Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.

**Crash Inputs**

Here is the crash file that trigger the error

cmix\_asan\_crash\_mem\_overlap.zip

**Bug Description:**

When executing cmix (new release version) with the file inputs and parameter "-n", the ASan (Memory Sanitizer ) instrumented program terminates with Nonfatal Error shown below.

    ==102390==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x619000041c63,0x619000041c67) and [0x619000041c64, 0x619000041c68) overlap
        #0 0x4ca038 in __asan_memcpy (/cmix/cmix_asan+0x4ca038)
        #1 0x656a09 in paq8::FrenchStemmer::ConvertUTF8(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2502:11
        #2 0x65569b in paq8::FrenchStemmer::Stem(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2782:5
        #3 0x558c65 in paq8::TextModel::Update(paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3258:28
        #4 0x63978b in paq8::TextModel::Predict(paq8::Mixer&, paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3160:7
        #5 0x615679 in paq8::contextModel2(paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8183:13
        #6 0x61867b in paq8::Predictor::update() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8277:11
        #7 0x6c0d24 in Predictor::Perceive(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/predictor.cpp:394:12
        #8 0x4fed5c in Encoder::Encode(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/coder/encoder.cpp:23:7
        #9 0x6ef0d0 in Compress(unsigned long long, std::basic_ifstream<char, std::char_traits<char> >*, std::basic_ofstream<char, std::char_traits<char> >*, unsigned long long*, Predictor*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:106:9
        #10 0x6f06d3 in RunCompression(bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, _IO_FILE*, unsigned long long*, unsigned long long*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:203:3
        #11 0x6f3b13 in main /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:298:10
        #12 0x7f0cc1be9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #13 0x41f819 in _start (/cmix/cmix_asan+0x41f819)
    
    0x619000041c63 is located 483 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    0x619000041c64 is located 484 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    SUMMARY: AddressSanitizer: memcpy-param-overlap (/cmix/cmix_asan+0x4ca038) in __asan_memcpy
    

**Step to reproduce**

*   download the cmix from github and build it with ASAN
*   Execute cmix with provide files and given parameters "-n".

CVE-2023-29596: [BUG]: ERROR memcpy-param-overlap · Issue #54 · byronknoll/cmix

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-26930: GitHub - huanglei3/xpdf_aborted

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the TextOutputDev.cc function.

CVE-2023-26931

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via SharedFile::readBlock at /xpdf/Stream.cc.

XPDF v4.04

pdftotext poc

Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2711): Dictionary key must be a name object Syntax Error (2715): Dictionary key must be a name object Syntax Error (2720): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (172): Dictionary key must be a name object Syntax Error (393): Illegal character <3d> in hex string Syntax Error (398): Illegal character <80> in hex string Syntax Error (399): Illegal character <67> in hex string Syntax Error (400): Illegal character <74> in hex string Syntax Error (401): Illegal character <68> in hex string Syntax Error (409): Illegal character '>' Syntax Error (887): Illegal character ')' Syntax Error (1296): Illegal character ')' Syntax Error (1781): Illegal character ')' Syntax Error (2386): Dictionary key must be a name object Syntax Error (2390): Dictionary key must be a name object Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.

(gdb) bt

#0 0x00007ffff7a989df in \_IO\_new\_file\_seekoff (fp=0x555555b81c30, offset=1446, dir=0, mode=) at fileops.c:976 #1 0x00007ffff7a967cd in \_\_fseeko (fp=0x555555b81c30, offset=offset@entry=1446, whence=whence@entry=0) at fseeko.c:40 #2 0x0000555555848c19 in gfseek (f=, offset=offset@entry=1446, whence=whence@entry=0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/gfile.cc:733 #3 0x00005555557ec8c1 in SharedFile::readBlock (this=0x555555b81fd0, buf=buf@entry=0x555555b832b8 "6 0 objnt 3 0 R\\r\\n/Resources <<\\r\\n/Font <<\\r\\n/F1 9 0 R \\r\\n>>\\r\\n/ProcSet 8 0 R\\r\\n>>\\r\\n/MediaBo\\202 \[0 0 612.0000 792.0000\]\\r\\n\\r\\n7 0 obj\\r\\n<< /Length 676 >> 00000 Name /ream\\r\\n2 J\\r\\nBT\\r\\n0\\r\\n57.3750 722.2800 Td\\r\\n( Simpl"..., pos=1446, size=256) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:739 #4 0x00005555557ecfe8 in FileStream::fillBuf (this=this@entry=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.cc:842 #5 0x0000555555813d23 in FileStream::getChar (this=0x555555b83280) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Stream.h:324 #6 0x00005555557b1153 in Object::streamGetChar (this=0x555555b833f0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:300 #7 Lexer::getChar (this=this@entry=0x555555b833e0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:93 #8 0x00005555557b13fa in Lexer::getObj (this=0x555555b833e0, obj=obj@entry=0x555555b838e8) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Lexer.cc:125 #9 0x00005555557d078d in Parser::Parser (this=0x555555b838d0, xrefA=, lexerA=, allowStreamsA=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Parser.cc:35 #10 0x000055555582c0e2 in XRef::fetch (this=0x555555b83990, num=6, gen=0, obj=0x7fffff7ff330, recursion=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1231 #11 0x00005555556754a0 in Object::arrayGet (this=0x7fffff7ff320, recursion=0, obj=0x7fffff7ff330, i=1) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:243 #12 Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:566

CVE-2023-26935: GitHub - huanglei3/xpdf_heapoverflow

libming 0.4.8 0.4.8 is vulnerable to Buffer Overflow. In getInt() in decompile.c unknown type may lead to denial of service. This is a different vulnerability than CVE-2018-9132 and CVE-2018-20427.

CVE-2022-44232: GitHub - huanglei3/libming_crashes

An issue found in XPDF v.4.04 allows an attacker to cause a denial of service via a crafted pdf file in the object.cc parameter.

poc:copy30 or copy31 ;link: https://github.com/huanglei3/xpdf\_Stack-backtracking/blob/main/copy30 $ gdb --args pdftotext copy30 pwndbg> r Syntax Error: Couldn't read xref table Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2667): Dictionary key must be a name object Syntax Error (2671): Dictionary key must be a name object Syntax Error (2676): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (203): Illegal character <2f> in hex string Syntax Error (204): Illegal character <54> in hex string Syntax Error (205): Illegal character <79> in hex string Syntax Error (206): Illegal character <70> in hex string Syntax Error (209): Illegal character <52> in hex string Syntax Error (211): Illegal character <5d> in hex string Syntax Error (216): Illegal character '>' Syntax Error (268): Dictionary key must be a name object Syntax Error (273): Dictionary key must be a name object Syntax Error (396): Dictionary key must be a name object Syntax Error (399): Dictionary key must be a name object Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary Syntax Error (268): Dictionary key must be a name object Syntax Error (273): Dictionary key must be a name object Program received signal SIGSEGV, Segmentation fault. 0x00005555557c014b in Object::copy (this=this@entry=0x555555b84078, obj=obj@entry=0x7fffff7ff130) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.cc:99 99 obj->cmd = copyString(cmd); LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ► 99 obj->cmd = copyString(cmd); pwndbg> bt #0 0x00005555557c014b in Object::copy (this=this@entry=0x555555b84078, obj=obj@entry=0x7fffff7ff130) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.cc:99 #1 0x000055555582cbd8 in XRef::fetch (this=0x555555b83990, num=<optimized out>, gen=<optimized out>, obj=0x7fffff7ff130, recursion=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1212 #2 0x00005555556754a0 in Object::arrayGet (this=0x7fffff7ff120, recursion=0, obj=0x7fffff7ff130, i=17) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:243 #3 Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:566 #4 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #5 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #6 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #7 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #8 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #9 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #10 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #11 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #12 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #13 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #14 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #15 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #16 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #17 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #18 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #19 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #20 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #21 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #22 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #23 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #24 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b852e0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567

CVE-2023-26934: xpdf_Stack-backtracking/object_copy at main · huanglei3/xpdf_Stack-backtracking

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via gmalloc in gmem.cc

publicize CVE

\[CVE ID\]

CVE-2022-44232

\[the name of an affected Product\]

libming

\[the affected or fixed version(s)\]

libming 0.4.8

\> \[Affected Product Code Base\]

\> libming 0.4.8 - 0.4.8

\[Vulnerability Type\]

Buffer Overflow

\> \[Impact Denial of Service\]

\>> true

\> \[Attack Vectors\]

\> open a crafted swf file

\[DESCRIPTION\]

In libming 0.4.8 decompile.c, accessing zero page may lead to denial of service.

\[CVE ID\]

CVE-2023-26930

\[PRODUCT\]

XPDF

\[VERSION\]

XPDF 4.04

\> \[Affected Product Code Base\]

\>> XPDF 4.04

\[PROBLEM TYPE\]

Buffer Overflow

\> \[Impact Denial of Service\]

\>> true

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in the pdftotext.cc function.

\[CVE ID\]

CVE-2023-26931

\[ the name of an affected Product\]

XPDF

\[VERSION\]

XPDF 4.04

\[Vulnerability TYPE\]

Buffer Overflow

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via the PDFDoc malloc in TextOutputDev.cc.

\[CVE ID\]

CVE-2023-26934

\[PRODUCT\]

XPDF

\[VERSION\]

XPDF 4.04

\[Affected Product Code Base\]

XPDF 4.04

\[VulnerabilityType Other\]

Large or infinite loop

\[Impact Denial of Service\]

true

\[DESCRIPTION\]

An issue found in XPDF v.4.04 allows an attacker to cause a denial of service via a crafed pdf file in the object.cc parameter.

\[CVE ID\]

CVE-2023-26935

\[PRODUCT\]

XPDF 4.04

\[VERSION\]

4.04

\> \[Affected Product Code Base\]

\>> XPDF 4.04

\[PROBLEM TYPE\]

Buffer Overflow

\> \[Impact Denial of Service\]

\>> true

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via SharedFile::readBlock at /xpdf/Stream.cc.

\[CVE ID\]

CVE-2023-26936

\[PRODUCT\]

XPDF

\[VERSION\]

XPDF 4.04

\> \[Affected Product Code Base\]

\>> XPDF 4.04 4.04

\[VulnerabilityType Other\]

Large or infinite loop

\> \[Impact Denial of Service\]

\>> true

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via gmalloc in gmem.cc

\[CVE ID\]

CVE-2023-26937

\[PRODUCT\]

XPDF

\[VERSION\]

4.04

\> \[Affected Product Code Base\]

\>> XPDF 4.04 4.04

\> \[VulnerabilityType Other\]

\>> Large or infinite loop

\> \[Impact Denial of Service\]

\>> true

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via GString::resize located in goo/GString.cc

\[CVE ID\]

CVE-2023-26938

\[PRODUCT\]

XPDF 4.04

\[VERSION\]

XPDF 4.04

\> \[Affected Product Code Base\]

\>> XPDF 4.04

\> \[VulnerabilityType Other\]

\>> Large or infinite loop

\> \[Impact Denial of Service\]

\>> true

\[DESCRIPTION\]

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service viaSharedFile::readBlock located in goo/gfile.cc.

CVE-2023-26936: publicize CVE

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service via GString::resize located in goo/GString.cc

XPDF v4.04 poc: https://github.com/huanglei3/xpdf\_Stack-backtracking/blob/main/gstring\_poc pdftotext gstring\_poc Syntax Error: Couldn't read xref table Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... Syntax Error (2786): Dictionary key must be a name object Syntax Error (2790): Dictionary key must be a name object Syntax Error (2795): Dictionary key must be a name object Syntax Error: Dictionary key must be a name object Syntax Error: End of file inside dictionary Syntax Error (485): Illegal character <3d> in hex string Syntax Error (490): Illegal character <80> in hex string Syntax Error (491): Illegal character <67> in hex string Syntax Error (492): Illegal character <74> in hex string Syntax Error (493): Illegal character <68> in hex string Syntax Error (501): Illegal character '>' Syntax Error (49): Dictionary key must be a name object Syntax Error (54): Dictionary key must be a name object Syntax Error (60): Dictionary key must be a name object Syntax Error (65): Dictionary key must be a name object Syntax Error (70): Dictionary key must be a name object Syntax Error (80): Dictionary key must be a name object Syntax Error (203): Dictionary key must be a name object Syntax Error (243): Dictionary key must be a name object Syntax Error (401): Dictionary key must be a name object Syntax Error (410): Dictionary key must be a name object Syntax Error (411): Dictionary key must be a name object Syntax Error (422): Dictionary key must be a name object Syntax Error (485): Illegal character <3d> in hex string Syntax Error (490): Illegal character <80> in hex string Syntax Error (491): Illegal character <67> in hex string Syntax Error (492): Illegal character <74> in hex string Syntax Error (493): Illegal character <68> in hex string Syntax Error (501): Illegal character '>' Syntax Error (1028): Illegal character ')' Syntax Error (1437): Illegal character ')' Syntax Error (1643): Dictionary key must be a name object Syntax Error (1941): Illegal character ')' Syntax Error (2035): Illegal character ')' Syntax Error (2474): Illegal character '>' Syntax Error (2476): Illegal character <2f> in hex string Syntax Error (2477): Illegal character <72> in hex string Syntax Error (2480): Illegal character <54> in hex string Syntax Error (2481): Illegal character <73> in hex string Syntax Error (2482): Illegal character <69> in hex string Syntax Error (2484): Illegal character <6e> in hex string Syntax Error (2486): Illegal character <6f> in hex string Syntax Error (2488): Illegal character <69> in hex string Syntax Error (2489): Illegal character <6e> in hex string Syntax Error (2490): Illegal character <67> in hex string Syntax Error (2494): Illegal character '>' Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: End of file inside array Syntax Error: End of file inside dictionary Syntax Error (401): Dictionary key must be a name object Syntax Error (410): Dictionary key must be a name object Syntax Error (411): Dictionary key must be a name object Syntax Error (422): Dictionary key must be a name object Syntax Error (485): Illegal character <3d> in hex string Syntax Error (490): Illegal character <80> in hex string Syntax Error (491): Illegal character <67> in hex string Syntax Error (492): Illegal character <74> in hex string Syntax Error (493): Illegal character <68> in hex string Syntax Error (501): Illegal character '>' Syntax Error (1643): Dictionary key must be a name object Program received signal SIGSEGV, Segmentation fault. ► f 0 0x555555846739 GString::resize(int)+1305 f 1 0x55555583fea1 GString::GString(GString\*)+33 f 2 0x5555557c01de Object::copy(Object\*)+270 f 3 0x5555557c01de Object::copy(Object\*)+270 f 4 0x55555582cbd8 f 5 0x555555675364 Catalog::countPageTree(Object\*)+228 f 6 0x555555675364 Catalog::countPageTree(Object\*)+228 f 7 0x5555556754d3 Catalog::countPageTree(Object\*)+595 (gdb) bt #0 0x0000555555846739 in GString::resize (this=this@entry=0x555555b88a20, length1=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/GString.cc:109 #1 0x000055555583fea1 in GString::GString (this=0x555555b88a20, str=0x555555b88760) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/GString.h:80 #2 0x00005555557c01de in GString::copy (this=0x555555b88760) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/goo/GString.h:42 #3 Object::copy (this=this@entry=0x555555b84078, obj=obj@entry=0x7fffff7ff1a0) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.cc:84 #4 0x000055555582cbd8 in XRef::fetch (this=0x555555b83990, num=<optimized out>, gen=<optimized out>, obj=0x7fffff7ff1a0, recursion=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/XRef.cc:1212 #5 0x0000555555675364 in Object::dictLookup (this=<optimized out>, recursion=0, obj=0x7fffff7ff1a0, key=0x5555558a07c7 "Kids") at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Object.h:267 #6 Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:563 #7 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #8 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #9 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #10 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567 #11 0x00005555556754d3 in Catalog::countPageTree (this=0x555555b5d4a0, pagesObj=<optimized out>) at /home/fuzz/fuzzing\_xpdf/xpdf-4.04/xpdf/Catalog.cc:567

CVE-2023-26937: xpdf_Stack-backtracking/Stack_backtracking_gstring at main · huanglei3/xpdf_Stack-backtracking

Buffer Overflow vulnerability found in XPDF v.4.04 allows an attacker to cause a Denial of Service viaSharedFile::readBlock located in goo/gfile.cc.

**Sign in to GitHub**

Username or email address

Password Forgot password?

New to GitHub? Create an account.

CVE-2023-26938

Ubuntu Security Notice 6010-3 - USN-6010-1 fixed vulnerabilities and USN-6010-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Irvan Kurniawan discovered that Firefox did not properly manage fullscreen notifications using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. An attacker could potentially exploit this issue to perform spoofing attacks. Lukas Bernhard discovered that Firefox did not properly manage memory when doing Garbage Collector compaction. An attacker could potentially exploits this issue to cause a denial of service. Zx from qriousec discovered that Firefox did not properly validate the address to free a pointer provided to the memory manager. An attacker could potentially exploits this issue to cause a denial of service. Alexis aka zoracon discovered that Firefox did not properly validate the URI received by the WebExtension during a load request. An attacker could potentially exploits this to obtain sensitive information. Trung Pham discovered that Firefox did not properly validate the filename directive in the Content-Disposition header. An attacker could possibly exploit this to perform reflected file download attacks potentially tricking users to install malware. Ameen Basha M K discovered that Firefox did not properly validate downloads of files ending in .desktop. An attacker could potentially exploits this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6010-3  
April 26, 2023

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

USN-6010-2 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6010-1 fixed vulnerabilities and USN-6010-2 fixed minor regressions in  
Firefox. The update introduced several minor regressions. This update fixes  
the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2023-29537,  
 CVE-2023-29540, CVE-2023-29543, CVE-2023-29544, CVE-2023-29547,  
 CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551)

  Irvan Kurniawan discovered that Firefox did not properly manage fullscreen  
 notifications using a combination of window.open, fullscreen requests,  
 window.name assignments, and setInterval calls. An attacker could  
 potentially exploit this issue to perform spoofing attacks. (CVE-2023-29533)

  Lukas Bernhard discovered that Firefox did not properly manage memory  
 when doing Garbage Collector compaction. An attacker could potentially  
 exploits this issue to cause a denial of service. (CVE-2023-29535)

  Zx from qriousec discovered that Firefox did not properly validate the  
 address to free a pointer provided to the memory manager. An attacker could  
 potentially exploits this issue to cause a denial of service.  
 (CVE-2023-29536)

  Alexis aka zoracon discovered that Firefox did not properly validate the  
 URI received by the WebExtension during a load request. An attacker could  
 potentially exploits this to obtain sensitive information. (CVE-2023-29538)

  Trung Pham discovered that Firefox did not properly validate the filename  
 directive in the Content-Disposition header. An attacker could possibly  
 exploit this to perform reflected file download attacks potentially  
 tricking users to install malware. (CVE-2023-29539)

  Ameen Basha M K discovered that Firefox did not properly validate downloads  
 of files ending in .desktop. An attacker could potentially exploits this  
 issue to execute arbitrary code. (CVE-2023-29541)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         112.0.2+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  firefox                         112.0.2+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6010-3  
  https://ubuntu.com/security/notices/USN-6010-1  
  https://launchpad.net/bugs/2017722

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/112.0.2+build1-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/firefox/112.0.2+build1-0ubuntu0.18.04.1

Tag

#dos