An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service.

**SUCHMOKUO node-worker-threads-pool denial of service Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-7vxc-q7rv-qfj8: SUCHMOKUO node-worker-threads-pool denial of service Vulnerability

An issue was discovered in `OFPBundleCtrlMsg` in `parser.py` in FaucetSDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

**FaucetSDN Ryu Denial of Service Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-4987-5p3p-9r27: FaucetSDN Ryu Denial of Service Vulnerability

An issue was discovered in `OFPQueueGetConfigReply` in `parser.py` in FaucetSDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

GHSA-5x64-925v-h4gv: FaucetSDN Ryu Denial of Service Vulnerability

vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

**To Reproduce**

vim -u NONE -X -Z -e -s -S poc -c :qa!

**Debug Info**

Program received signal SIGSEGV, Segmentation fault.
\[----------------------------------registers-----------------------------------\]
RAX: 0x935c60 --\> 0x3f3
RBX: 0x1
RCX: 0x0
RDX: 0x3000 ('')
RSI: 0x62 ('b')
RDI: 0x0
RBP: 0x921600 --\> 0x3f7
RSP: 0x7fffffff81e0 --\> 0x7c ('|')
RIP: 0x412ec8 (<ex\_buffer\_all+168>:     cmp    DWORD PTR \[rcx+0x78\],0x1)
R8 : 0x0
R9 : 0x1
R10: 0x7ffff741d080 (<\_\_strncmp\_sse42+1328>:    pslldq xmm2,0xb)
R11: 0x0
R12: 0x501
R13: 0x8f1ed0 --\> 0x6c62006162 ('ba')
R14: 0x0
R15: 0x90cbd0 --\> 0x3e9
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x412ebd <ex\_buffer\_all+157>:        nop    DWORD PTR \[rax\]
   0x412ec0 <ex\_buffer\_all+160>:        mov    rcx,QWORD PTR \[rbp+0x8\]
   0x412ec4 <ex\_buffer\_all+164>:        mov    r15,QWORD PTR \[rbp+0x18\]
=\> 0x412ec8 <ex\_buffer\_all+168>:        cmp    DWORD PTR \[rcx+0x78\],0x1
   0x412ecc <ex\_buffer\_all+172>:        jg     0x412f40 <ex\_buffer\_all+288>
   0x412ece <ex\_buffer\_all+174>:        test   BYTE PTR \[rip+0x4d5cf7\],0x2        # 0x8e8bcc <cmdmod+4>
   0x412ed5 <ex\_buffer\_all+181>:        jne    0x412ef0 <ex\_buffer\_all+208>
   0x412ed7 <ex\_buffer\_all+183>:        movsxd rcx,DWORD PTR \[rbp+0xc8\]
\[------------------------------------stack-------------------------------------\]
0000| 0x7fffffff81e0 --\> 0x7c ('|')
0008| 0x7fffffff81e8 --\> 0x270f
0016| 0x7fffffff81f0 --\> 0x7f0100000000
0024| 0x7fffffff81f8 --\> 0x4d6709 (<del\_trailing\_spaces+9>:     add    rax,rbx)
0032| 0x7fffffff8200 --\> 0x8f1ed2 --\> 0xbb980000006c6200
0040| 0x7fffffff8208 --\> 0x0
0048| 0x7fffffff8210 --\> 0x501
0056| 0x7fffffff8218 --\> 0x8f1ed0 --\> 0x6c62006162 ('ba')
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
ex\_buffer\_all (eap=<optimized out\>) at buffer.c:5161
5161                if ((wp\->w\_buffer\->b\_nwindows \> 1
gdb-peda$ 

stacktrace :

#0  ex\_buffer\_all (eap=<optimized out>) at buffer.c:5161
#1  0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffff8258, flags=0x7, cstack=0x7fffffff8438, fgetline=0x409430 <getnextac>, cookie=0x7fffffff8bf0) at ex\_docmd.c:2588
#2  do\_cmdline (cmdline=<optimized out>, cmdline@entry=0x0, fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffff8bf0, flags=flags@entry=0x7) at ex\_docmd.c:1003
#3  0x00000000004089d5 in apply\_autocmds\_group (event=event@entry=EVENT\_BUFUNLOAD, fname=0x8f1e90 "/mnt/disk/out/vim\_bak/vim-fuzzer-out/\\261'\\377\\177", fname\_io=<optimized out>, force=<optimized out>,
    force@entry=0x0, group=group@entry=0xfffffffd, buf=buf@entry=0x92f650, eap=0x0) at autocmd.c:2109
#4  0x0000000000409287 in apply\_autocmds (event=EVENT\_BUFADD, event@entry=EVENT\_BUFUNLOAD, fname=0x62 <error: Cannot access memory at address 0x62>,
    fname\_io=0x3000 <error: Cannot access memory at address 0x3000>, force=force@entry=0x0, buf=0x1, buf@entry=0x92f650) at autocmd.c:1621
#5  0x000000000040ba68 in buf\_freeall (buf=0x92f650, flags=flags@entry=0x4) at buffer.c:803
#6  0x00000000004612b8 in do\_ecmd (fnum=<optimized out>, fnum@entry=0x0, ffname=<optimized out>, ffname@entry=0x8f1591 "", sfname=<optimized out>, sfname@entry=0x0, eap=<optimized out>,
    eap@entry=0x7fffffffaf50, newlnum=newlnum@entry=0x1, flags=<optimized out\>, oldwin=<optimized out\>) at ex\_cmds.c:2897
#7  0x000000000046d8ab in do\_exedit (eap=eap@entry=0x7fffffffaf50, old\_curwin=old\_curwin@entry=0x0) at ex\_docmd.c:6691
#8  0x000000000046fff7 in ex\_open (eap=0x7fffffffaf50) at ex\_docmd.c:6581
#9  0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffffaf28, flags=0x7, cstack=0x7fffffffb108, fgetline=0x5668a0 <getsourceline>, cookie=0x7fffffffb8a0) at ex\_docmd.c:2588
#10 do\_cmdline (cmdline=<optimized out>, cmdline@entry=0x903de0 "\\223?", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb8a0, flags=flags@entry=0x7) at ex\_docmd.c:1003
#11 0x0000000000566685 in do\_source (fname=<optimized out>, fname@entry=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", check\_other=<optimized out>, check\_other@entry=0x0,
    is\_vimrc=is\_vimrc@entry=0x0, ret\_sid=<optimized out\>, ret\_sid@entry=0x0) at scriptfile.c:1401
#12 0x0000000000565df9 in cmd\_source (fname=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", eap=<optimized out>) at scriptfile.c:971
#13 0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffffb998, flags=0xb, cstack=0x7fffffffbb78, fgetline=0x0, cookie=0x0) at ex\_docmd.c:2588
#14 do\_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0xb) at ex\_docmd.c:1003
#15 0x0000000000468e1e in do\_cmdline\_cmd (cmd=0x0) at ex\_docmd.c:592
#16 0x0000000000627a6d in exe\_commands (parmp=<optimized out>) at main.c:3056
#17 vim\_main2 () at main.c:760
#18 0x0000000000626bd2 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe4b8) at main.c:412
#19 0x00007ffff72f7840 in \_\_libc\_start\_main (main=0x6253a0 <main>, argc=0xb, argv=0x7fffffffe4b8, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe4a8)
    at ../csu/libc-start.c:291
#20 0x0000000000404269 in \_start ()

**Environment (please complete the following information):**

*   Vim version : commit 9567efa
*   OS: Ubuntu 16.04

**Additional context**

compile argument：

#!/bin/bash -eux
export CC="clang-11"
export CXX="clang-11++"
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make

poc:  
poc.gz

Credit: 1vanChen of NSFOCUS Security Team

CVE-2021-3236: Lack of verification of wp->w_buffer causes null pointer references in ex_buffer_all() · Issue #7674 · vim/vim

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc  
_Fri Nov 6 01:11:10 EET 2020_

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
     has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
     if (has\_tile\_bits && has\_strip\_bits) {
-        av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+        int tiled\_dng = s->is\_tiled && is\_dng;
+        av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+        if (!tiled\_dng)
+            return AVERROR\_INVALIDDATA;
     }
 
     /\* now we have the data and may start decoding \*/
     if ((ret = init\_image(s, &frame)) < 0)
         return ret;
 
-    if (!s->is\_tiled) {
+    if (!s->is\_tiled || has\_strip\_bits) {
         if (s->strips == 1 && !s->stripsize) {
             av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
             s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in GetByte function in miniupnp ngiflib version 0.4, allows local attackers to cause a denial of service (DoS) via crafted .gif file (infinite loop).

I used the command line gif2tga --outbase /dev/null path\_to\_file to run gif2tga and got a timeout.  
The program didn't return or repsond.  
The system is ubuntu 16.04.6 amd-64, source commit id is: 0245fd4  
compiled by gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)

debug informations is:  
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1  
Copyright (C) 2016 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86\_64-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
http://www.gnu.org/software/gdb/bugs/.  
Find the GDB manual and other documentation resources online at:  
http://www.gnu.org/software/gdb/documentation/.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from gif2tga...done.  
(gdb) r --outbase /dev/null /home/yang/test.gif  
Starting program: /home/yang/MyProject/remote\_test/target\_src/ngiflib/gif2tga --outbase /dev/null /home/yang/test.gif  
^C  
Program received signal SIGINT, Interrupt.  
0x00007ffff7b04320 in \_\_read\_nocancel () at ../sysdeps/unix/syscall-template.S:84  
84 ../sysdeps/unix/syscall-template.S: No such file or directory.  
(gdb) step  
\_IO\_new\_file\_underflow (fp=0x605070) at fileops.c:594  
594 fileops.c: No such file or directory.  
(gdb) step  
597 in fileops.c  
(gdb)  
596 in fileops.c  
(gdb)  
597 in fileops.c  
(gdb)  
607 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
608 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
\_\_GI\_\_IO\_default\_uflow (fp=0x605070) at genops.c:414  
414 genops.c: No such file or directory.  
(gdb)  
417 in genops.c  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:866  
866 libioP.h: No such file or directory.  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:867  
867 libioP.h: No such file or directory.  
(gdb)

The poc is attached below.

  
Thank you.

CVE-2020-24221: I found a large or infinite loop in ngiflib · Issue #17 · miniupnp/ngiflib

An issue was discovered in ecma-helpers.c in jerryscript version 2.3.0, allows local attackers to cause a denial of service (DoS) (Null Pointer Dereference).

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-24187: Poc/jerryscript/NULL-dereference-ecma_get_lex_env_type at master · Aurorainfinity/Poc

Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).

./qtsvg\_svg\_qsvgrenderer\_render ./1.svg

INFO: Seed: 3360833592
./qtsvg\_svg\_qsvgrenderer\_render: Running 1 inputs 1 time(s) each.
Running: ./1.svg
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==12881==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0xfffffffe01e5cbd0 (pc 0x00000086cd75 bp 0x7fffffff7bb0 sp 0x7fffffff7a30 T12881)
==12881==The signal is caused by a READ memory access.
                                                                                                                        
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /src/qt/qtbase/src/gui/painting/qdrawhelper\_p.h:601:13 in QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)
==12881==ABORTING

I think the invalid sign extension on 0x86cd6d causes integer overflow to be the root cause of this vulnerability

\[----------------------------------registers-----------------------------------\]
RAX: 0x0
RBX: 0xffffffff
RCX: 0xffffffff
RDX: 0x1e5cea0 --> 0xffff0000ffff0000
RSI: 0xffffffff80000000
     ^^^^^^^^^^^^^^^^^^
RDI: 0x7ff
RBP: 0x7fffffff7b50 --> 0x7fffffff7be0 --> 0x7fffffff7c00 --> 0x7fffffff7c40 --> 0x7fffffff7cc0 --> 0x7fffffffbe30 (--> ...)
RSP: 0x7fffffff79d0 --> 0x7ff000007ff
RIP: 0x86cd75 (<QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+725>:       and    ecx,DWORD PTR \[rdx+rsi\*4\])
R8 : 0x0
R9 : 0x1
R10: 0x7fffffffc0a8 --> 0xbff0000000000000
R11: 0x1
R12: 0x7fffffff7ce0 --> 0x3fbeb85100000003
R13: 0x7fffffff9d78 --> 0x0
R14: 0x7fffffff9d7c --> 0x0
R15: 0x1e545c8 --> 0x1e4d310 --> 0xf6d8cb00
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x86cd64 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+708>:  or     ecx,ebx
   0x86cd66 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+710>:  mov    rdx,QWORD PTR \[r15+0xe0\]
   0x86cd6d <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+717>:  movsxd rsi,DWORD PTR \[rbp+rax\*1-0xf0\]
=> 0x86cd75 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+725>:  and    ecx,DWORD PTR \[rdx+rsi\*4\]
   0x86cd78 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+728>:  mov    DWORD PTR \[r13+rax\*1+0x0\],ecx
   0x86cd7d <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+733>:  add    rax,0x4
   0x86cd81 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+737>:  cmp    rax,0x10
   0x86cd85 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+741>:
    jne    0x86cd60 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+704>:      jne    0x86cd60 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int\*, unsigned int\*, Operator const\*, QSpanData const\*, double, double, double, double, double)+704>
\[------------------------------------stack-------------------------------------\]
0000| 0x7fffffff79d0 --> 0x7ff000007ff
0008| 0x7fffffff79d8 --> 0x7ff000007ff
0016| 0x7fffffff79e0 --> 0x7ff000007ff
0024| 0x7fffffff79e8 --> 0x7ff000007ff
0032| 0x7fffffff79f0 --> 0x3ff000003ff
0040| 0x7fffffff79f8 --> 0x3ff000003ff
0048| 0x7fffffff7a00 --> 0xffc00000ffc00000
0056| 0x7fffffff7a08 --> 0xffc00000ffc00000
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
0x000000000086cd75      601                 FETCH\_RADIAL\_LOOP(FETCH\_RADIAL\_LOOP\_CLAMP\_PAD)
gdb-peda$ x/gx 0x7fffffff7b50-0xf0
0x7fffffff7a60: 0x8000000080000000
                ^^^^^^^^^^^^^^^^^^

CVE-2021-28025: Out of bounds read in function `QRadialFetchSimd<QSimdSse2>::fetch` when input craft svg file

Buffer Overflow vulnerability in jpgfile.c in Matthias-Wandel jhead version 3.04, allows local attackers to execute arbitrary code and cause a denial of service (DoS).

**Impact**

fuzzer&poc1.zip

    fstark@fstark-virtual-machine:~/jhead-master$ ./jhead afl_collect_output_dir/fuzz1\:id\:000013\,sig\:06\,src\:000263\,time\:295896\,op\:arith8\,pos\:8\,val\:+15 
    =================================================================
    ==4212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004bd123 bp 0x7ffd6e2fdb80 sp 0x7ffd6e2fdb70
    READ of size 1 at 0x60200000eff4 thread T0
        #0 0x4bd122 in process_COM /home/fstark/jhead-master/jpgfile.c:51
        #1 0x4be667 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:240
        #2 0x4bfbad in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:125
        #3 0x4bfbad in ReadJpegFile /home/fstark/jhead-master/jpgfile.c:378
        #4 0x4b71bb in ProcessFile /home/fstark/jhead-master/jhead.c:905
        #5 0x4066dc in main /home/fstark/jhead-master/jhead.c:1756
        #6 0x7f3dc850083f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #7 0x40a1e8 in _start (/home/fstark/jhead-master/jhead+0x40a1e8)
    
    0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x485392 in malloc (/home/fstark/jhead-master/jhead+0x485392)
        #1 0x4bd558 in ReadJpegSections /home/fstark/jhead-master/jpgfile.c:172
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fstark/jhead-master/jpgfile.c:51 process_COM
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==4212==ABORTING
    

**Patches**

Fixed by 4827ed3  
Matthias-Wandel@4827ed3

**References**

Matthias-Wandel#8  
Matthias-Wandel@4827ed3

CVE-2020-28840: heap-buffer-overflow on process_COM in jpgfile.c:51

Directory Traversal vulnerability in delete function in admin.api.TemplateController in ZrLog version 2.1.15, allows remote attackers to delete arbitrary files and cause a denial of service (DoS).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#dos