There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap blosmaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

@@ -26,6 +26,13 @@ extern "C" { /\* Workaround for JPEG header problems... \*/

#endif // HAVE\_LIBPNG

  

  

/\*

\* Limits...

\*/

  

#define IMAGE\_MAX\_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)

  

  

/\*

\* GIF definitions...

\*/

@@ -926,7 +933,7 @@ image\_load\_bmp(image\_t \*img, /\* I - Image to load into \*/

colors\_used = (int)read\_dword(fp);

read\_dword(fp);

  

if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info\_size < 0)

if (img->width <= 0 || img->width > IMAGE\_MAX\_DIM || img->height <= 0 || img->height > IMAGE\_MAX\_DIM || info\_size < 0)

return (-1);

  

if (info\_size > 40)

@@ -1278,7 +1285,7 @@ image\_load\_gif(image\_t \*img, /\* I - Image pointer \*/

img->height = (buf\[9\] << 8) | buf\[8\];

ncolors = 2 << (buf\[10\] & 0x07);

  

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)

if (img->width <= 0 || img->width > IMAGE\_MAX\_DIM || img->height <= 0 || img->height > IMAGE\_MAX\_DIM)

return (-1);

  

// If we are writing an encrypted PDF file, bump the use count so we create

@@ -1326,7 +1333,7 @@ image\_load\_gif(image\_t \*img, /\* I - Image pointer \*/

img->height = (buf\[7\] << 8) | buf\[6\];

img->depth = gray ? 1 : 3;

  

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)

if (img->width <= 0 || img->width > IMAGE\_MAX\_DIM || img->height <= 0 || img->height > IMAGE\_MAX\_DIM)

return (-1);

  

if (transparent >= 0)

@@ -1443,6 +1450,12 @@ JSAMPROW row; /\* Sample row pointer \*/

img->height = (int)cinfo.output\_height;

img->depth = (int)cinfo.output\_components;

  

if (img->width <= 0 || img->width > IMAGE\_MAX\_DIM || img->height <= 0 || img->height > IMAGE\_MAX\_DIM)

{

jpeg\_destroy\_decompress(&cinfo);

return (-1);

}

  

if (!load\_data)

{

jpeg\_destroy\_decompress(&cinfo);

@@ -1598,6 +1611,12 @@ image\_load\_png(image\_t \*img, /\* I - Image pointer \*/

img->width = (int)png\_get\_image\_width(pp, info);

img->height = (int)png\_get\_image\_height(pp, info);

  

if (img->width <= 0 || img->width > IMAGE\_MAX\_DIM || img->height <= 0 || img->height > IMAGE\_MAX\_DIM)

{

png\_destroy\_read\_struct(&pp, &info, NULL);

return (-1);

}

  

if (color\_type & PNG\_COLOR\_MASK\_ALPHA)

{

if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)

CVE-2022-27114: Fix a potential integer overflow bug in the JPEG and PNG loaders (Iss… · michaelrsweet/htmldoc@31f7804

ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

@@ -451,6 +451,8 @@ static Image \*ReadCINImage(const ImageInfo \*image\_info,ExceptionInfo \*exception)

image->endian\=(magick\[0\] == 0x80) && (magick\[1\] == 0x2a) &&

(magick\[2\] == 0x5f) && (magick\[3\] == 0xd7) ? MSBEndian : LSBEndian;

cin.file.image\_offset\=ReadBlobLong(image);

if (cin.file.image\_offset < 712)

ThrowReaderException(CorruptImageError,"ImproperImageHeader");

offset+=4;

cin.file.generic\_length\=ReadBlobLong(image);

offset+=4;

CVE-2022-28463: https://github.com/ImageMagick/ImageMagick/issues/4988 · ImageMagick/ImageMagick6@e6ea587

CVE-2022-28463

Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution

**Description**

Heap-based Buffer Overflow in function cmdline\_erase\_chars at ex\_getln.c:1085

**POC**

    ./vim -u NONE -X -Z -e -s -S ./poc_h1.dat -c :qa!
    =================================================================
    ==3840814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000087f at pc 0x00000088665a bp 0x7fffffff67e0 sp 0x7fffffff67d8
    READ of size 1 at 0x60b00000087f thread T0
        #0 0x886659 in cmdline_erase_chars /home/fuzz/vim/vim-master/src/ex_getln.c:1085:22
        #1 0x86c472 in getcmdline_int /home/fuzz/vim/vim-master/src/ex_getln.c:2029:12
        #2 0x86483e in getcmdline /home/fuzz/vim/vim-master/src/ex_getln.c:1571:12
        #3 0x872ce6 in getexline /home/fuzz/vim/vim-master/src/ex_getln.c:2853:12
        #4 0x7e3982 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:875:46
        #5 0xb70283 in nv_colon /home/fuzz/vim/vim-master/src/normal.c:3191:19
        #6 0xb45243 in normal_cmd /home/fuzz/vim/vim-master/src/normal.c:930:5
        #7 0x82eefe in exec_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8753:6
        #8 0x82e728 in exec_normal_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:8716:5
        #9 0x82e2d9 in ex_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8634:6
        #10 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
        #11 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
        #12 0xe88e0c in do_source_ext /home/fuzz/vim/vim-master/src/scriptfile.c:1674:5
        #13 0xe85866 in do_source /home/fuzz/vim/vim-master/src/scriptfile.c:1801:12
        #14 0xe8519c in cmd_source /home/fuzz/vim/vim-master/src/scriptfile.c:1174:14
        #15 0xe8487e in ex_source /home/fuzz/vim/vim-master/src/scriptfile.c:1200:2
        #16 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
        #17 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
        #18 0x7e95f1 in do_cmdline_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:586:12
        #19 0x144d0a2 in exe_commands /home/fuzz/vim/vim-master/src/main.c:3108:2
        #20 0x144922d in vim_main2 /home/fuzz/vim/vim-master/src/main.c:780:2
        #21 0x143e484 in main /home/fuzz/vim/vim-master/src/main.c:432:12
        #22 0x7ffff78260b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41fe5d in _start (/home/fuzz/fuzz-vim/vim-master/src/vim+0x41fe5d)
    
    0x60b00000087f is located 1 bytes to the left of 100-byte region [0x60b000000880,0x60b0000008e4)
    allocated by thread T0 here:
        #0 0x49b0bd in malloc (/home/fuzz/fuzz-vim/vim-master/src/vim+0x49b0bd)
        #1 0x4cc79a in lalloc /home/fuzz/vim/vim-master/src/alloc.c:246:11
        #2 0x4cc67a in alloc /home/fuzz/vim/vim-master/src/alloc.c:151:12
        #3 0x876aa5 in alloc_cmdbuff /home/fuzz/vim/vim-master/src/ex_getln.c:3283:22
        #4 0x8807c0 in init_ccline /home/fuzz/vim/vim-master/src/ex_getln.c:1525:5
        #5 0x865080 in getcmdline_int /home/fuzz/vim/vim-master/src/ex_getln.c:1638:9
        #6 0x86483e in getcmdline /home/fuzz/vim/vim-master/src/ex_getln.c:1571:12
        #7 0x872ce6 in getexline /home/fuzz/vim/vim-master/src/ex_getln.c:2853:12
        #8 0x7e3982 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:875:46
        #9 0xb70283 in nv_colon /home/fuzz/vim/vim-master/src/normal.c:3191:19
        #10 0xb45243 in normal_cmd /home/fuzz/vim/vim-master/src/normal.c:930:5
        #11 0x82eefe in exec_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8753:6
        #12 0x82e728 in exec_normal_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:8716:5
        #13 0x82e2d9 in ex_normal /home/fuzz/vim/vim-master/src/ex_docmd.c:8634:6
        #14 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
        #15 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
        #16 0xe88e0c in do_source_ext /home/fuzz/vim/vim-master/src/scriptfile.c:1674:5
        #17 0xe85866 in do_source /home/fuzz/vim/vim-master/src/scriptfile.c:1801:12
        #18 0xe8519c in cmd_source /home/fuzz/vim/vim-master/src/scriptfile.c:1174:14
        #19 0xe8487e in ex_source /home/fuzz/vim/vim-master/src/scriptfile.c:1200:2
        #20 0x7f7a25 in do_one_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:2567:2
        #21 0x7e49a5 in do_cmdline /home/fuzz/vim/vim-master/src/ex_docmd.c:992:17
        #22 0x7e95f1 in do_cmdline_cmd /home/fuzz/vim/vim-master/src/ex_docmd.c:586:12
        #23 0x144d0a2 in exe_commands /home/fuzz/vim/vim-master/src/main.c:3108:2
        #24 0x144922d in vim_main2 /home/fuzz/vim/vim-master/src/main.c:780:2
        #25 0x143e484 in main /home/fuzz/vim/vim-master/src/main.c:432:12
        #26 0x7ffff78260b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/vim-master/src/ex_getln.c:1085:22 in cmdline_erase_chars
    Shadow bytes around the buggy address:
      0x0c167fff80b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c167fff80c0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
      0x0c167fff80d0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c167fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c167fff80f0: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
    =>0x0c167fff8100: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa[fa]
      0x0c167fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
      0x0c167fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c167fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3840814==ABORTING
    
    

poc\_h1.dat

**Impact**

This vulnerabilities are capable of crashing software, modify memory, and possible remote execution

CVE-2022-1619: Heap-based Buffer Overflow in function cmdline_erase_chars in vim

Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution

Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Permalink

Browse files

patch 8.2.4895: buffer overflow with invalid command with composing c…

…hars

Problem:    Buffer overflow with invalid command with composing chars.
Solution:   Check that the whole character fits in the buffer.

*   Loading branch information

1 parent 5a7b6dc commit d88934406c5375d88f8f1b65331c9f0cab68cc6c

Showing with **16 additions** and **1 deletion**.

1.  +3 −1 src/ex\_docmd.c
2.  +11 −0 src/testdir/test\_cmdline.vim
3.  +2 −0 src/version.c

@@ -3435,14 +3435,16 @@ append\_command(char\_u \*cmd)

  

STRCAT(IObuff, ": ");

d = IObuff + STRLEN(IObuff);

while (\*s != NUL && d - IObuff < IOSIZE - 7)

while (\*s != NUL && d - IObuff \+ 5 < IOSIZE)

{

if (enc\_utf8 ? (s\[0\] == 0xc2 && s\[1\] == 0xa0) : \*s == 0xa0)

{

s += enc\_utf8 ? 2 : 1;

STRCPY(d, "<a0>");

d += 4;

}

else if (d - IObuff + (\*mb\_ptr2len)(s) + 1 >= IOSIZE)

break;

else

MB\_COPY\_CHAR(s, d);

}

@@ -3353,6 +3353,17 @@ func Test\_cmdline\_complete\_scriptnames()

set wildmenu&

endfunc

  

" this was going over the end of IObuff

func Test\_report\_error\_with\_composing()

let caught \= 'no'

try

exe repeat('0', 987) .. "0\\xdd\\x80\\xdd\\x80\\xdd\\x80\\xdd\\x80"

catch /E492:/

let caught \= 'yes'

endtry

call assert\_equal('yes', caught)

endfunc

  

" Test for expanding 2-letter and 3-letter :substitute command arguments.

" These commands don't accept an argument.

func Test\_cmdline\_complete\_substitute\_short()

@@ -746,6 +746,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

4895,

/\*\*/

4894,

/\*\*/

**0 comments on commit d889344**

Please sign in to comment.

CVE-2022-1616: patch 8.2.4895: buffer overflow with invalid command with composing c… · vim/vim@d889344

Use after free in append_command in GitHub repository vim/vim prior to 8.2. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Adobe After Effects versions 22.2.1 (and earlier) and 18.4.5 (and earlier) are affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in After Effects.

Security Updates Available for Adobe After Effects | APSB22-19

Bulletin ID

Date Published

Priority

ASPB22-19  

April 12, 2022    

3

**Summary**

Adobe has released an update for Adobe After Effects for Windows and macOS.  This update addresses  critical  security vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.         

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe After Effects

22.2.1 and earlier versions     

Windows and macOS

Adobe After Effects  

18.4.5 and earlier versions       

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe After Effects

22.3  

Windows and macOS

3

Download Center

Adobe After Effects  

18.4.6  

Windows and macOS

3

Download Center  

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution   

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-27783  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution   

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-27784  

**Acknowledgements**

Adobe would like to thank the following researchers for reporting these issues and for working with Adobe to help protect our customers:  

*   Yongjun Liu of nsfocus security team - CVE-2022-27783 and CVE-2022-27784

**Revisions: **

December 17, 2021: CVSS Base Scores updated for CVE-2021-44190, CVE-2021-44191, CVE-2021-44192, CVE-2021-44193, CVE-2021-44194, CVE-2021-44195, CVE-2021-44188  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-27784: Adobe Security Bulletin

In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.

Tag

#buffer_overflow