Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables

CVE-2021-30353: January 2022 Security Bulletin | Qualcomm

A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:851 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000cf5a9b in memcpy ()
    #1  0x00000000008a24a7 in mpgviddmx_process (filter=0x124cbd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:851
    #2  0x00000000007480a0 in gf_filter_process_task (task=0x123a0e0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000738305 in gf_fs_run (fsess=0x1238220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5c20) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x00000000004168c3 in mp4boxMain (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000000418d6b in main (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
    #9  0x0000000000caaa06 in generic_start_main ()
    #10 0x0000000000caaff5 in __libc_start_main ()
    #11 0x0000000000403f39 in _start ()
    
    

The reason for this bug is that the program does not check the nullity of the pointer before copy memory to it.  
![image](https://user-images.githubusercontent.com/7632714/130580112-09339006-e245-4ade-8697-da5e6fab037d.png)

CVE-2021-40566: Segmentation fault casued by heap use after free using mp4box in mpgviddmx_process, reframe_mpgvid.c:851 · Issue #1887 · gpac/gpac

A Segmentation fault caused by a null pointer dereference vulnerability exists in Gpac through 1.0.1 via the gf_avc_parse_nalu function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by nod in gf\_avc\_parse\_nalu, av\_parsers.c:6112 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Program output:

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    Segmentation fault (core dumped)
    

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bd0648 in gf_avc_parse_nalu (bs=<optimized out>, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6112
    #1  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x3b, data=0x2491e67 "$1", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #2  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #3  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #4  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #5  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #6  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #7  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #8  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #9  0x0000000001f06bb6 in generic_start_main ()
    #10 0x0000000001f071a5 in __libc_start_main ()
    #11 0x000000000041c4e9 in _start ()

CVE-2021-40565: Segmentation fault caused by null pointer dereference using mp4box in gf_avc_parse_nalu, av_parsers.c:6112 · Issue #1902 · gpac/gpac

A Segmentation fault caused by null pointer dereference vulnerability eists in Gpac through 1.0.2 via the avc_parse_slice function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in avc\_parse\_slice, av\_parsers.c:5678 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bcd59d in avc_parse_slice (svc_idr_flag=GF_FALSE, si=0x7fffffff5020, avc=0x24ae050, bs=0x248df40) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:5678
    #1  gf_avc_parse_nalu (bs=0x248df40, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6087
    #2  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x4f, data=0x2491e5b "$1\200", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #3  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #4  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #5  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #6  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #7  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #8  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #9  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #10 0x0000000001f06bb6 in generic_start_main ()
    #11 0x0000000001f071a5 in __libc_start_main ()
    #12 0x000000000041c4e9 in _start ()
    

The reason for this bug is that the program does not check the nullity of the pointer.  
![image](https://user-images.githubusercontent.com/7632714/130955606-eefd9dbd-049a-48b2-ab9f-fa46197e9d99.png)

CVE-2021-40564: Segmentation fault caused by null pointer dereference using mp4box in avc_parse_slice, av_parsers.c:5678 · Issue #1898 · gpac/gpac

A Segmentation fault exists casued by null pointer dereference exists in Gpac through 1.0.1 via the naludmx_create_avc_decoder_config function in reframe_nalu.c when using mp4box, which causes a denial of service.

@@ -1680,8 +1680,10 @@ static void naludmx\_queue\_param\_set(GF\_NALUDmxCtx \*ctx, char \*data, u32 size, u3

{

GF\_List \*list = NULL, \*alt\_list = NULL;

GF\_NALUFFParam \*sl;

u32 i, count;

u32 crc = gf\_crc\_32(data, size);

u32 i, count, crc;

  

if (!size) return;

crc = gf\_crc\_32(data, size);

  

if (ctx->codecid\==GF\_CODECID\_HEVC) {

switch (ps\_type) {

CVE-2021-40563: fixed #1892 · gpac/gpac@5ce0c90

A Segmentation fault caused by a floating point exception exists in Gpac through 1.0.1 using mp4box via the naludmx_enqueue_or_dispatch function in reframe_nalu.c, which causes a denial of service.

@@ -1352,9 +1352,9 @@ void naludmx\_create\_avc\_decoder\_config(GF\_NALUDmxCtx \*ctx, u8 \*\*dsi, u32 \*dsi\_si

else

DeltaTfiDivisorIdx = (ctx->avc\_state\->sei.pic\_timing.pic\_struct+1) / 2;

}

if (!ctx->timescale) {

if (!ctx->timescale && sps->vui.time\_scale && sps->vui.num\_units\_in\_tick) {

ctx->cur\_fps.num = 2 \* sps->vui.time\_scale;

ctx->cur\_fps.den = 2 \* sps->vui.num\_units\_in\_tick \* DeltaTfiDivisorIdx;

ctx->cur\_fps.den = 2 \* sps->vui.num\_units\_in\_tick \* DeltaTfiDivisorIdx;

  

if (!ctx->fps.num && ctx->dts\==ctx->fps.den)

ctx->dts = ctx->cur\_fps.den;

CVE-2021-40562: fixed #1901 · gpac/gpac@5dd71c7

A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
\[1\]    13064 segmentation fault  ~/AlphaFuzz-Experiment/projects/baseline0711/afl-fig2dev/fuzz\_bin/fig2dev -L

**AddressSanitizer output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
ASAN:SIGSEGV
\=================================================================
\==6829\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a094 bp 0x7fff3739baa0 sp 0x7fff3739b8f0 T0)
    #0 0x51a093 in open\_stream /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215
    #1 0x4b2aa8 in genps\_line /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/genps.c:1672
    #2 0x412a7d in gendev\_objects /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:1008
    #3 0x411481 in main /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:485
    #4 0x7f25954e683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215 open\_stream
\==6829\==ABORTING

CVE-2021-37530: Xfig / Tickets

A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\*\*\* Error in \`../../fig2dev': double free or corruption (!prev): 0x0000000000cfc030 \*\*\*
\======= Backtrace: \=========
/lib/x86\_64-linux-gnu/libc.so.6(+0x777f5)\[0x7f7fd7b6f7f5\]
/lib/x86\_64-linux-gnu/libc.so.6(+0x8038a)\[0x7f7fd7b7838a\]
/lib/x86\_64-linux-gnu/libc.so.6(cfree+0x4c)\[0x7f7fd7b7c58c\]
../../fig2dev\[0x4bbb2b\]
../../fig2dev\[0x47accd\]
../../fig2dev\[0x411b24\]
/lib/x86\_64-linux-gnu/libc.so.6(\_\_libc\_start\_main+0xf0)\[0x7f7fd7b18840\]
../../fig2dev\[0x402c09\]
\======= Memory map: \========
00400000\-004ec000 r-xp 00000000 08:11 27664590                           ../../fig2dev
006ec000-006ed000 r--p 000ec000 08:11 27664590                           ../../fig2dev
006ed000-00700000 rw-p 000ed000 08:11 27664590                           ../../fig2dev
00700000\-0071b000 rw-p 00000000 00:00 0
00cfb000-00d1c000 rw-p 00000000 00:00 0                                  \[heap\]
7f7fd0000000-7f7fd0021000 rw-p 00000000 00:00 0
7f7fd0021000-7f7fd4000000 ---p 00000000 00:00 0
7f7fd7579000-7f7fd7590000 r-xp 00000000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7590000-7f7fd778f000 ---p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd778f000-7f7fd7790000 r--p 00016000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7790000-7f7fd7791000 rw-p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7791000-7f7fd7af8000 r--p 00000000 08:02 38010883                   /usr/lib/locale/locale-archive
7f7fd7af8000-7f7fd7cb8000 r-xp 00000000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7cb8000-7f7fd7eb8000 ---p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7eb8000-7f7fd7ebc000 r--p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebc000-7f7fd7ebe000 rw-p 001c4000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebe000-7f7fd7ec2000 rw-p 00000000 00:00 0
7f7fd7ec2000-7f7fd7fca000 r-xp 00000000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd7fca000-7f7fd81c9000 ---p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81c9000-7f7fd81ca000 r--p 00107000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81ca000-7f7fd81cb000 rw-p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81cb000-7f7fd81e4000 r-xp 00000000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd81e4000-7f7fd83e3000 ---p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e3000-7f7fd83e4000 r--p 00018000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e4000-7f7fd83e5000 rw-p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e5000-7f7fd8409000 r-xp 00000000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8409000-7f7fd8608000 ---p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8608000-7f7fd8609000 r--p 00023000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8609000-7f7fd860a000 rw-p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd860a000-7f7fd8630000 r-xp 00000000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd87fb000-7f7fd8800000 rw-p 00000000 00:00 0
7f7fd882e000-7f7fd882f000 rw-p 00000000 00:00 0
7f7fd882f000-7f7fd8830000 r--p 00025000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8830000-7f7fd8831000 rw-p 00026000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8831000-7f7fd8832000 rw-p 00000000 00:00 0
7ffc8c5c7000-7ffc8c5e8000 rw-p 00000000 00:00 0                          \[stack\]
7ffc8c5ec000-7ffc8c5ee000 r--p 00000000 00:00 0                          \[vvar\]
7ffc8c5ee000-7ffc8c5f0000 r-xp 00000000 00:00 0                          \[vdso\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]
\[1\]    32228 abort      ../../fig2dev -L

**AddressSanitizer output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\=================================================================
\==28522\==ERROR: AddressSanitizer: attempting double-free on 0x610000007d40 in thread T0:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x4b2b32 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1674
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #6 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

0x610000007d40 is located 0 bytes inside of 180\-byte region \[0x610000007d40,0x610000007df4)
freed by thread T0 here:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x51a022 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:211
    #3 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #4 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #5 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #6 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

previously allocated by thread T0 here:
    #0 0x7f58f2415662 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x519f58 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:199
    #2 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: double-free ??:0 \_\_interceptor\_free
\==28522\==ABORTING

CVE-2021-37529: Xfig / Tickets

A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allows attackers to cause a Denial of Service (DoS) via a crafted MESH file.

@@ -1,5 +1,5 @@  
c libmeshb example : transform a quadrilateral mesh into a triangular one c libmeshb example: transform a quadrilateral mesh into a triangular one c using fast block transfer and pipelined post processing  
include 'libmeshb7.ins' @@ -39,14 +39,15 @@  
c Read the vertices res \= gmfgetblock(InpMsh, GmfVertices, 1\_8, NmbVer, + movver, 1, VerTab, + 0, %val(0), movver, 1, VerTab, + GmfDouble, VerTab(1,1), VerTab(1,2), + GmfDouble, VerTab(2,1), VerTab(2,2), + GmfDouble, VerTab(3,1), VerTab(3,2), + GmfInt, RefTab(1), RefTab(2))  
c Read the quads res \= gmfgetblock(InpMsh, GmfQuadrilaterals, 1\_8, NmbQad,0, res \= gmfgetblock(InpMsh, GmfQuadrilaterals, 1\_8, NmbQad, + 0, %val(0), %val(0), + GmfInt, QadTab(1,1), QadTab(1,2), + GmfInt, QadTab(2,1), QadTab(2,2), + GmfInt, QadTab(3,1), QadTab(3,2), @@ -79,7 +80,7 @@ c Write the triangles res \= gmfsetkwd(OutMsh, GmfTriangles, 2\*NmbQad, 0, 0) res \= gmfsetblock(OutMsh, GmfTriangles, 1\_8, 2\*NmbQad, + 0,%val(0),%val(0), + 0,%val(0), + qad2tri, 2, QadTab, TriTab, + GmfInt, TriTab(1,1), TriTab(1,2), + GmfInt, TriTab(2,1), TriTab(2,2),

CVE-2021-46225: Removed a potential buffer overflow crash in GmfOpenMesh and debugged… · LoicMarechal/libMeshb@8cd68c5

A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in the gf_isom_dovi_config_get function in MP4Box, which causes a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2435 when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc\_heap.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

command line

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    * Movie Info *
    	Timescale 90000 - 2 tracks
    Segmentation fault
    
    

asan info

    =================================================================
    ==1042542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000130 at pc 0x7fc6ede92514 bp 0x7ffcfced6850 sp 0x7ffcfced6840
    READ of size 8 at 0x610000000130 thread T0
        #0 0x7fc6ede92513 in gf_isom_dovi_config_get isomedia/avc_ext.c:2435
        #1 0x7fc6ee2fec1e in gf_media_get_rfc_6381_codec_name media_tools/isom_tools.c:4207
        #2 0x558b1bf03ac5 in DumpTrackInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3442
        #3 0x558b1bf18f44 in DumpMovieInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3777
        #4 0x558b1bed571d in mp4boxMain /home.../gpac/gpac-master/applications/mp4box/main.c:5991
        #5 0x7fc6ed2390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #6 0x558b1be77f1d in _start (/home.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    Address 0x610000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2435 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1042542==ABORTING
    

source code

    2428 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2429 {
    2430 	GF_TrackBox* trak;
    2431 	GF_MPEGVisualSampleEntryBox *entry;
    2432 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2433 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2434 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2435 	if (!entry || !entry->dovi_config) return NULL;
    2436 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2437 }

Tag

#dos