gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a heap-based buffer over-read, as demonstrated by MP4Box.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Describe the bug**

There is a heap-overflow bug in gp\_rtp\_builder\_do\_hevc, can be triggered via MP4Box+ ASan

**Step to reproduce**

./configure --enable-sanitizer && make -j$(nproc)  
./MP4Box -hint -out /dev/null poc

**Sanitizer output**

    [iso file] Box "hvcC" (start 919) has 26 extra bytes
    Hinting track ID 1 - Type "hvc1:hvc1" (H265) - BW 3 kbps
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 191 but only 3 bytes left in sample 11
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    [rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it
    =================================================================
    ==2628578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f15 at pc 0x7f14c2411bf5 bp 0x7ffec49a0110 sp 0x7ffec49a0100
    READ of size 1 at 0x602000001f15 thread T0
        #0 0x7f14c2411bf4 in gp_rtp_builder_do_hevc ietf/rtp_pck_mpeg4.c:594
        #1 0x7f14c29c1da6 in gf_hinter_track_process media_tools/isom_hinter.c:834
        #2 0x561e3a6f0d97 in HintFile /home/hzheng/real-validate/gpac/applications/mp4box/main.c:3613
        #3 0x561e3a6f857b in mp4boxMain /home/hzheng/real-validate/gpac/applications/mp4box/main.c:6481
        #4 0x7f14bfb8b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #5 0x561e3a6d0aed in _start (/home/hzheng/real-validate/gpac/bin/gcc/MP4Box+0xa9aed)
    
    0x602000001f15 is located 0 bytes to the right of 5-byte region [0x602000001f10,0x602000001f15)
    allocated by thread T0 here:
        #0 0x7f14c58d9bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f14c268782d in Media_GetSample isomedia/media.c:623
        #2 0x7f14c25e6e5c in gf_isom_get_sample_ex isomedia/isom_read.c:1905
        #3 0x7f14c29c16bd in gf_hinter_track_process media_tools/isom_hinter.c:756
        #4 0x561e3a6f0d97 in HintFile /home/hzheng/real-validate/gpac/applications/mp4box/main.c:3613
        #5 0x561e3a6f857b in mp4boxMain /home/hzheng/real-validate/gpac/applications/mp4box/main.c:6481
        #6 0x7f14bfb8b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg4.c:594 in gp_rtp_builder_do_hevc
    Shadow bytes around the buggy address:
      0x0c047fff8390: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff83a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff83b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff83c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff83d0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff83e0: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2628578==ABORTING
    

**version**

system: ubuntu 20.04.3 LTS  
compiler: gcc 9.3.0  
gpac version: latest commit 6dcba53

    MP4Box - GPAC version 2.1-DEV-rev114-g6dcba5347-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Credit**

NCNIPC of China  
Hexhive

**POC**

crash.zip

CVE-2022-29537: [BUG] heap buffer overflow in gp_rtp_builder_do_hevc · Issue #2173 · gpac/gpac

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Thomas Dickey

**Subject**:

Re: An illegal memory access in ncurses, tic

**Date**:

Sat, 16 Apr 2022 19:35:09 -0400

**User-agent**:

Mutt/1.10.1 (2018-07-13)

On Sat, Apr 16, 2022 at 04:55:06PM -0400, Thomas Dickey wrote:
> _On Sat, Apr 16, 2022 at 09:19:48PM +0800, 郑晗 wrote:_
> _> Dear developers,_
> _>_ 
> _> I'm a security researcher and is now trying to test my new fuzzer. I've_ 
> _> just found an illegal memory access in the latest commit of ncurse, tic._ 
> _> Here are the informations:_
> _>_ 
> _> (1) environment_
> _> Ubuntu 20.04.3 LTS_
> _> gcc 9.3.0_
> _> ncurse latest commit 74b10d4a30eec8feb66a4b94a72da65be0048447, tag_ 
> _> v6\_3\_20220409_
> _>_ 
> _>_ 
> _> (2) step to reproduce:_ 
> _> export CFLAGS="-fsanitze=address -g"_
> _> export CXXFLAGS="-fsanitize=address -g"_
> _> ./configure &amp;&amp; make -j$(nproc)_
> _> ./prog/tic -o /dev/null $POC_
> 
> _I can reproduce the problem, but the command is incorrect._
> _With that command, tic will exit (because /dev/null is not a directory)_
> _before getting into the area which produces these messages._

I have a simple fix for the immediate problem, but can see that there's
some additional (time-consuming) investigation needed.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net

 **signature.asc**  
_Description:_ PGP signature

*   **An illegal memory access in ncurses, tic**, _郑晗_, 2022/04/16
    *   **Re: An illegal memory access in ncurses, tic**, _Thomas Dickey_, 2022/04/16
        *   **Re: An illegal memory access in ncurses, tic**, _Thomas Dickey_ **<=**
            *   **Re: An illegal memory access in ncurses, tic**, _郑晗_, 2022/04/17

*   Prev by Date: **Re: An illegal memory access in ncurses, tic**
*   Next by Date: **ANN: ncurses-6.3-20220416**
*   Previous by thread: **Re: An illegal memory access in ncurses, tic**
*   Next by thread: **Re: An illegal memory access in ncurses, tic**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2022-29458: Re: An illegal memory access in ncurses, tic

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Thomas Dickey

**Subject**:

Re: An illegal memory access in ncurses, tic

**Date**:

Sat, 16 Apr 2022 19:35:09 -0400

**User-agent**:

Mutt/1.10.1 (2018-07-13)

On Sat, Apr 16, 2022 at 04:55:06PM -0400, Thomas Dickey wrote:
> _On Sat, Apr 16, 2022 at 09:19:48PM +0800, 郑晗 wrote:_
> _> Dear developers,_
> _>_ 
> _> I'm a security researcher and is now trying to test my new fuzzer. I've_ 
> _> just found an illegal memory access in the latest commit of ncurse, tic._ 
> _> Here are the informations:_
> _>_ 
> _> (1) environment_
> _> Ubuntu 20.04.3 LTS_
> _> gcc 9.3.0_
> _> ncurse latest commit 74b10d4a30eec8feb66a4b94a72da65be0048447, tag_ 
> _> v6\_3\_20220409_
> _>_ 
> _>_ 
> _> (2) step to reproduce:_ 
> _> export CFLAGS="-fsanitze=address -g"_
> _> export CXXFLAGS="-fsanitize=address -g"_
> _> ./configure &amp;&amp; make -j$(nproc)_
> _> ./prog/tic -o /dev/null $POC_
> 
> _I can reproduce the problem, but the command is incorrect._
> _With that command, tic will exit (because /dev/null is not a directory)_
> _before getting into the area which produces these messages._

I have a simple fix for the immediate problem, but can see that there's
some additional (time-consuming) investigation needed.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net

 **![Attachment:](https://lists.gnu.org/icons/generic.png) signature.asc**  
_Description:_ PGP signature

*   **An illegal memory access in ncurses, tic**, _郑晗_, 2022/04/16
    *   **Re: An illegal memory access in ncurses, tic**, _Thomas Dickey_, 2022/04/16
        *   **Re: An illegal memory access in ncurses, tic**, _Thomas Dickey_ **<=**
            *   **Re: An illegal memory access in ncurses, tic**, _郑晗_, 2022/04/17

*   Prev by Date: **Re: An illegal memory access in ncurses, tic**
*   Next by Date: **ANN: ncurses-6.3-20220416**
*   Previous by thread: **Re: An illegal memory access in ncurses, tic**
*   Next by thread: **Re: An illegal memory access in ncurses, tic**
*   Index(es):
    *   **Date**
    *   **Thread**

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. Using crafted input, attackers can cause a type to be incorrectly initialized in the function f_incr in sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.

CVE-2021-44492: GT.M V7.0-002 Release Notes

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.

CVE-2021-43286: Releases - Version notes | GoCD

Tcpreplay v4.4.1 was discovered to contain a double-free via __interceptor_free.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
Double free in tcpreplay.

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CFLAGS="-g -fsanitize=address" export CXXFLAGS="-g -fsanitize=address"
2.  ./configure --disable-local-libopts
3.  make
4.  tcprewrite -i POC1 -o /dev/null

**ASAN**

    Warning: ../../../POC1 was captured using a snaplen of 2 bytes.  This may mean you have truncated packets.
    =================================================================
    ==1805053==ERROR: AddressSanitizer: attempting double-free on 0x60c0000001c0 in thread T0:
        #0 0x7ff303d557cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
        #1 0x56235e5df26c in _our_safe_free /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/common/utils.c:119
        #2 0x56235e5d5642 in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:171
        #3 0x56235e5c43f3 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:463
        #4 0x56235e5b4968 in tcpedit_close /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/tcpedit.c:575
        #5 0x56235e5b08c1 in main /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcprewrite.c:147
        #6 0x7ff303a0e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x56235e5add2d in _start (/home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcprewrite+0x17d2d)
    
    0x60c0000001c0 is located 0 bytes inside of 120-byte region [0x60c0000001c0,0x60c000000238)
    freed by thread T0 here:
        #0 0x7ff303d557cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
        #1 0x56235e5df26c in _our_safe_free /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/common/utils.c:119
        #2 0x56235e5c4597 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:480
        #3 0x56235e5d55ff in dlt_jnpr_ether_cleanup plugins/dlt_jnpr_ether/jnpr_ether.c:170
        #4 0x56235e5c43f3 in tcpedit_dlt_cleanup plugins/dlt_plugins.c:463
        #5 0x56235e5b4968 in tcpedit_close /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/tcpedit.c:575
        #6 0x56235e5b08c1 in main /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcprewrite.c:147
        #7 0x7ff303a0e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    previously allocated by thread T0 here:
        #0 0x7ff303d55bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x56235e5defba in _our_safe_malloc /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/common/utils.c:50
        #2 0x56235e5c2f16 in tcpedit_dlt_init plugins/dlt_plugins.c:130
        #3 0x56235e5d53d4 in dlt_jnpr_ether_post_init plugins/dlt_jnpr_ether/jnpr_ether.c:141
        #4 0x56235e5c3902 in tcpedit_dlt_post_init plugins/dlt_plugins.c:268
        #5 0x56235e5c3571 in tcpedit_dlt_post_args plugins/dlt_plugins.c:213
        #6 0x56235e5b7586 in tcpedit_post_args /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/parse_args.c:252
        #7 0x56235e5b042e in main /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcprewrite.c:87
        #8 0x7ff303a0e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: double-free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) in __interceptor_free
    ==1805053==ABORTING
    

**System (please complete the following information):**

*   Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
*   ./tcprewrite -V

    tcprewrite version: 4.4.0 (build git:v4.3.4-4-g0ca82e31)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Fragroute engine: disabled
    

**Additional context**  
Add any other context about the problem here.

CVE-2022-27416: [Bug] Double-free · Issue #702 · appneta/tcpreplay

Tcpreplay v4.4.1 has a heap-based buffer overflow in do_checksum_math at /tcpedit/checksum.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
heap-buffer-overflow in tcpreplay

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CFLAGS="-g -fsanitize=address" export CXXFLAGS="-g -fsanitize=address"
2.  ./configure --disable-local-libopts
3.  make
4.  ./tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo POC2
5.  POC2.zip

**ASAN**

    =================================================================
    ==2505330==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000002a0 at pc 0x555db3af22a5 bp 0x7ffe70553580 sp 0x7ffe70553570
    READ of size 2 at 0x6060000002a0 thread T0
        #0 0x555db3af22a4 in do_checksum_math /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:193
        #1 0x555db3af1be8 in do_checksum /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:103
        #2 0x555db3ae925c in fix_ipv4_checksums /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/edit_packet.c:81
        #3 0x555db3ae49b4 in tcpedit_packet /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/tcpedit.c:351
        #4 0x555db3acf3b9 in send_packets /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/send_packets.c:397
        #5 0x555db3ae0997 in replay_file /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/replay.c:182
        #6 0x555db3adf92b in tcpr_replay_index /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/replay.c:59
        #7 0x555db3ade6b8 in tcpreplay_replay /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay_api.c:1139
        #8 0x555db3ad6f2a in main /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay.c:178
        #9 0x7f5ea6e440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x555db3ac916d in _start (/home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpreplay-edit+0x2016d)
    
    0x6060000002a0 is located 0 bytes to the right of 64-byte region [0x606000000260,0x6060000002a0)
    allocated by thread T0 here:
        #0 0x7f5ea718bbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f5ea705720e  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2420e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zxq/CVE_testing/ASAN-install/tcpreplay/src/tcpedit/checksum.c:193 in do_checksum_math
    Shadow bytes around the buggy address:
      0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0c7fff8010: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0c7fff8020: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
      0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c0c7fff8040: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
    =>0x0c0c7fff8050: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2505330==ABORTING
    
    
    

**System (please complete the following information):**

*   Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
*   Tcpreplay Version \[e.g. 4.3.2\]

    tcpreplay version: 4.4.0 (build git:v4.3.4-4-g0ca82e31)
    Copyright 2013-2022 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.9.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Packet editing: enabled
    Fragroute engine: disabled
    Injection method: PF_PACKET send()
    Not compiled with netmap

Tag

#ubuntu