Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.

**Describe the vulnerability**

The vulnerability is an integer overflow in gst_matroska_demux_add_wvpk_header which leads to a heap overwrite.

The allocation of newbuf can overflow so if blocksize is very large.

          newbuf =
              gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
              NULL);

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L3980

Later in the function, memory is copied from our data to outdata (which is mapped from newbuf, and blocksize is used (which is very large)

    memcpy (outdata, data, blocksize);

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L4002

An interesting note is that this would be impossible to trigger because of the size check on blocks in gst_matroska_demux_check_read_size, which restricts ebml blocks to size MAX_BLOCK_SIZE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L5332

However, you can get around this by using zlib to decompress a block that is < MAX_BLOCK_SIZE into something much larger.

**Expected Behavior**

Not segfault.

**Observed Behavior**

Segfault.

**Setup**

*   **Operating System:** Ubuntu 20.04.4
*   **Device:** Computer
*   **GStreamer Version:** 1.16.2

**Steps to reproduce the bug**

1.  Download
2.  Run gst-play-1.0 ./wvpk-crash.mkvwvpk-crash.mkv (note it takes awhile, roughly 20 seconds on my machine to crash).

**How reproducible is the bug?**

Always.

**Impact**

Heap overwrite. An attacker can survive the overwrite by careful massaging of the heap, and corrupt heap objects and heap metadata (I have done this part). This can lead to arbitrary code execution (although I have _not_ done this part).

**Additional Information**

I'd like to request a CVE for this vulnerability.

Thank you, happy to help.

CVE-2022-1920: matroska: heap overwrite in gst_matroska_demux_add_wvpk_header (#1226) · Issues · GStreamer / gstreamer · GitLab

Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.

**Describe the vulnerability**

heap-based buffer overflow in avidemux element, specifically in the functions gst_avi_demux_invert/swap_line.

The root cause vulnerability is that these values come from the .avi file:

      h = stream->strf.vids->height;
      w = stream->strf.vids->width;
      bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
      stride = GST_ROUND_UP_4 (w * (bpp / 8));

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5004

And the size of the buffer is mallocd based on that:

      tmp = g_malloc (stride);

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5015

There is a size check, however the vulnerability is that by choosing stride and h correctly then stride * h will overflow and wrap around, bypassing the size check

      if (map.size < (stride * h)) {
        GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
        gst_buffer_unmap (buf, &map);
        return buf;
      }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5009

Thus causing a heap overwrite here:

      for (y = 0; y < h / 2; y++) {
        swap_line (map.data + stride * y, map.data + stride * (h - 1 - y), tmp,
            stride);
      }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5017

**Expected Behavior**

Not segfault.

**Observed Behavior**

segfault.

**Setup**

*   **Operating System:** Ubuntu 20.04.4 LTS
*   **Device:** Computer
*   **GStreamer Version:** tested on 1.16.2, but vulnerability present on main

**Steps to reproduce the bug**

1.  Download the attached file: crash-gst.avi
    
2.  Use gat-play-1.0 to run the file:
    

    gst-play-1.0 ./crash-gst.avi

**How reproducible is the bug?**

Always

**Impact**

Likely code execution through heap manipulation, although I only have this crashing POC.

**Additional Information**

I'd like to request a CVE as part of this process.

Thank you!

CVE-2022-1921: avidemux: heap buffer overwrite in gst_avi_demux_invert/swap_line (#1224) · Issues · GStreamer / gstreamer · GitLab

Ubuntu Security Notice 5524-1 - It was discovered that HarfBuzz incorrectly handled certain glyph sizes. A remote attacker could use this issue to cause HarfBuzz to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5524-1  
July 19, 2022

harfbuzz vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

HarfBuzz could be made to crash if it opened specially crafted data.

Software Description:  
- harfbuzz: OpenType text shaping engine

Details:

It was discovered that HarfBuzz incorrectly handled certain glyph sizes. A  
remote attacker could use this issue to cause HarfBuzz to crash, resulting  
in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libharfbuzz0b                   2.7.4-1ubuntu3.1

Ubuntu 20.04 LTS:  
  libharfbuzz0b                   2.6.4-1ubuntu4.2

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5524-1  
  CVE-2022-33068

Package Information:  
  https://launchpad.net/ubuntu/+source/harfbuzz/2.7.4-1ubuntu3.1  
  https://launchpad.net/ubuntu/+source/harfbuzz/2.6.4-1ubuntu4.2

Ubuntu Security Notice USN-5524-1

Ubuntu Security Notice 5523-1 - It was discovered that LibTIFF was not properly performing checks to guarantee that allocated memory space existed, which could lead to a NULL pointer dereference via a specially crafted file. An attacker could possibly use this issue to cause a denial of service. It was discovered that LibTIFF was not properly performing checks to avoid division calculations where the denominator value was zero, which could lead to an undefined behavior situation via a specially crafted file. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5523-1July 19, 2022tiff vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in LibTIFF.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF was not properly performing checks toguarantee that allocated memory space existed, which could lead to aNULL pointer dereference via a specially crafted file. An attackercould possibly use this issue to cause a denial of service.(CVE-2022-0907, CVE-2022-0908)It was discovered that LibTIFF was not properly performing checks toavoid division calculations where the denominator value was zero,which could lead to an undefined behavior situation via a speciallycrafted file. An attacker could possibly use this issue to cause adenial of service. (CVE-2022-0909)It was discovered that LibTIFF was not properly performing boundschecks, which could lead to an out-of-bounds read via a speciallycrafted file. An attacker could possibly use this issue to cause adenial of service or to expose sensitive information. (CVE-2022-0924)It was discovered that LibTIFF was not properly performing thecalculation of data that would eventually be used as a reference forbounds checking operations, which could lead to an out-of-boundsread via a specially crafted file. An attacker could possibly usethis issue to cause a denial of service or to expose sensitiveinformation. (CVE-2020-19131)It was discovered that LibTIFF was not properly terminating afunction execution when processing incorrect data, which could leadto an out-of-bounds read via a specially crafted file. An attackercould possibly use this issue to cause a denial of service or toexpose sensitive information. (CVE-2020-19144)It was discovered that LibTIFF was not properly performing checkswhen setting the value for data later used as reference during memoryaccess, which could lead to an out-of-bounds read via a speciallycrafted file. An attacker could possibly use this issue to cause adenial of service or to expose sensitive information.(CVE-2022-22844)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-opengl                  4.0.6-1ubuntu0.8+esm2   libtiff-tools                   4.0.6-1ubuntu0.8+esm2   libtiff5                        4.0.6-1ubuntu0.8+esm2   libtiffxx5                      4.0.6-1ubuntu0.8+esm2Ubuntu 14.04 ESM:   libtiff-opengl                  4.0.3-7ubuntu0.11+esm2   libtiff-tools                   4.0.3-7ubuntu0.11+esm2   libtiff5                        4.0.3-7ubuntu0.11+esm2   libtiffxx5                      4.0.3-7ubuntu0.11+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5523-1   CVE-2020-19131, CVE-2020-19144, CVE-2022-0907, CVE-2022-0908,   CVE-2022-0909, CVE-2022-0924, CVE-2022-22844

Ubuntu Security Notice USN-5523-1

Ubuntu Security Notice 5520-2 - USN-5520-1 fixed a vulnerability in HTTP-Daemon. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

=========================================================================  
Ubuntu Security Notice USN-5520-2  
July 18, 2022

libhttp-daemon-perl vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

HTTP-Daemon could allow HTTP Request Smuggling attacks.

Software Description:  
- libhttp-daemon-perl: simple http server class

Details:

USN-5520-1 fixed a vulnerability in HTTP-Daemon. This update provides  
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 It was discovered that HTTP-Daemon incorrectly handled certain crafted  
 requests. A remote attacker could possibly use this issue to perform an  
 HTTP Request Smuggling attack.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  libhttp-daemon-perl             6.01-1ubuntu0.16.04~esm1

Ubuntu 14.04 ESM:  
  libhttp-daemon-perl             6.01-1ubuntu0.14.04~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5520-2  
  https://ubuntu.com/security/notices/USN-5520-1  
  CVE-2022-31081

Ubuntu Security Notice USN-5520-2

Ubuntu Security Notice 5522-1 - Several security issues were discovered in WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    =========================================================================Ubuntu Security Notice USN-5522-1July 18, 2022webkit2gtk vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, aremote attacker could exploit a variety of issues related to web browsersecurity, including cross-site scripting attacks, denial of service attacks,and arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.22.04.1  libjavascriptcoregtk-4.1-0      2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.4-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5522-1  CVE-2022-22677, CVE-2022-26710Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5522-1

HTMLDoc v1.9.15 was discovered to contain a heap overflow via (write_header) /htmldoc/htmldoc/html.cxx:273.

Hello, While fuzzing htmldoc , I found a heap-buffer-overflow in write\_header

Reporter:  
dramthy from Topsec Alpha Lab

test platform:  
htmldoc Version ：current  
OS :Ubuntu 20.04.1 LTS aarch64  
kernel: 5.4.0-53-generic  
compiler: cc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

reproduced:

(htmldoc with asan build option)  
./htmldoc-with-asan ./poc.html  
poc.zip

    =================================================================
    ==2609491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff8cd0ca11 at pc 0xffff92422fd0 bp 0xffffef6e9d50 sp 0xffffef6e9e00
    READ of size 2 at 0xffff8cd0ca11 thread T0
        #0 0xffff92422fcc  (/lib/aarch64-linux-gnu/libasan.so.5+0x8efcc)
        #1 0xffff92423f8c in __interceptor_vfprintf (/lib/aarch64-linux-gnu/libasan.so.5+0x8ff8c)
        #2 0xffff924241a8 in __interceptor___fprintf_chk (/lib/aarch64-linux-gnu/libasan.so.5+0x901a8)
        #3 0xaaaae0238f30 in fprintf /usr/include/aarch64-linux-gnu/bits/stdio2.h:100
        #4 0xaaaae0238f30 in write_header /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:273
        #5 0xaaaae023aa88 in html_export /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:141
        #6 0xaaaae021f52c in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1291
        #7 0xffff91c4c08c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #8 0xaaaae021f984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan+0x4b984)
    
    0xffff8cd0ca11 is located 0 bytes to the right of 1-byte region [0xffff8cd0ca10,0xffff8cd0ca11)
    allocated by thread T0 here:
        #0 0xffff92481a30 in __interceptor_malloc (/lib/aarch64-linux-gnu/libasan.so.5+0xeda30)
        #1 0xaaaae02892c4 in htmlGetText /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmllib.cxx:2125
        #2 0xaaaae0238024 in get_title /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:883
        #3 0xaaaae0238024 in get_title /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:883
        #4 0xaaaae0238024 in get_title /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:883
        #5 0xaaaae0238024 in get_title /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:883
        #6 0xaaaae023a940 in html_export /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:115
        #7 0xaaaae021f52c in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1291
        #8 0xffff91c4c08c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #9 0xaaaae021f984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan+0x4b984)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/aarch64-linux-gnu/libasan.so.5+0x8efcc) 
    

Maybe fix:  
in htmlGetText(), the s2 is not init, if tlen ==0, malloc (1+0) and s2\[tlen\]='\\0'.

        if (tdata != NULL)
        {
          // Add the text to this string...
          tlen = strlen((char *)tdata);
    
          if (s)
            s2 = (uchar *)realloc(s, 1 + slen + tlen);
          else{
                      s2 = (uchar *)malloc(1 + tlen); // error, s2 is not init
                      s2[tlen] = '\0';
            }
    
    
          if (!s2)
            break;
    
          s = s2;
    
          memcpy((char *)s + slen, (char *)tdata, tlen);

CVE-2022-34033: AddressSanitizer: heap-buffer-overflow on (write_header) /htmldoc/htmldoc/html.cxx:273 · Issue #425 · michaelrsweet/htmldoc

HTMLDoc v1.9.12 and below was discovered to contain a heap overflow via e_node htmldoc/htmldoc/html.cxx:588.

Hello, I found a heap-buffer-overflow in write\_node

Reporter:  
dramthy from Topsec Alpha Lab

test platform:  
htmldoc Version ：current  
OS :Ubuntu 20.04.1 LTS aarch64  
kernel: 5.4.0-53-generic  
compiler: gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

reproduced:

(htmldoc with asan build option)  
./htmldoc-with-asan ./poc.html  
poc.zip

    =================================================================
    ==25373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff8680cacf at pc 0xaaaadb308c50 bp 0xffffe65857c0 sp 0xffffe65857e0
    READ of size 1 at 0xffff8680cacf thread T0
        #0 0xaaaadb308c4c in write_node /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588
        #1 0xaaaadb3095d8 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:543
        #2 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #3 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #4 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #5 0xaaaadb309630 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:546
        #6 0xaaaadb30a014 in write_all /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:538
        #7 0xaaaadb30a014 in html_export /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:167
        #8 0xaaaadb2ee52c in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1291
        #9 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #10 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    0xffff8680cacf is located 1 bytes to the left of 1-byte region [0xffff8680cad0,0xffff8680cad1)
    allocated by thread T0 here:
        #0 0xffff8befa66c in __interceptor_strdup (/lib/aarch64-linux-gnu/libasan.so.5+0x8966c)
        #1 0xaaaadb35e684 in htmlReadFile /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmllib.cxx:796
        #2 0xaaaadb30a55c in read_file /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:2492
        #3 0xaaaadb2ee1a0 in main /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/htmldoc.cxx:1177
        #4 0xffff8b72908c in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x2408c)
        #5 0xaaaadb2ee984  (/home/vm1/workspace/Projects/afl-projects/001.htmldoc/bin-with-asan-fix-malloc2calloc+0x4b984)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vm1/workspace/Projects/afl-projects/001.htmldoc/htmldoc/htmldoc/html.cxx:588 in write_node
    Shadow bytes around the buggy address:
      0x200ff0d01900: fa fa 00 06 fa fa 00 05 fa fa 00 06 fa fa 00 06
      0x200ff0d01910: fa fa 00 04 fa fa 00 05 fa fa 00 05 fa fa 00 06
      0x200ff0d01920: fa fa 00 04 fa fa 00 04 fa fa 00 05 fa fa 00 07
      0x200ff0d01930: fa fa 05 fa fa fa 00 00 fa fa 07 fa fa fa 06 fa
      0x200ff0d01940: fa fa 00 00 fa fa 04 fa fa fa 00 01 fa fa 05 fa
    =>0x200ff0d01950: fa fa 02 fa fa fa 02 fa fa[fa]01 fa fa fa 02 fa
      0x200ff0d01960: fa fa 00 05 fa fa 06 fa fa fa 03 fa fa fa 03 fa
      0x200ff0d01970: fa fa 04 fa fa fa 00 02 fa fa 00 02 fa fa 00 02
      0x200ff0d01980: fa fa 00 02 fa fa 00 02 fa fa 04 fa fa fa 04 fa
      0x200ff0d01990: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 00 05
      0x200ff0d019a0: fa fa 00 06 fa fa 00 05 fa fa 00 07 fa fa 00 07
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==25373==ABORTING
    
    
    

this bug in htmldoc/htmldoc/html.cxx:588:

    	  if (t->data[strlen((char *)t->data) - 1] == '\n')
                col = 0;
    

similar to

    #include <string.h>
    #include <iostream>
    int main()
    {
       const char * s = "";
       std::cout<<(int)(strlen((char *)s) - 1);
       return 0;
    }
    

the index out of bounds。

CVE-2022-34035: AddressSanitizer: heap-buffer-overflow on write_node htmldoc/htmldoc/html.cxx:588 · Issue #426 · michaelrsweet/htmldoc

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 19, 2022

· 0 comments

**Comments**

Environment

Commit  : 6cef7f5055ec24275f0ae121c7f8709ff3e0c454
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // minified
    function f() {}                                                                                                                         
    Object.defineProperty(f, 'length', {set: () => {}});                                                                                    
    Object.defineProperty(f, 'length', Object.getOwnPropertyDescriptor([], 'length'));                                                      
    f.length  
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25984==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ea634 bp 0x7ffdd4213270 sp 0x7ffdd42130c0 T0)
    ==25984==The signal is caused by a READ memory access.
    ==25984==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4ea634 in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19
        #1 0x521273 in njs_object_length /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_object.c:2628:11
        #2 0x600a64 in njs_promise_race /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_promise.c:1727:11
        #3 0x54c08e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:728:11
        #4 0x54a9a7 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:766:16
        #5 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #6 0x54b526 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:693:11
        #7 0x54a9b9 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:769:16
        #8 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #9 0x4f25ba in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vm.c:541:11
        #10 0x4de3fd in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:890:19
        #11 0x4dd98f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:619:11
        #12 0x4dd98f in main /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:303:15
        #13 0x7f7bafed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #14 0x41ea5d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-asan/build/njs+0x41ea5d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19 in njs_value_property
    ==25984==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer

May 19, 2022

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer SEGV njs\_value.c:1083:19 in njs\_value\_property

May 19, 2022

2 participants

CVE-2022-34027: SEGV njs_value.c:1083:19 in njs_value_property · Issue #504 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

Tag

#ubuntu