Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-19190: fuzzpoc/infotocap_poc6.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-04

Private: No

There is a heap-buffer-overflow in function LoadRGB of PluginDDS.cpp whick may cause a code execution or denial of service. Version of Freeimage is 3180. This vulneribility can be reproduced with the attachment image file.  
Asan log as below:

\==32112\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf4103e04 at pc 0x08087ebd bp 0xffc70e68 sp 0xffc70a40
WRITE of size 91 at 0xf4103e04 thread T0
    #0 0x8087ebc in fread (/home/FreeImage/test+0x8087ebc)
    #1 0x883a341 in \_ReadProc(void\*, unsigned int, unsigned int, void\*) /home/FreeImage/Source/FreeImage/FreeImageIO.cpp:32:19
    #2 0x815b75a in LoadRGB(tagDDSURFACEDESC2 const\*, FreeImageIO\*, void\*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:649:4
    #3 0x815b75a in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9
    #4 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #5 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #6 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8
    #7 0xf71fcfb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #8 0x806f8f5 in \_start (/home/FreeImage/test+0x806f8f5)

0xf4103e04 is located 0 bytes to the right of 1412\-byte region \[0xf4103880,0xf4103e04)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/test+0x80e6675)
    #1 0x812aa32 in FreeImage\_Aligned\_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19
    #2 0x812aa32 in FreeImage\_AllocateBitmap(int, unsigned char\*, unsigned int, FREE\_IMAGE\_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26
    #3 0x812b63f in FreeImage\_Allocate /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:487:9
    #4 0x815b159 in LoadRGB(tagDDSURFACEDESC2 const\*, FreeImageIO\*, void\*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp
    #5 0x815b159 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginDDS.cpp:869:9
    #6 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #7 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #8 0x811a7a0 in main /home/FreeImage/test.cpp.cpp:115:8
    #9 0xf71fcfb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16

SUMMARY: AddressSanitizer: heap\-buffer\-overflow (/home/FreeImage/test+0x8087ebc) in fread
Shadow bytes around the buggy address:
  0x3e820770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e820780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e820790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8207a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e8207b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x3e8207c0:\[04\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8207d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8207e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8207f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e820800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e820810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==32112\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21428: FreeImage / Bugs / #299 heap-buffer-overflow in function LoadRGB of PluginDDS.cpp

Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginBMP.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Code
*   Tickets ▾
    *   Feature Requests
    *   Patches
    *   Bugs
    *   Support Requests
*   News
*   Discussion
*   FreeImage

Menu ▾ ▴

Milestone: None

Status: pending

Labels: None

Priority: 5

Updated: 2021-04-04

Created: 2019-12-03

Private: No

There is a heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp whick may cause a code execution or denial of service.  
The asan log as below:

\=================================================================
\==28346\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf4b02ca0 at pc 0x081595db bp 0xff8e4b28 sp 0xff8e4b20
WRITE of size 1 at 0xf4b02ca0 thread T0
    #0 0x81595da in LoadPixelDataRLE8(FreeImageIO\*, void\*, int, int, FIBITMAP\*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22
    #1 0x8153442 in LoadWindowsBMP(FreeImageIO\*, void\*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:555:11
    #2 0x8153442 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
    #3 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #4 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #5 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #6 0xf7290fb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x806f8f5 in \_start (/home/FreeImage/test+0x806f8f5)

0xf4b02ca0 is located 0 bytes to the right of 544\-byte region \[0xf4b02a80,0xf4b02ca0)
allocated by thread T0 here:
    #0 0x80e6675 in malloc (/home/FreeImage/TestAPI/testAPI+0x80e6675)
    #1 0x812aa32 in FreeImage\_Aligned\_Malloc(unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:183:19
    #2 0x812aa32 in FreeImage\_AllocateBitmap(int, unsigned char\*, unsigned int, FREE\_IMAGE\_TYPE, int, int, int, unsigned int, unsigned int, unsigned int) /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:390:26
    #3 0x812b600 in FreeImage\_AllocateHeader /home/FreeImage/Source/FreeImage/BitmapAccess.cpp:482:9
    #4 0x8152bf1 in LoadWindowsBMP(FreeImageIO\*, void\*, int, unsigned int, int) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:494:11
    #5 0x8152bf1 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/FreeImage/Source/FreeImage/PluginBMP.cpp:1135:12
    #6 0x814d00b in FreeImage\_LoadFromHandle /home/FreeImage/Source/FreeImage/Plugin.cpp:388:24
    #7 0x814d00b in FreeImage\_Load /home/FreeImage/Source/FreeImage/Plugin.cpp:408:22
    #8 0x811a7a0 in main /home/FreeImage/test.cpp:115:8
    #9 0xf7290fb8 in \_\_libc\_start\_main /build/glibc\-jYPHgv/glibc\-2.30/csu/../csu/libc\-start.c:308:16

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/FreeImage/Source/FreeImage/PluginBMP.cpp:445:22 in LoadPixelDataRLE8(FreeImageIO\*, void\*, int, int, FIBITMAP\*)
Shadow bytes around the buggy address:
  0x3e960540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e960550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e960580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x3e960590: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa
  0x3e9605a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9605b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e9605e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==28346\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21427: FreeImage / Bugs / #298 heap-buffer-overflow in function LoadPixelDataRLE8 of PluginBMP.cpp

Buffer Overflow vulnerability in FreeImage_Load function in FreeImage Library 3.19.0(r1828) allows attackers to cuase a denial of service via crafted PFM file.

**SEGV in function Load() in PluginPFM.cpp****Summary:**

There is a SEGV in PluginPFM.cpp while loading image with FreeImage_Load function。

**Version Affected: 3.19.0 (r1828)****ASAN Details**

AddressSanitizer:DEADLYSIGNAL
\=================================================================
\==24231\==ERROR: AddressSanitizer: SEGV on unknown address 0x613fa5f646c0 (pc 0x0000005a86b3 bp 0x7ffee3d2c080 sp 0x7ffee3d2b8e0 T0)
\==24231\==The signal is caused by a WRITE memory access.
    #0 0x5a86b2 in Load(FreeImageIO\*, void\*, int, int, void\*) /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp
    #1 0x5252fc in FreeImage\_LoadFromHandle /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:388:24
    #2 0x52550c in FreeImage\_Load /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:408:22
    #3 0x50640c in main /home/src/freeimage-svn/FreeImage/trunk/load\-test.c:16:18
    #4 0x7f6f56aa6b6a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x26b6a)
    #5 0x428569 in \_start (/home/src/freeimage-svn/FreeImage/trunk/load\-test+0x428569)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/src/freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginPFM.cpp in Load(FreeImageIO\*, void\*, int, int, void\*)
\==24231\==ABORTING

**Reproduce**

To reproduce it ,compile FreeImage with ASAN. Then compile and execute the test file in the attachment as follows:

Clang++ \-g \-fsanitize\=address load\-test.c \-lfreeimage \-L. \-lm \-o load\-test
./load\-test SEGV\_PluginPFM\_cpp

**Credit**

ADLab of Venustech

CVE-2020-22524: FreeImage / Bugs / #319 SEGV in function Load() in PluginPFM.cpp

Buffer Overflow vulnerability in function H5S_close in H5S.c in HDF5 1.10.4 allows remote attackers to run arbitrary code via creation of crafted file.

CVE-2020-18232: PAAFS/vul2 at master · winson2004aa/PAAFS

CVE-2020-18494: PAAFS/vul12 at master · magicSwordsMan/PAAFS

Buffer Overflow vulnerability in WEBP_Support.cpp in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted webp file.

**Commit acee2894** authored Jul 27, 2019 by  **Hubert Figuiere**

Browse files

**Bug #12 - Invalid WebP cause memory overflow.**

#12

parent 53379ec2

*   Changes 1

Hide whitespace changes

Inline Side-by-side

Supports Markdown

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2020-18652: Bug #12 - Invalid WebP cause memory overflow. (acee2894) · Commits · libopenraw / exempi · GitLab

There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.

'2848?cve=title' is not a valid bug number.

Please press **Back** and try again.

CVE-2020-18768: Invalid Bug ID

Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

Heap buffer overflow vulnerability in FilePOSIX::read in File.cpp in audiofile 0.3.6 may cause denial-of-service via a crafted wav file, this bug can be triggered by the executable sfconvert.

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.  
poc.zip

$uname -a  
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86\_64 GNU/Linux

**$./sfconvert poc.wav output format wave  
asan:**

\==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38  
WRITE of size 2 at 0x61a00001f708 thread T0  
#0 0x7f64fd42ee54 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x45e54)  
#1 0x7f64fd14b8cb in FilePOSIX::read(void\*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126  
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353  
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375  
#4 0x7f64fd14ee93 in \_AFfilehandle::readS16(short\*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397  
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289  
#6 0x7f64fd171751 in WAVEFile::readInit(\_AFfilesetup\*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733  
#7 0x7f64fd18067e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356  
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#10 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#11 0x401568 in \_start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region \[0x61a00001f280,0x61a00001f708)  
allocated by thread T0 here:  
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x7f64fd14c4f1 in \_AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80  
#2 0x7f64fd18042e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337  
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#5 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??  
Shadow bytes around the buggy address:  
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c347fffbee0: 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==90086==ABORTING

Tag

#buffer_overflow