Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.

Skip to content

*   Review changes
    

*   
*   Download
    
*   
*   

Merged 4ugustus requested to merge waugustus/libtiff:issue-278 into master Mar 04, 2022

fix #278 (closed).

**Note that** I currently only do bounds checking on _out_ because I don't know how to do bounds checking on _in_ without changing the function parameters. But this fix works for this crash.

To add check for _in_, we need to do this,

    if (row * rowsize + s + spp * imagewidth * nrows > scanlinesize * imagelength)

where scanlinesize is assigned in tiffcp.c:1408,

    scanlinesize = TIFFRasterScanlineSize(in);

But _in_ (or named _tif_) is not accessible in _writeBufferToSeparateStrips_, so I have no idea how to check for this.

By the way, after testing with multiple files, I found that _stripsize_ and _scanlinesize_ always seem to be equal. If so, it will be easy to add bounds checking on _in_ as this,

    if (row * rowsize + s + spp * imagewidth * nrows > stripsize * imagelength)

Edited Mar 07, 2022 by 4ugustus

CVE-2022-0924: fix heap buffer overflow in tiffcp (#278) (!311) · Merge requests · libtiff / libtiff · GitLab

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-0891.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · fb58dca3
    
    🤖 GitLab Bot 🤖 authored Mar 09, 2022
    
    fb58dca3

CVE-2022-0891: 2022/CVE-2022-0891.json · master · GitLab.org / cves · GitLab

There is an incorrect buffer size calculation vulnerability in the video framework.Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the February 2022 Android security bulletin:

Critical: none

High: CVE-2020-13112, CVE-2020-13113, CVE-2021-39619, CVE-2021-39663, CVE-2021-39666, CVE-2021-39669, CVE-2021-39674, CVE-2021-39676, CVE-2021-39631, CVE-2021-35068, CVE-2021-35074, CVE-2021-35075, CVE-2021-35077, CVE-2021-35069

Medium: CVE-2021-30324, CVE-2021-30325

Low: none

Already included in previous updates: CVE-2021-39626, CVE-2021-39633, CVE-2021-39634, CVE-2021-0775, CVE-2021-1027, CVE-2021-1028, CVE-2021-1029, CVE-2021-0759, CVE-2021-0852

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40054: Integer underflow vulnerability in the atcmdserver module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40047: Vulnerability of memory not being released after effective lifetime in the Bastet module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40053: Permission control vulnerability in the Nearby module

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability and integrity.

CVE-2021-40052: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40051: Unauthorized access vulnerability in system components

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40050: Out-of-bounds read vulnerability in the IFAA module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause stack overflow.

CVE-2021-40049: Permission control vulnerability in the PMS module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.

CVE-2021-40048: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2021-40062: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40055: Man-in-the-middle attack vulnerability during system update download in recovery mode

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40061: Vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40060: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40059: Permission control vulnerability in the Wi-Fi module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40058: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40057: Heap-based and stack-based buffer overflow vulnerabilities in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40056: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40063: Improper access control vulnerability in the video module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40064: Heap-based buffer overflow vulnerability in system components

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect system stability.

CVE-2021-40011: Uncontrolled resource consumption vulnerability in the display module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40052: March

st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

@@ -316,6 +316,11 @@ int st21nfca\_connectivity\_event\_received(struct nfc\_hci\_dev \*hdev, u8 host, return -ENOMEM;  
transaction->aid\_len = skb->data\[1\];  
/\* Checking if the length of the AID is valid \*/ if (transaction->aid\_len > sizeof(transaction->aid)) return -EINVAL;  
memcpy(transaction->aid, &skb->data\[2\], transaction->aid\_len);  
@@ -325,6 +330,11 @@ int st21nfca\_connectivity\_event\_received(struct nfc\_hci\_dev \*hdev, u8 host, return -EPROTO;  
transaction->params\_len = skb->data\[transaction->aid\_len + 3\];  
/\* Total size is allocated (skb->len - 2) minus fixed array members \*/ if (transaction->params\_len > ((skb->len - 2) - sizeof(struct nfc\_evt\_transaction))) return -EINVAL;  
memcpy(transaction->params, skb->data + transaction->aid\_len + 4, transaction->params\_len);

CVE-2022-26490: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION · torvalds/linux@4fbcc1a

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

'1957616?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3575: Invalid Bug ID

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.

subtlv\_len \= tlv\_len \- ISIS\_ROUTER\_CAP\_SIZE;

while (subtlv\_len \> 2) {

uint8\_t msd\_type;

type \= stream\_getc(s);

length \= stream\_getc(s);

switch (type) {

case ISIS\_SUBTLV\_SID\_LABEL\_RANGE:

/\* Check that SRGB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* Only one SRGB is supported. Skip subsequent one \*/

if (rcap\->srgb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

rcap\->srgb.flags \= stream\_getc(s);

rcap\->srgb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srgb.lower\_bound \= stream\_get3(s);

else

rcap\->srgb.lower\_bound \= stream\_getl(s);

/\* SRGB sanity checks. \*/

if (rcap\->srgb.range\_size \== 0

|| (rcap\->srgb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srgb.lower\_bound + rcap\->srgb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRGB\\n");

rcap\->srgb.lower\_bound \= 0;

rcap\->srgb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_ALGORITHM:

/\* Only 2 algorithms are supported: SPF & Strict SPF \*/

stream\_get(&rcap\->algo, s,

length \> SR\_ALGORITHM\_COUNT

? SR\_ALGORITHM\_COUNT

: length);

if (length \> SR\_ALGORITHM\_COUNT)

stream\_forward\_getp(

s, length \- SR\_ALGORITHM\_COUNT);

break;

case ISIS\_SUBTLV\_SRLB:

/\* Check that SRLB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* RFC 8667 section #3.3: Only one SRLB is authorized \*/

if (rcap\->srlb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

/\* Ignore Flags which are not defined \*/

stream\_getc(s);

rcap\->srlb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srlb.lower\_bound \= stream\_get3(s);

else

rcap\->srlb.lower\_bound \= stream\_getl(s);

/\* SRLB sanity checks. \*/

if (rcap\->srlb.range\_size \== 0

|| (rcap\->srlb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srlb.lower\_bound + rcap\->srlb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRLB\\n");

rcap\->srlb.lower\_bound \= 0;

rcap\->srlb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_NODE\_MSD:

/\* Check that MSD is correctly formated \*/

if (length < MSD\_TLV\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

msd\_type \= stream\_getc(s);

rcap\->msd \= stream\_getc(s);

/\* Only BMI-MSD type has been defined in RFC 8491 \*/

if (msd\_type != MSD\_TYPE\_BASE\_MPLS\_IMPOSITION)

rcap\->msd \= 0;

/\* Only one MSD is standardized. Skip others \*/

if (length \> MSD\_TLV\_SIZE)

stream\_forward\_getp(s, length \- MSD\_TLV\_SIZE);

break;

default:

stream\_forward\_getp(s, length);

break;

}

subtlv\_len \= subtlv\_len \- length \- 2;

}

CVE-2022-26125: isisd: overflow bugs in unpack_tlv_router_cap · Issue #10507 · FRRouting/frr

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c.

**Comments**

 db-sca changed the title An incorrect check on length in babeld Incorrect checks on length in babeld

Feb 4, 2022

qingkaishi added a commit to qingkaishi/frr that referenced this issue

Feb 4, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

qingkaishi added a commit to qingkaishi/frr that referenced this issue

Feb 4, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

mergify bot pushed a commit that referenced this issue

Feb 8, 2022

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
(cherry picked from commit c379335)

plsaranya pushed a commit to plsaranya/frr that referenced this issue

Feb 28, 2022

 

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

patrasar pushed a commit to patrasar/frr that referenced this issue

Apr 28, 2022

 

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

gpnaveen pushed a commit to gpnaveen/frr that referenced this issue

Jun 7, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

CVE-2022-26128: Incorrect checks on length in babeld · Issue #10502 · FRRouting/frr

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.

The code below misses a check on the relationship between packetlen and bodylen before Line 298, which may lead to buffer overflows when accessing the memory at Line 300 and Line 309.

babel\_packet\_examin(const unsigned char \*packet, int packetlen)

{

unsigned i \= 0, bodylen;

const unsigned char \*message;

unsigned char type, len;

if(packetlen < 4 || packet\[0\] != 42 || packet\[1\] != 2)

return 1;

DO\_NTOHS(bodylen, packet + 2);

while (i < bodylen){

message \= packet + 4 + i;

type \= message\[0\];

if(type \== MESSAGE\_PAD1) {

i++;

continue;

}

if(i + 1 \> bodylen) {

debugf(BABEL\_DEBUG\_COMMON,"Received truncated message.");

return 1;

}

len \= message\[1\];

To fix, we may put the code below before the while loop:

    if (packetlen < bodylen + 4) {
        debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
        return 1; 
    }
    

The output of the address sanitizer:

    ==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
    READ of size 1 at 0x603000000114 thread T0
        #0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
        #1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9

CVE-2022-26127: Miss a check on length in Babel · Issue #10487 · FRRouting/frr

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

At Line 470 in the code below, we call yang_data_new, which will further call strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, then the bug disappears. Note that strdup should be used with a C-string.

In the same file, isis_nb_notifications.c, there are **8 places** where yang_data_new are used with raw_pdu and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

void isis\_notif\_id\_len\_mismatch(const struct isis\_circuit \*circuit,

uint8\_t rcv\_id\_len, const char \*raw\_pdu,

size\_t raw\_pdu\_len)

{

const char \*xpath = "/frr-isisd:id-len-mismatch";

struct list \*arguments = yang\_data\_list\_new();

char xpath\_arg\[XPATH\_MAXLEN\];

struct yang\_data \*data;

struct isis\_area \*area = circuit->area;

notif\_prep\_instance\_hdr(xpath, area, "default", arguments);

notif\_prepr\_iface\_hdr(xpath, circuit, arguments);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/pdu-field-len", xpath);

data = yang\_data\_new\_uint8(xpath\_arg, rcv\_id\_len);

listnode\_add(arguments, data);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/raw-pdu", xpath);

data = yang\_data\_new(xpath\_arg, raw\_pdu);

listnode\_add(arguments, data);

What follows is the output of the address sanitizer:

    ==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
    READ of size 23 at 0x7ffe596a3a76 thread T0
        #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
        #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
        #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
        #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3

CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

'1973689?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#buffer_overflow