparseconfig.dll
    libcholmod.dll
    libcamd.dll
    libccolamd.dll
    libmetis.dll
    libcolamd.dll
    libopenblas.dll
    libgfortran-5.dll
    libquadmath-0.dll
    seamless-clone.dll
    libgegl-sc-0.4.dll
    libwimp.dll
    libpixmap.dll
    libpixbufloader-png.dll
    libpixbufloader-svg.dll
    icm32.dll   	10.0.22000.469
    textinputframework.dll	10.0.22000.282
    CoreMessaging.dll	10.0.22000.71
    CoreUIComponents.dll	10.0.22000.132
    CRYPTBASE.DLL	10.0.22000.1
    PalmInputTSF.dll	2.7.0.1702
    ntmarta.dll 	10.0.22000.1
    AppXDeploymentClient.dll	10.0.22000.469
    urlmon.dll  	11.0.22000.653
    iertutil.dll	11.0.22000.653
    netutils.dll	10.0.22000.434
    srvcli.dll  	10.0.22000.613
    TextShaping.dll
    Windows.ApplicationModel.dll	10.0.22000.593
    mssprxy.dll 	7.0.22000.593
    mrmcorer.dll	10.0.22000.120
    windows.staterepositorycore.dll	10.0.22000.65
    windows.staterepositoryclient.dll	10.0.22000.653
    bcp47mrm.dll	10.0.22000.65
    Windows.UI.dll	10.0.22000.1
    CRYPTSP.dll 	10.0.22000.1
    rsaenh.dll  	10.0.22000.282
    shfolder.dll	10.0.22000.1
    webio.dll   	10.0.22000.1
    WINNSI.DLL  	10.0.22000.1
    SspiCli.dll 	10.0.22000.556
    rasadhlp.dll	10.0.22000.1
    fwpuclnt.dll	10.0.22000.593
    schannel.DLL	10.0.22000.675
    mskeyprotect.dll	10.0.22000.1
    NTASN1.dll  	10.0.22000.1
    ncrypt.dll  	10.0.22000.1
    ncryptsslp.dll	10.0.22000.1
    MSASN1.dll  	10.0.22000.1
    DPAPI.DLL   	10.0.22000.1
    comctl32.dll	6.10.22000.120
    WindowsCodecs.dll	10.0.22000.653
    
    Windows 10.0.22000
    DrMingw 0.8.2

CVE-2022-32990: Trigger a unhandled exception in GIMP 2.10.30 (#8230) · Issues · GNOME / GIMP

An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

****Describe the bug****

UndefinedBehaviorSanitizer: signed integer overflow in hb-ot-shape-fallback.cc

****To Reproduce****

Built harfbuzz-shape-fuzzer using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 7f7ebdc

****UBSAN Output****

    $ ./hb-shape-fuzzer id:000000,sig:06,src:014111,time:17042722,op:havoc,rep:2,trial:1
    INFO: Seed: 3794760496
    INFO: Loaded 1 modules   (85057 inline 8-bit counters): 85057 [0x1066033, 0x107ac74), 
    INFO: Loaded 1 PC tables (85057 PCs): 85057 [0x107ac78,0x11c7088), 
    hb-shape-fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000000,sig:06,src:014111,time:17042722,op:havoc,rep:2,trial:1
    harfbuzz/src/hb-ot-shape-fallback.cc:262:67: runtime error: signed integer overflow: 6 - -2147483648 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior harfbuzz/src/hb-ot-shape-fallback.cc:262:67 in 
    harfbuzz/src/hb-ot-shape-fallback.cc:279:45: runtime error: signed integer overflow: -2147483648 + -2147483648 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior harfbuzz/src/hb-ot-shape-fallback.cc:279:45 in 
    harfbuzz/src/hb-ot-shape-fallback.cc:279:67: runtime error: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior harfbuzz/src/hb-ot-shape-fallback.cc:279:67 in 
    Executed id:000000,sig:06,src:014111,time:17042722,op:havoc,rep:2,trial:1 in 4 ms
    

testcase:

harfbuzz-shape-fuzzer.zip

CVE-2022-33068: UndefinedBehaviorSanitizer: signed integer overflow · Issue #3557 · harfbuzz/harfbuzz

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free via the function decode_preR13_section at decode_r11.c.

**system info**

Ubuntu x86\_64, clang 6.0, dwg2dxf(0.12.4.4608)

**Command line**

./programs/dwg2dxf -b -m @@ -o /dev/null

**AddressSanitizer output**

\==8989==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffff7e35838 at pc 0x0000007106ca bp 0x7fffffffc8b0 sp 0x7fffffffc8a8  
READ of size 8 at 0x7ffff7e35838 thread T0  
#0 0x7106c9 in decode\_preR13\_section /testcase/libredwg/src/decode\_r11.c:339:35  
#1 0x705d0a in decode\_preR13 /testcase/libredwg/src/decode\_r11.c:830:12  
#2 0x53245a in dwg\_decode /testcase/libredwg/src/decode.c:209:23  
#3 0x50d759 in dwg\_read\_file /testcase/libredwg/src/dwg.c:254:11  
#4 0x50c454 in main /testcase/libredwg/programs/dwg2dxf.c:258:15  
#5 0x7ffff6e22c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#6 0x419ee9 in \_start (/testcase/libredwg/programs/dwg2dxf+0x419ee9)

0x7ffff7e35838 is located 56 bytes inside of 172032-byte region \[0x7ffff7e35800,0x7ffff7e5f800)  
freed by thread T0 here:  
#0 0x4d2968 in realloc /fuzzer/build/llvm\_tools/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:79  
#1 0x5a05b5 in dwg\_add\_object /testcase/libredwg/src/decode.c:4730:35

previously allocated by thread T0 here:  
#0 0x4d2750 in calloc /fuzzer/build/llvm\_tools/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:74  
#1 0x5a0465 in dwg\_add\_object /testcase/libredwg/src/decode.c:4719:35

SUMMARY: AddressSanitizer: heap-use-after-free /testcase/libredwg/src/decode\_r11.c:339:35 in decode\_preR13\_section  
Shadow bytes around the buggy address:  
0x10007efbeab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x10007efbeac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x10007efbead0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x10007efbeae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x10007efbeaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x10007efbeb00: fd fd fd fd fd fd fd\[fd\]fd fd fd fd fd fd fd fd  
0x10007efbeb10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd  
0x10007efbeb20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd  
0x10007efbeb30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd  
0x10007efbeb40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd  
0x10007efbeb50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==8989==ABORTING

**poc**

https://gitee.com/cxlzff/fuzz-poc/raw/master/libredwg/decode\_preR13\_uaf

Tag

#c++