A heap buffer overflow in r_sleb128 function in radare2 5.4.2 and 5.4.0.

Expand Up @@ -383,21 +383,18 @@ static inline ut64 dwarf\_read\_offset(bool is\_64bit, const ut8 \*\*buf, const ut8 \* if (is\_64bit) { result \= READ64 (\*buf); } else { result \= READ32 (\*buf); result \= (ut64)READ32 (\*buf); } return result; }  
static inline ut64 dwarf\_read\_address(size\_t size, const ut8 \*\*buf, const ut8 \*buf\_end) { ut64 result; switch (size) { case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: case 2: result \= READ16 (\*buf); break; case 4: result \= READ32 (\*buf); break; case 8: result \= READ64 (\*buf); break; default: result \= 0; \*buf += size; eprintf ("Weird dwarf address size: %zu.", size); Expand Down Expand Up @@ -1857,8 +1854,7 @@ static const ut8 \*parse\_attr\_value(const ut8 \*obuf, int obuf\_len, \* @param sdb \* @return const ut8\* Updated buffer \*/ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevDecl \*abbrev, RBinDwarfCompUnitHdr \*hdr, RBinDwarfDie \*die, const ut8 \*debug\_str, size\_t debug\_str\_len, Sdb \*sdb) { size\_t i; for (i \= 0; i < abbrev\->count \- 1; i++) { memset (&die\->attr\_values\[i\], 0, sizeof (die\->attr\_values\[i\])); Expand All @@ -1868,9 +1864,8 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD  
RBinDwarfAttrValue \*attribute \= &die\->attr\_values\[i\];  
bool is\_valid\_string\_form \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string) && attribute\->string.content; bool is\_string \= (attribute\->attr\_form \== DW\_FORM\_strp || attribute\->attr\_form \== DW\_FORM\_string); bool is\_valid\_string\_form \= is\_string && attribute\->string.content; // TODO does this have a purpose anymore? // Or atleast it needs to rework becase there will be // more comp units -> more comp dirs and only the last one will be kept Expand All @@ -1880,7 +1875,6 @@ static const ut8 \*parse\_die(const ut8 \*buf, const ut8 \*buf\_end, RBinDwarfAbbrevD } die\->count++; }  
return buf; }  
Expand Down

CVE-2022-28068: Fix oobread crash in DWARF parser (tests_64924) ##crash · radareorg/radare2@637f4bd

An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to retrieve PHP files from the server via Local File Inclusion.

Passer au contenu

*   Géomatika
    *   Présentation
    *   Réalisations
    *   Géoservices à la carte.
    *   Applications métiers
    *   Recrutement
    *   Formations
    *   Contact
*   IsiGéo
    *   IsiGéo Web
    *   IsiGéo API Js
    *   IsiGéo Apps
    *   Portail cartographique
    *   Boite à outils
    *   IsiGéo – Développements en cours
*   Solutions
    *   Cadastre / Urbanisme
    *   Logiciel Cimetière pour les Mairies
    *   Logiciel d’adressage
    *   Catalogage de plans Autocad
    *   Gestion de l’ANC ( Assainissement Non Collectif )
    *   Contrôle Poteaux Incendie
    *   Gestion d’un parc d’éclairage public
*   Mobilité
    *   Solutions terrain
    *   GPS centimétriques pour les SIG
*   npg
*   

IsiGéo web Géomatika2023-01-23T22:44:57+01:00

Page load link

Aller en haut

CVE-2023-23565: IsiGéo web

A use after free in r_reg_set_value function in radare2 5.4.2 and 5.4.0.

Expand Up @@ -4766,7 +4766,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { int size \= 0, i, type \= R\_REG\_TYPE\_GPR; int bits \= (core\->anal\->bits & R\_SYS\_BITS\_64)? 64: 32; int use\_colors \= r\_config\_get\_i (core\->config, "scr.color"); RRegItem \*r; RRegItem \*r \= NULL; const char \*use\_color; const char \*name; char \*arg; Expand Down Expand Up @@ -5098,6 +5098,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { arg \= strchr (str + 1, '='); if (arg) { \*arg \= 0; ut64 n \= r\_num\_math (core\->num, arg + 1); char \*ostr \= r\_str\_trim\_dup (str + 1); char \*regname \= r\_str\_trim\_nc (ostr); r \= r\_reg\_get (core\->dbg\->reg, regname, \-1); Expand All @@ -5113,8 +5114,7 @@ void cmd\_anal\_reg(RCore \*core, const char \*str) { if (r) { //eprintf ("%s 0x%08"PFMT64x" -> ", str, // r\_reg\_get\_value (core->dbg->reg, r)); r\_reg\_set\_value (core\->dbg\->reg, r, r\_num\_math (core\->num, arg + 1)); r\_reg\_set\_value (core\->dbg\->reg, r, n); r\_debug\_reg\_sync (core\->dbg, R\_REG\_TYPE\_ALL, true); //eprintf ("0x%08"PFMT64x"\\n", // r\_reg\_get\_value (core->dbg->reg, r)); Expand Down

CVE-2022-28073: Fix uaf crash in aaft (tests_64927) ##crash · radareorg/radare2@59a9dfb

A use after free in r_reg_get_name_idx function in radare2 5.4.2 and 5.4.0.

Expand Up

@@ -504,11 +504,12 @@ R\_API void r\_core\_anal\_type\_match(RCore \*core, RAnalFunction \*fcn) {

char prev\_type\[256\] \= {0};

const char \*prev\_dest \= NULL;

char \*ret\_reg \= NULL;

const char \*pc \= r\_reg\_get\_name (core\->dbg\->reg, R\_REG\_NAME\_PC);

if (!pc) {

free (buf);

const char \*\_pc \= r\_reg\_get\_name (core\->dbg\->reg, R\_REG\_NAME\_PC);

if (!\_pc) {

free (buf);

return;

}

char \*pc \= strdup (\_pc);

RRegItem \*r \= r\_reg\_get (core\->dbg\->reg, pc, \-1);

if (!r) {

free (buf);

Expand Down Expand Up

@@ -778,4 +779,5 @@ R\_API void r\_core\_anal\_type\_match(RCore \*core, RAnalFunction \*fcn) {

free (buf);

r\_cons\_break\_pop();

anal\_emul\_restore (core, hc, dt, et);

free (pc);

}

CVE-2022-28071: Fix UAF in aaft (tests_64923) ##crash · radareorg/radare2@6544881

A null pointer deference in __core_anal_fcn function in radare2 5.4.2 and 5.4.0.

Expand Up

@@ -831,7 +831,7 @@ static bool \_\_core\_anal\_fcn(RCore \*core, ut64 at, ut64 from, int reftype, int de

const RList \*syms \= r\_bin\_get\_symbols (core\->bin);

ut64 baddr \= r\_config\_get\_i (core\->config, "bin.baddr");

r\_list\_foreach (syms, iter, sym) {

if ((sym\->paddr + baddr) \== fcn\->addr && !strcmp (sym\->type, R\_BIN\_TYPE\_FUNC\_STR)) {

if (sym\->type && (sym\->paddr + baddr) \== fcn\->addr && !strcmp (sym\->type, R\_BIN\_TYPE\_FUNC\_STR)) {

free (new\_name);

new\_name \= r\_str\_newf ("sym.%s", sym\->name);

break;

Expand Down

CVE-2022-28070: Fix oobread crash in the analysis loop with corrupted ELFs (tests_649… · radareorg/radare2@4aff1bb

There is a use-after-free vulnerability in file pdd_simplifier.cpp in Z3 before 4.8.8. It occurs when the solver attempt to simplify the constraints and causes unexpected memory access. It can cause segmentation faults or arbitrary code execution.

Hi, there.

There is a use after free issue that causes segmentation fault using z3.

To reproduce this issue, simply run  
z3 poc.smt2  
z3-uaf\_pdd\_simplified.smt2.zip

OS: Ubuntu 16.06  
commit 6ad261e

Here is the trace reported by ASAN.

    ==42916==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000057aa8 at pc 0x000002126476 bp 0x7ffce1825cf0 sp 0x7ffce1825ce0
    READ of size 8 at 0x603000057aa8 thread T0
        #0 0x2126475 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:131
        #1 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #2 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #3 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #4 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #5 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #6 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #7 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #8 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #9 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #10 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #11 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #12 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #13 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #14 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #15 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #16 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #17 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #18 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #19 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #20 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #21 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #22 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #23 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #24 0x19dff24 in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1023
        #25 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #26 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #27 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #28 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #29 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #30 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #31 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #32 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #33 0x19dd595 in unary_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:763
        #34 0x1a0cc80 in exec(tactic&, ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactic.cpp:148
        #35 0x1a0d11b in check_sat(tactic&, ref<goal>&, ref<model>&, labels_vec&, obj_ref<app, ast_manager>&, obj_ref<dependency_manager<ast_manager::expr_dependency_config>::dependency, ast_manager>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../src/tactic/tactic.cpp:168
        #36 0x19830fb in check_sat_core2 ../src/solver/tactic2solver.cpp:176
        #37 0x196bcb1 in solver_na2as::check_sat_core(unsigned int, expr* const*) ../src/solver/solver_na2as.cpp:67
        #38 0x19807b0 in combined_solver::check_sat_core(unsigned int, expr* const*) ../src/solver/combined_solver.cpp:246
        #39 0x196a68b in solver::check_sat(unsigned int, expr* const*) ../src/solver/solver.cpp:330
        #40 0x19306d2 in cmd_context::check_sat(unsigned int, expr* const*) ../src/cmd_context/cmd_context.cpp:1581
        #41 0x18bcc6b in smt2::parser::parse_check_sat() ../src/parsers/smt2/smt2parser.cpp:2596
        #42 0x18c0c07 in smt2::parser::parse_cmd() ../src/parsers/smt2/smt2parser.cpp:2938
        #43 0x18c2319 in smt2::parser::operator()() ../src/parsers/smt2/smt2parser.cpp:3130
        #44 0x18a12fe in parse_smt2_commands(cmd_context&, std::istream&, bool, params_ref const&, char const*) ../src/parsers/smt2/smt2parser.cpp:3179
        #45 0x41efab in read_smtlib2_commands(char const*) ../src/shell/smtlib_frontend.cpp:89
        #46 0x415a9e in main ../src/shell/main.cpp:352
        #47 0x7f65a714482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #48 0x414808 in _start (/home/heqing/dependence/z3/build/z3+0x414808)
    
    0x603000057aa8 is located 24 bytes inside of 32-byte region [0x603000057a90,0x603000057ab0)
    freed by thread T0 here:
        #0 0x7f65a8044961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
        #1 0x253bf9c in memory::reallocate(void*, unsigned long) ../src/util/memory_manager.cpp:295
        #2 0x212548d in old_vector<dd::solver::equation*, false, unsigned int>::expand_vector() ../src/util/old_vector.h:87
        #3 0x2124abe in old_vector<dd::solver::equation*, false, unsigned int>::push_back(dd::solver::equation* const&) ../src/util/old_vector.h:419
        #4 0x2129020 in dd::simplifier::add_to_use(dd::solver::equation*, old_vector<old_ptr_vector<dd::solver::equation>, true, unsigned int>&) ../src/math/grobner/pdd_simplifier.cpp:350
        #5 0x2126789 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:156
        #6 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #7 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #8 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #9 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #10 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #11 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #12 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #13 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #14 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #15 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #16 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #17 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #18 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #19 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #20 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #21 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #22 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #23 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #24 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #25 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #26 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #27 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #28 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #29 0x19dff24 in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1023
    
    previously allocated by thread T0 here:
        #0 0x7f65a8044602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x253bdd5 in memory::allocate(unsigned long) ../src/util/memory_manager.cpp:268
        #2 0x21251bc in old_vector<dd::solver::equation*, false, unsigned int>::expand_vector() ../src/util/old_vector.h:65
        #3 0x2124abe in old_vector<dd::solver::equation*, false, unsigned int>::push_back(dd::solver::equation* const&) ../src/util/old_vector.h:419
        #4 0x2129020 in dd::simplifier::add_to_use(dd::solver::equation*, old_vector<old_ptr_vector<dd::solver::equation>, true, unsigned int>&) ../src/math/grobner/pdd_simplifier.cpp:350
        #5 0x21292d0 in dd::simplifier::get_use_list() ../src/math/grobner/pdd_simplifier.cpp:375
        #6 0x21260c2 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:112
        #7 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #8 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #9 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #10 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #11 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #12 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #13 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #14 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #15 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #16 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #17 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #18 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #19 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #20 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #21 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #22 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #23 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #24 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #25 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #26 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #27 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #28 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #29 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
    
    SUMMARY: AddressSanitizer: heap-use-after-free ../src/math/grobner/pdd_simplifier.cpp:131 dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&)
    Shadow bytes around the buggy address:
      0x0c0680002f00: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
      0x0c0680002f10: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c0680002f20: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c0680002f30: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
      0x0c0680002f40: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
    =>0x0c0680002f50: fa fa fd fd fd[fd]fa fa 00 00 00 00 fa fa 00 00
      0x0c0680002f60: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
      0x0c0680002f70: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
      0x0c0680002f80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
      0x0c0680002f90: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      0x0c0680002fa0: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==42916==ABORTING

CVE-2020-19725: use after free in ../src/math/grobner/pdd_simplifier.cpp:131 · Issue #3363 · Z3Prover/z3

Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.

**概述**

**2019年09月10日， 华为AntiDDoS8000设备某荷兰数据中心局点捕获新型UDP反射放大攻击，反射源端口为1194。客户在AntiDDoS8000清洗设备上配置硬件过滤规则有效阻断了攻击。华为未然实验室通过对攻击流量深入分析，很快发现攻击流量来自在网络中开放的OpenVPN服务。**

OpenVPN是一个用于创建虚拟专用网络加密通道的软件包，最早由James Yonan编写。OpenVPN允许创建的VPN使用公开密钥、电子证书、或者用户名／密码来进行身份验证。

**攻击原理**

OpenVPN支持UDP、TCP两种隧道模式，默认使用UDP，在认证模式上支持Pre-sharedstatic key 和 TLS 两个模式，默认为TLS模式。

图1 TLS mode OpenVPN状态图（数据来源见参考资料1）  

OpenVPN有Data channel和Control channel两个通道，在UDP隧道模式下，Data channel的可靠性需要业务层自己维护，Control channel的可靠性则需要OpenVPN自己来维护，这也是问题的关键所在。通过分析OpenVPN可靠性实现代码，可以发现当OpenVPN发送出数据包后，若在超时时间内没有收到对应的确认包，则会进行多次数据重传，直到socket超时（默认30s）。超时时间计算逻辑有两种方式（见图2），一种是指数增长方式（默认配置），另一种是固定值（默认2秒）的方式。

图2 OpenVPN源码            

**攻击模拟**

根据图1所示，我们让客户端向服务器发送P\__CONTROL\__HARD\__RESET\__CLIENT\__V2__数据包，服务器则会响应__P\__CONTROL\__HARD\__RESET\__SERVER\__V2数据包，客户端对服务器响应的数据包不做P\_ACK\_V1应答，服务器便会对_P\__CONTROL\__HARD\__RESET\__SERVER\__V2数据包进行多次重传。

以下是P\__CONTROL\__HARD\__RESET\__CLIENT\__V2_数据包字符串的十六进制格式：

"\\x38\\x11\\xad\\x18\\x24\\xa7\\x8a\\xad\\x41\\x00\\x00\\x00\\x01\\x5d\\x85\\x8a"\\

"\\x31\\x65\\xc3\\x17\\xa6\\xe9\\x35\\x8b\\x51\\xcf\\xfb\\x6c\\xa5\\x1b\\xc4\\x08"\\

"\\x90\\x43\\xa1\\x6a\\xa7\\xa1\\x20\\xc8\\x69\\x37\\x85\\x60\\xe3\\x44\\xa6\\x4c"\\

"\\x33\\x3f\\xdc\\x86\\xd5\\x29"

图3 默认配置“指数增加超时时间”下OpenVPN服务遭受攻击时数据抓包  

图4 “固定超时时间”配置下OpenVPN服务遭受攻击时数据抓包  

根据图3、图4可见，服务器对未及时应答的数据包，会进行多次重传。根据该特性，结合UDP反射攻击手法，即可实现UDP反射放大攻击。为了更高效的利用反射源，客户端需要将每次请求的源端口设置为不一样，如果是同一个源端口，在30秒有效期内，将被忽略。

**放大倍数****指数增加超时时间方式**

如图3所示，客户端发送一个96字节的一个报文，服务器将在30秒内响应大小与请求包相当的5个数据包，所以放大倍数应该是 5 / 1 = **5**倍，同时流量的PPS也放大了**5**倍。

**固定超时时间方式**

如图4所示，客户端发送一个96字节的一个报文，服务器将在后续的30秒内，以0.5秒的间隔响应一个大小为与请求包相当的数据包，所以放大倍数应该是 30 / 0.5 = **60** 倍，同时流量的PPS也放大了**60**倍。

**攻击风险**

通过shodan网络空间搜索引擎查询，可以发现在网络空间有将近70万个对外开放的OpenVPN服务。如果攻击者利用这些OpenVPN服务进行UDP反射放大攻击，将会对被攻击者造成严重影响。

 图5 网络空间1194端口统计图（数据来源shodan）

**防范建议**

> 1、在大带宽的数据中心场景， 可以在专业Anti-DDoS设备或者边界路由上配置过滤规则(protocol udp, source port 1194, packetlength >= 56 Bytes)
> 
> 2、小带宽的企业数据中心当遭遇这种攻击时会引发链路带宽拥塞，只能靠上游云清洗过滤

**参考资料**

> Protocol state fuzzing of anOpenVPN
> 
> OpenVPN

**\*本文原创作者：null001，属于FreeBuf原创奖励计划，未经许可禁止转载**

CVE-2020-20813: OpenVPN服务被利用于UDP反射放大DDoS攻击 - FreeBuf网络安全行业门户

Cross Site Scripting (XSS) in Nagios XI 5.7.1 allows remote attackers to run arbitrary code via returnUrl parameter in a crafted GET request.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Nagios-XI-Reflected-XSS**

A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

**PoC**

To exploit vulnerability, someone could use a GET request to 'http://\[server\]/includes/components/ccm/' by manipulating 'returnUrl' parameter in the request body to impact users who open a maliciously crafted link or third-party web page.

    http://[server]/includes/components/ccm/?cmd=modify&id=1&page=1&returnUrl=%22%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&type=host

CVE-2020-23992: GitHub - EmreOvunc/Nagios-XI-Reflected-XSS: A reflected cross-site scripting (XSS) in Nagios XI 5.7.1 can result in an attacker performing malicious actions to users who open a maliciously crafted lin

A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

> tl;dr:  
> When Load RIFF format files, "size" is read from file. FreeImage seek file pos by "size", and function Validate will call LibRaw::open\_datastream with LibRaw\_freeimage\_datastream, it will call to LibRaw::parse\_riff. If "size" is a negative number(>0x7ffffffff), FreeImage will call LibRaw::parse\_riff function by itself, it eventually causing the stack to be filled.

When the program reads a RIFF format file, it will call to the Validate function of the 'PluginRAW.cpp' file , to validata format.

In Validate function, it will use LibRaw\_freeimage\_datastream to call LibRaw::open\_datastream

static BOOL DLL\_CALLCONV
Validate(FreeImageIO \*io, fi\_handle handle) {           //<---- io is LibRaw\_freeimage\_datastream
......
    // no magic signature : we need to open the file (it will take more time to identify it)
    // do not declare RawProcessor on the stack as it may be huge (300 KB)
    {
        LibRaw \*RawProcessor \= new(std::nothrow) LibRaw;

        if(RawProcessor) {
            BOOL bSuccess \= TRUE;

            // wrap the input datastream
            LibRaw\_freeimage\_datastream datastream(io, handle);

            // open the datastream
            if(RawProcessor->open\_datastream(&datastream) != LIBRAW\_SUCCESS) {     //<---- call LibRaw::open\_datastream
                bSuccess \= FALSE;   // LibRaw : failed to open input stream (unknown format)
            }

            // clean-up internal memory allocations
            RawProcessor-\>recycle();
            delete RawProcessor;

            return bSuccess;
        }
    }

    return FALSE;
}

And will call to LibRaw::parse\_riff function if file start with "RIFF".

FreeImaged.dll!LibRaw::parse\_riff()
FreeImaged.dll!LibRaw::identify()
FreeImaged.dll!LibRaw::open\_datastream(LibRaw\_abstract\_datastream \* stream)
FreeImaged.dll!Validate(FreeImageIO \* io, void \* handle)
FreeImaged.dll!FreeImage\_ValidateFIF(FREE\_IMAGE\_FORMAT fif, FreeImageIO \* io, void \* handle)
FreeImaged.dll!FreeImage\_GetFileTypeFromHandle(FreeImageIO \* io, void \* handle, int size)
FreeImaged.dll!FreeImage\_GetFileType(const char \* filename, int size)

In LibRaw::parse\_riff function, it call itslef by variable "tag". And the "tag" is read from file.

void LibRaw::parse\_riff()
{
  unsigned i, size, end;
  char tag\[4\], date\[64\], month\[64\];
  static const char mon\[12\]\[4\] \= {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
  struct tm t;

  order \= 0x4949;
  fread(tag, 4, 1, ifp);
  size \= get4();                                //<---- size read from file
  end \= ftell(ifp) + size;
  if (!memcmp(tag, "RIFF", 4) || !memcmp(tag, "LIST", 4))
  {
    int maxloop \= 1000;
    get4();
    while (ftell(ifp) + 7 < end && !feof(ifp) && maxloop\--)
      parse\_riff();                             //<---- call itself
  }
.......
  }
  else
    fseek(ifp, size, SEEK\_CUR);                 //<---- seek pos by size
}

function get4() just read four bytes.

unsigned LibRaw::get4()
{
  uchar str\[4\] \= {0xff, 0xff, 0xff, 0xff};
  fread(str, 1, 4, ifp);
  return sget4(str);
}

\_\_int64 is file default variable type at LibRaw\_bigfile\_buffered\_datastream in "libraw\_datastream.h"

class DllDef LibRaw\_bigfile\_buffered\_datastream : public LibRaw\_abstract\_datastream
{
public:
......
    virtual INT64 tell();
    virtual INT64 size() { return \_fsize; }
......
protected:
    INT64   readAt(void \*ptr, size\_t size, INT64 off);
......
    INT64 \_fsize;
    INT64 \_fpos; /\* current file position; current buffer start position \*/
......
};

But long is file default variable type at "LibRaw\_freeimage\_datastream" in FreeImageIO.cpp

unsigned DLL\_CALLCONV 
\_ReadProc(void \*buffer, unsigned size, unsigned count, fi\_handle handle) {
    return (unsigned)fread(buffer, size, count, (FILE \*)handle);
}

unsigned DLL\_CALLCONV 
\_WriteProc(void \*buffer, unsigned size, unsigned count, fi\_handle handle) {
    return (unsigned)fwrite(buffer, size, count, (FILE \*)handle);
}

int DLL\_CALLCONV
\_SeekProc(fi\_handle handle, long offset, int origin) {
    return fseek((FILE \*)handle, offset, origin);
}

long DLL\_CALLCONV
\_TellProc(fi\_handle handle) {
    return ftell((FILE \*)handle);
}

So if we let "size" to a negative number, the the file cursor pos could go back to begining of function.  
LibRaw::parse\_riff will call function by itself, it eventually causing the stack to be filled. An attacker can reach a remote denial of service attack by sending a specially constructed file.

windbg:

ModLoad: 00000001\`80000000 00000001\`80a65000   D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Dist\\x64\\FreeImaged.dll
ModLoad: 00007ffa\`f4430000 00007ffa\`f44bd000   C:\\Windows\\SYSTEM32\\MSVCP140.dll
ModLoad: 00007ffb\`5eda0000 00007ffb\`5edac000   C:\\Windows\\SYSTEM32\\VCRUNTIME140\_1.dll
ModLoad: 00007ffb\`7de50000 00007ffb\`7debb000   C:\\Windows\\System32\\WS2\_32.dll
ModLoad: 00007ffb\`69a60000 00007ffb\`69a7b000   C:\\Windows\\SYSTEM32\\VCRUNTIME140.dll
ModLoad: 00007ffb\`39170000 00007ffb\`391a7000   C:\\Windows\\SYSTEM32\\VCOMP140D.DLL
ModLoad: 00007ffb\`7dd20000 00007ffb\`7de4a000   C:\\Windows\\System32\\RPCRT4.dll
(4460.8c84): Break instruction exception \- code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffb\`7ed80770 cc              int     3
0:000\> g
(4460.8c84): Stack overflow \- code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FreeImaged!\_\_crt\_stdio\_stream::has\_any\_buffer+0x13:
00000001\`8058e103 e808000000      call    FreeImaged!\_\_crt\_stdio\_stream::has\_any\_of (00000001\`8058e110)
0:000\> k
 # Child\-SP          RetAddr               Call Site
00 000000a9\`09a03ff0 00000001\`805a2947     FreeImaged!\_\_crt\_stdio\_stream::has\_any\_buffer+0x13 \[minkernel\\crts\\ucrt\\inc\\corecrt\_internal\_stdio.h @ 221\] 
01 000000a9\`09a04020 00000001\`805a31c0     FreeImaged!\_fread\_nolock\_s+0x2b7 \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 93\] 
02 000000a9\`09a04100 00000001\`805a307d     FreeImaged!fread\_s+0x130 \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 56\] 
03 000000a9\`09a04150 00000001\`8000f564     FreeImaged!fread+0x3d \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 240\] 
04 000000a9\`09a04190 00000001\`8005192b     FreeImaged!\_ReadProc+0x34 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\FreeImage\\FreeImageIO.cpp @ 33\] 
05 000000a9\`09a041c0 00000001\`802f1bf1     FreeImaged!LibRaw\_freeimage\_datastream::read+0x3b \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\FreeImage\\PluginRAW.cpp @ 67\] 
06 000000a9\`09a041f0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x81 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 256\] 
07 000000a9\`09a043b0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
08 000000a9\`09a04570 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
09 000000a9\`09a04730 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0a 000000a9\`09a048f0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0b 000000a9\`09a04ab0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0c 000000a9\`09a04c70 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 

TestFile:

data:image/raw;base64,UklGRiAAAAAAAAAAMHg3OQAAAAAwMDAw5P///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\==

CVE-2021-40262: FreeImage / Bugs / #338 A stack buff overflower in function Validate() located in PluginRAW.cpp

Buffer Overflow vulnerability in ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remaote attackers to run arbitrary code via opening of crafted ogg file.

I use AddressSanitizer to build oggvideotools 0.9.1 and get segment fault as below. I use the command:  
oggLength <testcase>  
The testcase I used is put in the attachment.  
This software can also be installed by command apt install oggvideotools but the version is 0.8a-7, which can also get segment fault with the same testcase.</testcase>

MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
\=================================================================  
\==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050  
WRITE of size 4 at 0x60600000e4b8 thread T0  
#0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17  
#1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12  
#2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210  
#3 0x43b0c4 in oggLengthCmd(int, char\*\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#4 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#5 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#6 0x43aa78 in \_start (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x43aa78)</streamconfig,>

0x60600000e4b8 is located 0 bytes to the right of 56-byte region \[0x60600000e480,0x60600000e4b8)  
allocated by thread T0 here:  
#0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x4468b4 in \_\_gnu\_cxx::new\_allocator<streamconfig>::allocate(unsigned long, void const_) /usr/include/c++/5/ext/new\_allocator.h:104  
#2 0x4460b3 in std::allocator\_traits<std::allocator<streamconfig> >::allocate(std::allocator<streamconfig>&, unsigned long) /usr/include/c++/5/bits/alloc\_traits.h:491  
#3 0x4451fd in std::\_Vector\_base<streamconfig, std::allocator<streamconfig=""> >::\_M\_allocate(unsigned long) /usr/include/c++/5/bits/stl\_vector.h:170  
#4 0x443257 in std::vector<streamconfig, std::allocator<streamconfig=""> >::\_M\_default\_append(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x443257)  
#5 0x441d5e in std::vector<streamconfig, std::allocator<streamconfig=""> >::resize(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x441d5e)  
#6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206  
#7 0x43b0c4 in oggLengthCmd(int, char</streamconfig,></streamconfig,></streamconfig,></streamconfig,></streamconfig></std::allocator<streamconfig>_\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#8 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#9 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)</streamconfig>

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)  
Shadow bytes around the buggy address:  
0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c0c7fff9c90: 00 00 00 00 00 00 00\[fa\]fa fa fa fa 00 00 00 00  
0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa  
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa  
0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd  
0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa  
0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==32390==ABORTING

My system is:  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04

The software information:  
oggvideotools:  
Installed: 0.8a-7  
Candidate: 0.8a-7  
Version table:  
\*\*\* 0.8a-7 500  
500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages  
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages  
100 /var/lib/dpkg/status

ProblemType: Bug  
DistroRelease: Ubuntu 16.04  
Package: oggvideotools 0.8a-7  
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18  
Uname: Linux 4.15.0-66-generic x86\_64  
ApportVersion: 2.20.1-0ubuntu2.21  
Architecture: amd64  
CurrentDesktop: Unity  
Date: Thu Nov 14 19:56:47 2019  
InstallationDate: Installed on 2019-01-24 (293 days ago)  
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)  
SourcePackage: oggvideotools  
UpgradeStatus: No upgrade log present (probably fresh install)

**1 Attachments**