Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.

****Describe the bug****

UndefinedBehaviorSanitizer: multiple signed integers overflow in the codebase. I attach different testcases that trigger different overflows.

****To Reproduce****

Built libsndfile using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 4b01368

****Example UBSAN Output****

    $ ./sndfile_alt_fuzzer id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
    INFO: Seed: 3120870912
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
    src/au.c:324:54: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:324:54 in 
    src/au.c:326:29: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:326:29 in 
    src/au.c:327:40: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:327:40 in 
    Executed id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0 in 1 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    
    or for example
    
    $ ./sndfile_alt_fuzzer id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
    INFO: Seed: 3162641945
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
    src/mat4.c:323:41: runtime error: signed integer overflow: -587202559 * 553648128 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in 
    src/mat4.c:323:48: runtime error: signed integer overflow: 553648128 * 8 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in 
    src/mat4.c:107:35: runtime error: signed integer overflow: 8 * -587202559 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:107:35 in 
    Executed id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4 in 1 ms
    

testcases:  
int overflow.zip

CVE-2022-33065: UndefinedBehaviorSanitizer: multiple signed integer overflow · Issue #833 · libsndfile/libsndfile

An Out of Bounds flaw was discovered in htmodoc 1.9.12 in function parse_tree() in toc.cxx, this possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.

Hi ,

In function parse\_tree() in toc.cxx, there is a out-of-bounds read bug.

If the value of heading_numbers[i] equal to 1000, then the heading_numbers[i] / 100 = 10 , but the length of array HUNDREDS and hundreds is 10, so out of bounds read occurred.

    232               case 'i' :
    233                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", hundreds[heading_numbers[i] / 100],     tens[(heading_numbers[i] / 10) % 10], ones[heading_numbers[i] % 10]);
    234                   break;
    235               case 'I' :
    236                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", HUNDREDS[heading_numbers[i] / 100],     TENS[(heading_numbers[i] / 10) % 10], ONES[heading_numbers[i] % 10]);
    237                   break;
    

**Version:**  
1.9.12 commit \[a5b87b9\]  
**Env:**  
ubuntu 20.04 x86\_64  
clang version 11.0.0

reproduce  
./configure  
make  
./htmldoc \[poc\]

oobr\_parse\_tree.poc.zip

\*\*more \*\*

gdb

    #3  0x00007ffff7a04f76 in __GI___snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:31
    #4  0x0000000000462ae9 in parse_tree (t=0xc50620) at toc.cxx:236
    #5  0x0000000000463047 in parse_tree (t=0xc500a0) at toc.cxx:375
    #6  0x0000000000463047 in parse_tree (t=0x99c9b0) at toc.cxx:375
    #7  0x0000000000463047 in parse_tree (t=0x968080) at toc.cxx:375
    #8  0x0000000000463047 in parse_tree (t=0x967900) at toc.cxx:375
    #9  0x0000000000463047 in parse_tree (t=0x9401c0) at toc.cxx:375
    #10 0x0000000000462439 in toc_build (tree=0x9401c0) at toc.cxx:81
    #11 0x000000000040cfa7 in main (argc=0x2, argv=0x7fffffffe368) at htmldoc.cxx:1275
    
    gef➤   p heading_numbers[i] / 100
    $24 = 0xa
    gef➤  p HUNDREDS[heading_numbers[i] / 100]
    $25 = 0x3131313131313149 <error: Cannot access memory at address 0x3131313131313149>
    
    
    

    ==311711== Invalid read of size 1
    ==311711==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==311711==    by 0x4CFCE94: __vfprintf_internal (vfprintf-internal.c:1688)
    ==311711==    by 0x4D10119: __vsnprintf_internal (vsnprintf.c:114)
    ==311711==    by 0x4CE5F75: snprintf (snprintf.c:31)
    ==311711==    by 0x462AE8: parse_tree(tree_str*) (toc.cxx:236)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x462438: toc_build (toc.cxx:81)
    ==311711==    by 0x40CFA6: main (htmldoc.cxx:1275)
    ==311711==  Address 0x3131313131313149 is not stack'd, malloc'd or (recently) free'd

CVE-2021-34121: Out of bounds read in function  · Issue #433 · michaelrsweet/htmldoc

An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts.

****Describe the bug****

UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF\_CUE\_POINT \[100\]' in wav.c:524

****To Reproduce****

Built libsndfile using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 4b01368

****UBSAN Output****

    $ ./sndfile_alt_fuzzer id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
    INFO: Seed: 3446105526
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
    src/wav.c:524:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:524:8 in 
    src/wav.c:525:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:525:8 in 
    src/wav.c:526:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:526:8 in 
    src/wav.c:527:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:527:8 in 
    src/wav.c:528:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:528:8 in 
    src/wav.c:529:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:529:8 in 
    src/wav.c:530:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:530:8 in 
    Executed id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2 in 2 ms
    

testcase:  
idx out of bound.zip

CVE-2022-33064: UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' · Issue #832 · libsndfile/libsndfile

Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.



**Solution**

 Fixed

Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.23.4).

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Broken Authentication vulnerability in WordPress OAuth Single Sign On – SSO (OAuth Client) Plugin. This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website. This vulnerability has been fixed in version 6.23.4.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2022-34155: WordPress OAuth Single Sign On – SSO (OAuth Client) plugin <= 6.23.3 - Broken Authentication vulnerability - Patchstack

An issue was discovered in asn1c through v0.9.28. A NULL pointer dereference exists in the function _default_error_logger() located in asn1fix.c. It allows an attacker to cause Denial of Service.

The crash is caused by this debug/error message:

https://github.com/vlm/asn1c/blob/v0.9.28/libasn1fix/asn1fix\_enum.c#L82

    FATAL("HERE HERE HERE", 1);
    

It looks like some temporary message added while debugging some issue, but that assumption is hard to confirm as it was included in the initial import to git.

The FATAL macro effectively expands to something like this:

    printf("HERE HERE HERE" " in %s", 1, source_file_name);
    

leading to %s format applied to argument 1 (i.e. pointer 0x1) instead of the file name string.

The most trivial fix is to remove extraneous , 1 argument. A better fix would be to remove the FATAL call completely if it's not needed, or user proper message if it is needed.

CVE-2020-23911: A Segmentation fault in asn1fix_enum.c:82:5 · Issue #394 · vlm/asn1c

The vulnerability could be locally exploited to allow escalation of privilege.

CVE-2023-30906

Stack-based buffer overflow vulnerability in asn1c through v0.9.28 via function genhash_get in genhash.c.

CVE-2020-23910: A stack overflow in genhash.c:506:7 causes Segmentation fault · Issue #396 · vlm/asn1c

Heap-based buffer over-read in function png_convert_4 in file pngex.cc in AdvanceMAME through 2.1.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Tickets ▾
    *   Patches
    *   Feature Requests
    *   Bugs
*   Discussion
*   Donate
*   Git ▾
    *   advancecd
    *   makebootfat

Menu ▾ ▴

Status: open

Owner: nobody

Priority: 5

Updated: 2020-08-06

Created: 2020-08-06

Private: No

**System info**

Ubuntu x86\_64, clang 6.0, advmng (latest master fcf71a)

**Command line**

./advmng -c -q -e -r -x @@

**AddressSanitizer output**

\=================================================================
\==46247\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x602000000075 at pc 0x0000004dff5d bp 0x7ffd0b37a770 sp 0x7ffd0b379f20
READ of size 260 at 0x602000000075 thread T0
    #0 0x4dff5c in \_\_asan\_memcpy /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23
    #1 0x543a90 in png\_convert\_4(unsigned int, unsigned int, unsigned int, unsigned char\*, unsigned int, unsigned char\*, unsigned int, unsigned char\*\*, unsigned int\*, unsigned int\*) /home/seviezhou/advancecomp/pngex.cc:433:4
    #2 0x52a28f in extract(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \> const&) /home/seviezhou/advancecomp/remng.cc:766:4
    #3 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #4 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #5 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #6 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291
    #7 0x41cec8 in \_start (/home/seviezhou/advancecomp/advmng+0x41cec8)

0x602000000075 is located 0 bytes to the right of 5\-byte region \[0x602000000070,0x602000000075)
allocated by thread T0 here:
    #0 0x4e10d8 in \_\_interceptor\_malloc /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:88
    #1 0x5715be in mng\_read\_ihdr /home/seviezhou/advancecomp/lib/mng.c:139:18
    #2 0x5715be in mng\_read /home/seviezhou/advancecomp/lib/mng.c:650
    #3 0x56dfa2 in adv\_mng\_read /home/seviezhou/advancecomp/lib/mng.c:748:9
    #4 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #5 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #6 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #7 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23 in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fd fa fa\[05\]fa
  0x0c047fff8010: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==46247\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-23909: AdvanceMAME / Bugs / #285 A heap overflow in pngex.cc:433:4

A vulnerability, which was classified as critical, was found in Blue Yonder postgraas_server up to 2.0.0b2. Affected is the function _create_pg_connection/create_postgres_db of the file postgraas_server/backends/postgres_cluster/postgres_cluster_driver.py of the component PostgreSQL Backend Handler. The manipulation leads to sql injection. Upgrading to version 2.0.0 is able to address this issue. The patch is identified as 7cd8d016edc74a78af0d81c948bfafbcc93c937c. It is recommended to upgrade the affected component. VDB-234246 is the identifier assigned to this vulnerability.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Harden the database creation against SQL injections

If using the PostgreSQL backend, database creation was previously vulnerable to SQL injections. This commit fixes these.

There are two tests which no longer behave as expected and have been disabled for now. They use usernames that previously broke the SQL statement but have now become valid. We might want to think about restricting the possible username somewhat again.

*   Loading branch information

CVE-2018-25088: Harden the database creation against SQL injections · blue-yonder/postgraas_server@7cd8d01

Cross-Site Request Forgery (CSRF) vulnerability in akhlesh-nagar, a.Ankit Social Media Icons Widget plugin <= 1.6 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Social Media Icons Widget Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Source

CVE