A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command.

'25362?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-19724: Invalid Bug ID

An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.

Passer au contenu

*   Géomatika
    *   Présentation
    *   Réalisations
    *   Géoservices à la carte.
    *   Applications métiers
    *   Recrutement
    *   Formations
    *   Contact
*   IsiGéo
    *   IsiGéo Web
    *   IsiGéo API Js
    *   IsiGéo Apps
    *   Portail cartographique
    *   Boite à outils
    *   IsiGéo – Développements en cours
*   Solutions
    *   Cadastre / Urbanisme
    *   Logiciel Cimetière pour les Mairies
    *   Logiciel d’adressage
    *   Catalogage de plans Autocad
    *   Gestion de l’ANC ( Assainissement Non Collectif )
    *   Contrôle Poteaux Incendie
    *   Gestion d’un parc d’éclairage public
*   Mobilité
    *   Solutions terrain
    *   GPS centimétriques pour les SIG
*   npg
*   

IsiGéo web Géomatika2023-01-23T22:44:57+01:00

Page load link

Aller en haut

CVE-2023-23565: IsiGéo web

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

CVE-2020-21469: Buffer overflow when continuously send SIGHUP to postgres

Buffer Overflow vulnerability in function C_IStream::read in PluginEXR.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function C\_IStream::read of PluginEXR.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.  
Asan log as below:

\==2194\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf3b06d00 at pc 0x08087ebd bp 0xffe389d8 sp 0xffe385b0
WRITE of size 329845 at 0xf3b06d00 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in \_ReadProc(void\*, unsigned int, unsigned int, void\*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x816a96f in C\_IStream::read(char\*, int) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:66:26
    #3 0x851cd1f in Imf\_2\_2::(anonymous namespace)::readPixelData(Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, char\*&, int&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:440:25
    #4 0x8519bd7 in Imf\_2\_2::(anonymous namespace)::newLineBufferTask(IlmThread\_2\_2::TaskGroup\*, Imf\_2\_2::InputStreamMutex\*, Imf\_2\_2::ScanLineInputFile::Data\*, int, int, int, Imf\_2\_2::OptimizationMode) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1033:14
    #5 0x8519bd7 in Imf\_2\_2::ScanLineInputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1612:44
    #6 0x849dba8 in Imf\_2\_2::InputFile::readPixels(int, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:815:23
    #7 0x81638a2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:428:9
    #8 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #9 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #10 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #11 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #12 0x806f8f5 in \_start (/home/FreeImage/test+0x806f8f5)

0xf3b06d00 is located 0 bytes to the right of 6144\-byte region \[0xf3b05500,0xf3b06d00)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x8510c1f in Imf\_2\_2::EXRAllocAligned(unsigned int, unsigned int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfSystemSpecific.h:139:12
    #2 0x8510c1f in Imf\_2\_2::ScanLineInputFile::initialize(Imf\_2\_2::Header const&) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132:58
    #3 0x8511e19 in Imf\_2\_2::ScanLineInputFile::ScanLineInputFile(Imf\_2\_2::Header const&, Imf\_2\_2::IStream\*, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #4 0x8496904 in Imf\_2\_2::InputFile::initialize() /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #5 0x8498d15 in Imf\_2\_2::InputFile::InputFile(Imf\_2\_2::IStream&, int) /home/FreeImage/Source/OpenEXR/IlmImf/ImfInputFile.cpp:450:13
    #6 0x8161d1f in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginEXR.cpp:193:18
    #7 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #8 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #9 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #10 0xf71fefb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16

SUMMARY: AddressSanitizer: heap\-buffer\-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e760d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e760d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x3e760da0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e760df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==2194\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21426: FreeImage / Bugs / #300 heap-buffer-overflow in function C_IStream::read of PluginEXR.cpp

An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled.

'25249?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21490: Invalid Bug ID

dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y

Skip to content

**Heap-based Buffer Overflow in the makevar() function**

Hi,

I found a **heap buffer overflow write of size 1** in the makevar() function, in dpic.y on dpic 2021.04.10 (commit: d317e406)

Heap buffer overflow issue: for loop in https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5769 as given below:

    void
    makevar(char *s, int ln, double varval)
    {
      nametype *vn, *lastvar, *namptr;
      int j, tstval;
      for (j = 0; j < ln; j++) { chbuf[chbufi + j] = s[j]; }
      ...

And, as per the code, https://gitlab.com/aplevich/dpic/-/blob/master/main.c#L1777

chbuf = malloc (sizeof (chbufarray)); if (chbuf==NULL){ fatal(9); } the sizeof chbufarray of char datatype is: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.h#L78

    typedef Char chbufarray[CHBUFSIZ + 1];

and upper limit of chbuf buffers is CHBUFSIZ which is of 4095 limit so sizeof (chbufarray) becomes 4096 and while running the executable, the value of chbufi can be seen as 4089 for this test file, so it means any value which is greater than 6 will cause heap buffer overflow write in the makevar() function for loop, in this case.

    if ln (second input parameter of makevar()) is 7:
        chbuf[4089 + 6] = s[6];
        chbuf[4095] = s[6];
    
    if ln is greater than 7 like 8 or 9:
        chbuf[4089 + 7] = s[6];
        which is, chbuf[4096] = s[6]; // heap buffer overflow of write 1 byte

And, as per the code: https://gitlab.com/aplevich/dpic/-/blob/master/dpic.y#L5735 as given below, it can be seen as many makevar() function has second input parameter greater than 7

    void
    mkOptionVars(void)
    {
        makevar("dpicopt", 7, drawmode);
        if (safemode) { i = 1; } else { i = 0; }
        makevar("optsafe", 7, i);
        makevar("optMFpic", 8, MFpic);
        makevar("optMpost", 8, MPost);
        makevar("optPDF", 6, PDF);
        makevar("optPGF", 6, PGF);
        makevar("optPict2e", 9, Pict2e);
        makevar("optPS", 5, PS);
        makevar("optPSfrag", 9, PSfrag);
        makevar("optPSTricks", 11, PSTricks);
        makevar("optSVG", 6, SVG);
        makevar("optTeX", 6, TeX);
        makevar("opttTeX", 7, tTeX);
        makevar("optxfig", 7, xfig);
        ...

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap\_bof\_write\_test

the issue can be reproduced by running:

dpic heap_bof_write_test

With ASAN report

    =================================================================
    ==582741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001100 at pc 0x000000538ae3 bp 0x7ffead55dc90 sp 0x7ffead55dc88
    WRITE of size 1 at 0x621000001100 thread T0
        #0 0x538ae2 in makevar /home/bsdboy/projects/again/dpic/dpic.y:5769:48
        #1 0x511042 in mkOptionVars /home/bsdboy/projects/again/dpic/dpic.y:5748:5
        #2 0x4de391 in yyparse /home/bsdboy/projects/again/dpic/dpic.y:495:19
        #3 0x4dbcb4 in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #5 0x41c65d in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c65d)
    
    0x621000001100 is located 0 bytes to the right of 4096-byte region [0x621000000100,0x621000001100)
    allocated by thread T0 here:
        #0 0x4978bd in malloc (/home/bsdboy/projects/again/dpic/dpic+0x4978bd)
        #1 0x4dbb9d in main /home/bsdboy/projects/again/dpic/main.c:1779:11
        #2 0x7f9a899740b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/projects/again/dpic/dpic.y:5769:48 in makevar
    Shadow bytes around the buggy address:
      0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff8220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==582741==ABORTING

Edited May 09, 2021 by Neeraj Pal

CVE-2021-33388: Heap-based Buffer Overflow in the makevar() function (#8) · Issues · Dwight Aplevich / dpic · GitLab

dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.

Skip to content

**Heap Use After Free in the deletestringbox() function (different than #7)**

Hi,

While fuzzing dpic 2021.04.10 (commit: d317e406), I found a heap use-after-free in the cmpstring() function, in dpic.y:L5724.

I have already confirmed the previous issue: #7 (closed) and that is already patched but this seems to be similar but not the same with this input test file and in the same deletestringbox() function.

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Attaching a reproducer: heap-uaf-read-test-deletestringbox

the issue can be reproduced by running:

dpic heap-uaf-read-test-deletestringbox

    =================================================================
    ==3692838==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000060 at pc 0x0000005094cf bp 0x7ffdf2d88ed0 sp 0x7ffdf2d88ec8
    READ of size 8 at 0x60d000000060 thread T0
        #0 0x5094ce in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5724:19
        #1 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
        #2 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #3 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #4 0x41c3dd in _start (/home/bsdboy/projects/again/dpic/dpic+0x41c3dd)
    
    0x60d000000060 is located 32 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
    freed by thread T0 here:
        #0 0x4973d2 in free (/home/bsdboy/projects/again/dpic/dpic+0x4973d2)
        #1 0x501778 in deletetree /home/bsdboy/projects/again/dpic/dpic.y:3917:12
        #2 0x50989b in deletestringbox /home/bsdboy/projects/again/dpic/dpic.y:5732:3
        #3 0x4fce1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:2839:4
        #4 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #5 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x49763d in malloc (/home/bsdboy/projects/again/dpic/dpic+0x49763d)
        #1 0x507b27 in newprim /home/bsdboy/projects/again/dpic/dpic.y:4984:13
        #2 0x4deb1a in yyparse /home/bsdboy/projects/again/dpic/dpic.y:892:19
        #3 0x4d69ac in main /home/bsdboy/projects/again/dpic/main.c:1813:13
        #4 0x7f638b8eb0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/bsdboy/projects/again/dpic/dpic.y:5724:19 in deletestringbox
    Shadow bytes around the buggy address:
      0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
      0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3692838==ABORTING

CVE-2021-33390: Heap Use After Free in the deletestringbox() function (different than #7) (#10) · Issues · Dwight Aplevich / dpic · GitLab

A heap buffer overflow in r_read_le32 function in radare25.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread crash in RAnal.hexagon (tests\_64900) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **4 additions** and **1 deletion**.

5 changes: 4 additions & 1 deletion libr/anal/p/anal\_hexagon.c

Expand Up

@@ -10,8 +10,11 @@

#include "hexagon\_anal.h"

  

static int hexagon\_v6\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len, RAnalOpMask mask) {

HexInsn hi \= {0};;

HexInsn hi \= {0};

ut32 data \= 0;

if (len < 4) {

return 0;

}

data \= r\_read\_le32 (buf);

int size \= hexagon\_disasm\_instruction (data, &hi, (ut32) addr);

op\->size \= size;

Expand Down

**0 comments on commit 027cd9b**

Please sign in to comment.

CVE-2022-28072: Fix oobread crash in RAnal.hexagon (tests_64900) ##crash · radareorg/radare2@027cd9b

A heap buffer overflow in vax_opfunction in radare2 5.4.2 and 5.4.0.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 2.9k

*   Code
*   Issues 811
*   Pull requests 31
*   Discussions
*   Actions
*   Projects 27
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Fix oobread in VAX disassembler (tests\_64920) ##crash

Reported by giantbranch of NSFOCUS TIANJI Lab

*   Loading branch information

Showing **1 changed file** with **1 addition** and **1 deletion**.

2 changes: 1 addition & 1 deletion libr/anal/p/anal\_vax.c

Expand Up

@@ -150,7 +150,7 @@ static int vax\_op(RAnal \*anal, RAnalOp \*op, ut64 addr, const ut8 \*buf, int len,

case 0xfb: // calls

op\->type \= R\_ANAL\_OP\_TYPE\_CALL;

op\->size \= 7;

{

if (len \> 6) {

int oa \= 3;

ut32 delta \= buf\[oa\];

delta |= (ut32)(buf\[oa + 1\]) << 8;

Expand Down

**0 comments on commit 49b0ceb**

Please sign in to comment.

CVE-2022-28069: Fix oobread in VAX disassembler (tests_64920) ##crash · radareorg/radare2@49b0ceb

A heap buffer overflow in r_sleb128 function in radare2 5.4.2 and 5.4.0.

Expand Up @@ -383,21 +383,18 @@ static inline ut64 dwarf\_read\_offset(bool is\_64bit, const ut8 \*\*buf, const ut8 \* if (is\_64bit) { result \= READ64 (\*buf); } else { result \= READ32 (\*buf); result \= (ut64)READ32 (\*buf); } return result; }  
static inline ut64 dwarf\_read\_address(size\_t size, const ut8 \*\*buf, const ut8 \*buf\_end) { ut64 result; switch (size) { case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: result \= 0; \*buf += size; eprintf ("Weird dwarf address size: %zu.", size); Expand Down Expand Up @@ -1857,8 +1854,7 @@ static const ut8 \*parse\_attr\_value(const ut8 \*obuf, int obuf\_len, \* @param sdb \* @return const ut8\* Updated buffer \*/ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { size\_t i; for (i \= 0; i < abbrev\->count \- 1; i++) { memset (&die\->attr\_values\[i\], 0, sizeof (die\->attr\_values\[i\])); Expand All @@ -1868,9 +1864,8 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD  
RBinDwarfAttrValue \*attribute \= &die\->attr\_values\[i\];  
bool is\_valid\_string\_form \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string) && attribute\->string.content; bool is\_string \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string); bool is\_valid\_string\_form \= is\_string && attribute\->string.content; // TODO does this have a purpose anymore? // Or atleast it needs to rework becase there will be // more comp units -> more comp dirs and only the last one will be kept Expand All @@ -1880,7 +1875,6 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD } die\->count++; }  
return buf; }  
Expand Down