Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-19909: curl: cap the maximum allowed values for retry time arguments by bagder · Pull Request #4166 · curl/curl

Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39599: CVE/CVE-2023-39599/Readme.md at main · desencrypt/CVE

webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.

CVE-2023-39141 is reserved for this vulnerability

Project link:

https://github.com/ziahamza/webui-aria2/

Vulnerability type:

Path traversal

Root cause: This line https://github.com/ziahamza/webui-aria2/blob/109903f0e2774cf948698cd95a01f77f33d7dd2c/node-server.js#L10 accepts file name from URL input, without sanitizing it to be in the same directory.

PoC:

When \`node-server.js\` is used, an attacker can simply request files outside the serving path

\`curl --path-as-is http://localhost:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd\`

Root cause: Attacker may read any file that the www user can read.

Vulnerable versions:

Right now all versions even latest commit "109903f0e2774cf948698cd95a01f77f33d7dd2c" are vulnerable.

CVE-2023-39141: webui-aria2 CVE-2023-39141

dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y

Skip to content

**Heap-based Buffer Overflow in the makevar() function**

Hi,

I found a **heap buffer overflow write of size 1** in the makevar() function, in dpic.y on dpic 2021.04.10 (commit: d317e406)

Heap buffer overflow issue: for loop in https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5769 as given below:

    void
    makevar(char *s, int ln, double varval)
    {
      nametype *vn, *lastvar, *namptr;
      int j, tstval;
      for (j = 0; j < ln; j++) { chbuf[chbufi + j] = s[j]; }
      ...

And, as per the code, https://gitlab.com/aplevich/dpic/-/blob/master/main.c#L1777

chbuf = malloc (sizeof (chbufarray)); if (chbuf==NULL){ fatal(9); } the sizeof chbufarray of char datatype is: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.h#L78

    typedef Char chbufarray[CHBUFSIZ + 1];

and upper limit of chbuf buffers is CHBUFSIZ which is of 4095 limit so sizeof (chbufarray) becomes 4096 and while running the executable, the value of chbufi can be seen as 4089 for this test file, so it means any value which is greater than 6 will cause heap buffer overflow write in the makevar() function for loop, in this case.

    if ln (second input parameter of makevar()) is 7:
        chbuf[4089 + 6] = s[6];
        chbuf[4095] = s[6];
    
    if ln is greater than 7 like 8 or 9:
        chbuf[4089 + 7] = s[6];
        which is, chbuf[4096] = s[6]; // heap buffer overflow of write 1 byte

And, as per the code: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5735 as given below, it can be seen as many makevar() function has second input parameter greater than 7

    void
    mkOptionVars(void)
    {
        makevar("dpicopt", 7, drawmode);
        if (safemode) { i = 1; } else { i = 0; }
        makevar("optsafe", 7, i);
        makevar("optMFpic", 8, MFpic);
        makevar("optMpost", 8, MPost);
        makevar("optPDF", 6, PDF);
        makevar("optPGF", 6, PGF);
        makevar("optPict2e", 9, Pict2e);
        makevar("optPS", 5, PS);
        makevar("optPSfrag", 9, PSfrag);
        makevar("optPSTricks", 11, PSTricks);
        makevar("optSVG", 6, SVG);
        makevar("optTeX", 6, TeX);
        makevar("opttTeX", 7, tTeX);
        makevar("optxfig", 7, xfig);
        ...

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap\_bof\_write\_test

the issue can be reproduced by running:

dpic heap_bof_write_test

With ASAN report

    =================================================================
    ==582741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001100 at pc 0x000000538ae3 bp 0x7ffead55dc90 sp 0x7ffead55dc88
    WRITE of size 1 at 0x621000001100 thread T0
        #0 0x538ae2 in makevar /home/bsdboy/projects/again/dpic/dpic.y:5769:48
        #1 0x511042 in mkOptionVars /home/bsdboy/projects/again/dpic/dpic.y:5748:5
        #2 0x4de391 in yyparse /home/bsdboy/projects/again/dpic/dpic.y:495:19
        #3 0x4dbcb4 in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c65d in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c65d)
    
    0x621000001100 is located 0 bytes to the right of 4096-byte region [0x621000000100,0x621000001100)
    allocated by thread T0 here:
        #0 0x4978bd in malloc (/home/bsdboy/projects/again/dpic/dpic+0x4978bd)
        #1 0x4dbb9d in main /home/bsdboy/projects/again/dpic/main.c:1779:11
        #2 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/projects/again/dpic/dpic.y:5769:48 in makevar
    Shadow bytes around the buggy address:
      0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff8220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==582741==ABORTING

Edited May 09, 2021 by Neeraj Pal

CVE-2021-33388: Heap-based Buffer Overflow in the makevar() function (#8) · Issues · Dwight Aplevich / dpic · GitLab

dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.

Skip to content

**Heap Use After Free in the deletestringbox() function (different than #7)**

Hi,

While fuzzing dpic 2021.04.10 (commit: d317e406), I found a heap use-after-free in the cmpstring() function, in dpic.y:L5724.

I have already confirmed the previous issue: #7 (closed) and that is already patched but this seems to be similar but not the same with this input test file and in the same deletestringbox() function.

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap-uaf-read-test-deletestringbox

the issue can be reproduced by running:

dpic heap-uaf-read-test-deletestringbox

    =================================================================
    ==3692838==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000060 at pc 0x0000005094cf bp 0x7ffdf2d88ed0 sp 0x7ffdf2d88ec8
    READ of size 8 at 0x60d000000060 thread T0
        #0 0x5094ce in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5724:19
        #1 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
        #2 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #3 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #4 0x41c3dd in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c3dd)
    
    0x60d000000060 is located 32 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
    freed by thread T0 here:
        #0 0x4973d2 in free (/home/bsdboy/projects/again/dpic/dpic+0x4973d2)
        #1 0x501778 in deletetree /home/bsdboy/projects/again/dpic/dpic.y:3917:12
        #2 0x50989b in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5732:3
        #3 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
        #4 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #5 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x49763d in malloc (/home/bsdboy/projects/again/dpic/dpic+0x49763d)
        #1 0x507b27 in newprim /home/bsdboy/projects/again/dpic/dpic.y:4984:13
        #2 0x4deb1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:892:19
        #3 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/bsdboy/projects/again/dpic/dpic.y:5724:19 in deletestringbox
    Shadow bytes around the buggy address:
      0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
      0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3692838==ABORTING

CVE-2021-33390: Heap Use After Free in the deletestringbox() function (different than #7) (#10) · Issues · Dwight Aplevich / dpic · GitLab

A heap buffer overflow in r_read_le32 function in radare25.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread crash in RAnal.hexagon (tests\_64900) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **4 additions** and **1 deletion**.

5 changes: 4 additions & 1 deletion libr/anal/p/anal\_hexagon.c

Expand Up

@@ -10,8 +10,11 @@

#include "hexagon\_anal.h"

  

static int hexagon\_v6\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len, RAnalOpMask mask) {

HexInsn hi \= {0};;

HexInsn hi \= {0};

ut32 data \= 0;

if (len < 4) {

return 0;

}

data \= r\_read\_le32 (buf);

int size \= hexagon\_disasm\_instruction (data, &hi, (ut32) addr);

op\->size \= size;

Expand Down

**0 comments on commit 027cd9b**

Please sign in to comment.

CVE-2022-28072: Fix oobread crash in RAnal.hexagon (tests_64900) ##crash · radareorg/radare2@027cd9b

A heap buffer overflow in vax_opfunction in radare2 5.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread in VAX disassembler (tests\_64920) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

2 changes: 1 addition & 1 deletion libr/anal/p/anal\_vax.c

Expand Up

@@ -150,7 +150,7 @@ static int vax\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len,

case 0xfb: // calls

op\->type \= R\_ANAL\_OP\_TYPE\_CALL;

op\->size \= 7;

{

if (len \> 6) {

int oa \= 3;

ut32 delta \= buf\[oa\];

delta |= (ut32)(buf\[oa + 1\]) << 8;

Expand Down

**0 comments on commit 49b0ceb**

Please sign in to comment.

CVE-2022-28069: Fix oobread in VAX disassembler (tests_64920) ##crash · radareorg/radare2@49b0ceb

dpic 2021.01.01 has a Global buffer overflow in theyylex() function in main.c and reads out of the bound array.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Topics Snippets
    
*   Register
*   Sign in

*   Dwight Aplevich
*   dpic
*   Commits
*   d317e406

**Commit d317e406** authored Apr 10, 2021 by  **Dwight Aplevich**

Browse files

**Improved robustness to fuzzed input**

parent 68ab9432

*   Changes 33

Expand all Hide whitespace changes

Inline Side-by-side

*   Neeraj Pal @bsdb0y
    
    mentioned in issue #8 (closed)
    
    · May 09, 2021
    
    mentioned in issue #8 (closed)
    
    mentioned in issue #8
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #9 (closed)
    
    · May 09, 2021
    
    mentioned in issue #9 (closed)
    
    mentioned in issue #9
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #10 (closed)
    
    · May 09, 2021
    
    mentioned in issue #10 (closed)
    
    mentioned in issue #10
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #11 (closed)
    
    · May 09, 2021
    
    mentioned in issue #11 (closed)
    
    mentioned in issue #11
    
    Toggle commit list
    

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2021-32422: Improved robustness to fuzzed input (d317e406) · Commits · Dwight Aplevich / dpic · GitLab

A use after free in r_reg_set_value function in radare2 5.4.2 and 5.4.0.

Expand Up @@ -4766,7 +4766,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { int size \= 0, i, type \= R\_REG\_TYPE\_GPR; int bits \= (core\->anal\->bits & R\_SYS\_BITS\_64)? 64: 32; int use\_colors \= r\_config\_get\_i (core\->config, "scr.color"); RRegItem \*r; RRegItem \*r \= NULL; const char \*use\_color; const char \*name; char \*arg; Expand Down Expand Up @@ -5098,6 +5098,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { arg \= strchr (str + 1, '='); if (arg) { \*arg \= 0; ut64 n \= r\_num\_math (core\->num, arg + 1); char \*ostr \= r\_str\_trim\_dup (str + 1); char \*regname \= r\_str\_trim\_nc (ostr); r \= r\_reg\_get (core\->dbg\->reg, regname, \-1); Expand All @@ -5113,8 +5114,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { if (r) { //eprintf ("%s 0x%08"PFMT64x" -> ", str, // r\_reg\_get\_value (core->dbg->reg, r)); r\_reg\_set\_value (core\->dbg\->reg, r, r\_num\_math (core\->num, arg + 1)); r\_reg\_set\_value (core\->dbg\->reg, r, n); r\_debug\_reg\_sync (core\->dbg, R\_REG\_TYPE\_ALL, true); //eprintf ("0x%08"PFMT64x"\\n", // r\_reg\_get\_value (core->dbg->reg, r)); Expand Down

CVE-2022-28073: Fix uaf crash in aaft (tests_64927) ##crash · radareorg/radare2@59a9dfb

A use after free in r_reg_get_name_idx function in radare2 5.4.2 and 5.4.0.

Expand Up

@@ -504,11 +504,12 @@ R\_API void r\_core\_anal\_type\_match(RCore \*core, RAnalFunction \*fcn) {

char prev\_type\[256\] \= {0};

const char \*prev\_dest \= NULL;

char \*ret\_reg \= NULL;

const char \*pc \= r\_reg\_get\_name (core\->dbg\->reg, R\_REG\_NAME\_PC);

if (!pc) {

free (buf);

const char \*\_pc \= r\_reg\_get\_name (core\->dbg\->reg, R\_REG\_NAME\_PC);

if (!\_pc) {

free (buf);

return;

}

char \*pc \= strdup (\_pc);

RRegItem \*r \= r\_reg\_get (core\->dbg\->reg, pc, \-1);

if (!r) {

free (buf);

Expand Down Expand Up

@@ -778,4 +779,5 @@ R\_API void r\_core\_anal\_type\_match(RCore \*core, RAnalFunction \*fcn) {

free (buf);

r\_cons\_break\_pop();

anal\_emul\_restore (core, hc, dt, et);

free (pc);

}

Tag

#git