There is an incorrect buffer size calculation vulnerability in the video framework.Successful exploitation of this vulnerability may affect availability.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the February 2022 Android security bulletin:

Critical: none

High: CVE-2020-13112, CVE-2020-13113, CVE-2021-39619, CVE-2021-39663, CVE-2021-39666, CVE-2021-39669, CVE-2021-39674, CVE-2021-39676, CVE-2021-39631, CVE-2021-35068, CVE-2021-35074, CVE-2021-35075, CVE-2021-35077, CVE-2021-35069

Medium: CVE-2021-30324, CVE-2021-30325

Low: none

Already included in previous updates: CVE-2021-39626, CVE-2021-39633, CVE-2021-39634, CVE-2021-0775, CVE-2021-1027, CVE-2021-1028, CVE-2021-1029, CVE-2021-0759, CVE-2021-0852

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40054: Integer underflow vulnerability in the atcmdserver module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40047: Vulnerability of memory not being released after effective lifetime in the Bastet module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40053: Permission control vulnerability in the Nearby module

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability and integrity.

CVE-2021-40052: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40051: Unauthorized access vulnerability in system components

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40050: Out-of-bounds read vulnerability in the IFAA module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause stack overflow.

CVE-2021-40049: Permission control vulnerability in the PMS module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.

CVE-2021-40048: Incorrect buffer size calculation vulnerability in the video framework

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2021-40062: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40055: Man-in-the-middle attack vulnerability during system update download in recovery mode

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40061: Vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40060: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40059: Permission control vulnerability in the Wi-Fi module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40058: Heap-based buffer overflow vulnerability in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40057: Heap-based and stack-based buffer overflow vulnerabilities in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40056: Vulnerability of copying input buffer without checking its size in the video framework

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2021-40063: Improper access control vulnerability in the video module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40064: Heap-based buffer overflow vulnerability in system components

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect system stability.

CVE-2021-40011: Uncontrolled resource consumption vulnerability in the display module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect integrity.

CVE-2021-40052: March

st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

@@ -316,6 +316,11 @@ int st21nfca\_connectivity\_event\_received(struct nfc\_hci\_dev \*hdev, u8 host, return -ENOMEM;  
transaction->aid\_len = skb->data\[1\];  
/\* Checking if the length of the AID is valid \*/ if (transaction->aid\_len > sizeof(transaction->aid)) return -EINVAL;  
memcpy(transaction->aid, &skb->data\[2\], transaction->aid\_len);  
@@ -325,6 +330,11 @@ int st21nfca\_connectivity\_event\_received(struct nfc\_hci\_dev \*hdev, u8 host, return -EPROTO;  
transaction->params\_len = skb->data\[transaction->aid\_len + 3\];  
/\* Total size is allocated (skb->len - 2) minus fixed array members \*/ if (transaction->params\_len > ((skb->len - 2) - sizeof(struct nfc\_evt\_transaction))) return -EINVAL;  
memcpy(transaction->params, skb->data + transaction->aid\_len + 4, transaction->params\_len);

CVE-2022-26490: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION · torvalds/linux@4fbcc1a

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

'1957616?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3575: Invalid Bug ID

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.

subtlv\_len \= tlv\_len \- ISIS\_ROUTER\_CAP\_SIZE;

while (subtlv\_len \> 2) {

uint8\_t msd\_type;

type \= stream\_getc(s);

length \= stream\_getc(s);

switch (type) {

case ISIS\_SUBTLV\_SID\_LABEL\_RANGE:

/\* Check that SRGB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* Only one SRGB is supported. Skip subsequent one \*/

if (rcap\->srgb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

rcap\->srgb.flags \= stream\_getc(s);

rcap\->srgb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srgb.lower\_bound \= stream\_get3(s);

else

rcap\->srgb.lower\_bound \= stream\_getl(s);

/\* SRGB sanity checks. \*/

if (rcap\->srgb.range\_size \== 0

|| (rcap\->srgb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srgb.lower\_bound + rcap\->srgb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRGB\\n");

rcap\->srgb.lower\_bound \= 0;

rcap\->srgb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_ALGORITHM:

/\* Only 2 algorithms are supported: SPF & Strict SPF \*/

stream\_get(&rcap\->algo, s,

length \> SR\_ALGORITHM\_COUNT

? SR\_ALGORITHM\_COUNT

: length);

if (length \> SR\_ALGORITHM\_COUNT)

stream\_forward\_getp(

s, length \- SR\_ALGORITHM\_COUNT);

break;

case ISIS\_SUBTLV\_SRLB:

/\* Check that SRLB is correctly formated \*/

if (length < SUBTLV\_RANGE\_LABEL\_SIZE

|| length \> SUBTLV\_RANGE\_INDEX\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

/\* RFC 8667 section #3.3: Only one SRLB is authorized \*/

if (rcap\->srlb.range\_size != 0) {

stream\_forward\_getp(s, length);

continue;

}

/\* Ignore Flags which are not defined \*/

stream\_getc(s);

rcap\->srlb.range\_size \= stream\_get3(s);

/\* Skip Type and get Length of SID Label \*/

stream\_getc(s);

size \= stream\_getc(s);

if (size \== ISIS\_SUBTLV\_SID\_LABEL\_SIZE)

rcap\->srlb.lower\_bound \= stream\_get3(s);

else

rcap\->srlb.lower\_bound \= stream\_getl(s);

/\* SRLB sanity checks. \*/

if (rcap\->srlb.range\_size \== 0

|| (rcap\->srlb.lower\_bound <= MPLS\_LABEL\_RESERVED\_MAX)

|| ((rcap\->srlb.lower\_bound + rcap\->srlb.range\_size \- 1)

\> MPLS\_LABEL\_UNRESERVED\_MAX)) {

sbuf\_push(log, indent, "Invalid label range. Reset SRLB\\n");

rcap\->srlb.lower\_bound \= 0;

rcap\->srlb.range\_size \= 0;

}

/\* Only one range is supported. Skip subsequent one \*/

size \= length \- (size + SUBTLV\_SR\_BLOCK\_SIZE);

if (size \> 0)

stream\_forward\_getp(s, length);

break;

case ISIS\_SUBTLV\_NODE\_MSD:

/\* Check that MSD is correctly formated \*/

if (length < MSD\_TLV\_SIZE) {

stream\_forward\_getp(s, length);

continue;

}

msd\_type \= stream\_getc(s);

rcap\->msd \= stream\_getc(s);

/\* Only BMI-MSD type has been defined in RFC 8491 \*/

if (msd\_type != MSD\_TYPE\_BASE\_MPLS\_IMPOSITION)

rcap\->msd \= 0;

/\* Only one MSD is standardized. Skip others \*/

if (length \> MSD\_TLV\_SIZE)

stream\_forward\_getp(s, length \- MSD\_TLV\_SIZE);

break;

default:

stream\_forward\_getp(s, length);

break;

}

subtlv\_len \= subtlv\_len \- length \- 2;

}

CVE-2022-26125: isisd: overflow bugs in unpack_tlv_router_cap · Issue #10507 · FRRouting/frr

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c.

**Comments**

 db-sca changed the title An incorrect check on length in babeld Incorrect checks on length in babeld

Feb 4, 2022

qingkaishi added a commit to qingkaishi/frr that referenced this issue

Feb 4, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

qingkaishi added a commit to qingkaishi/frr that referenced this issue

Feb 4, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

mergify bot pushed a commit that referenced this issue

Feb 8, 2022

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>
(cherry picked from commit c379335)

plsaranya pushed a commit to plsaranya/frr that referenced this issue

Feb 28, 2022

 

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

patrasar pushed a commit to patrasar/frr that referenced this issue

Apr 28, 2022

 

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

gpnaveen pushed a commit to gpnaveen/frr that referenced this issue

Jun 7, 2022

…n length

This patch repairs the checking conditions on length in four functions:
babel\_packet\_examin, parse\_hello\_subtlv, parse\_ihu\_subtlv, and parse\_update\_subtlv

Signed-off-by: qingkaishi <qingkaishi@gmail.com>

CVE-2022-26128: Incorrect checks on length in babeld · Issue #10502 · FRRouting/frr

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.

The code below misses a check on the relationship between packetlen and bodylen before Line 298, which may lead to buffer overflows when accessing the memory at Line 300 and Line 309.

babel\_packet\_examin(const unsigned char \*packet, int packetlen)

{

unsigned i \= 0, bodylen;

const unsigned char \*message;

unsigned char type, len;

if(packetlen < 4 || packet\[0\] != 42 || packet\[1\] != 2)

return 1;

DO\_NTOHS(bodylen, packet + 2);

while (i < bodylen){

message \= packet + 4 + i;

type \= message\[0\];

if(type \== MESSAGE\_PAD1) {

i++;

continue;

}

if(i + 1 \> bodylen) {

debugf(BABEL\_DEBUG\_COMMON,"Received truncated message.");

return 1;

}

len \= message\[1\];

To fix, we may put the code below before the while loop:

    if (packetlen < bodylen + 4) {
        debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
        return 1; 
    }
    

The output of the address sanitizer:

    ==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
    READ of size 1 at 0x603000000114 thread T0
        #0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
        #1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9

CVE-2022-26127: Miss a check on length in Babel · Issue #10487 · FRRouting/frr

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

At Line 470 in the code below, we call yang_data_new, which will further call strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, then the bug disappears. Note that strdup should be used with a C-string.

In the same file, isis_nb_notifications.c, there are **8 places** where yang_data_new are used with raw_pdu and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

void isis\_notif\_id\_len\_mismatch(const struct isis\_circuit \*circuit,

uint8\_t rcv\_id\_len, const char \*raw\_pdu,

size\_t raw\_pdu\_len)

{

const char \*xpath = "/frr-isisd:id-len-mismatch";

struct list \*arguments = yang\_data\_list\_new();

char xpath\_arg\[XPATH\_MAXLEN\];

struct yang\_data \*data;

struct isis\_area \*area = circuit->area;

notif\_prep\_instance\_hdr(xpath, area, "default", arguments);

notif\_prepr\_iface\_hdr(xpath, circuit, arguments);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/pdu-field-len", xpath);

data = yang\_data\_new\_uint8(xpath\_arg, rcv\_id\_len);

listnode\_add(arguments, data);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/raw-pdu", xpath);

data = yang\_data\_new(xpath\_arg, raw\_pdu);

listnode\_add(arguments, data);

What follows is the output of the address sanitizer:

    ==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
    READ of size 23 at 0x7ffe596a3a76 thread T0
        #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
        #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
        #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
        #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3

CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

'1973689?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3610: Invalid Bug ID

A systemd stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

Username \*

Email Address \*

Email Notifications

I want to receive an email when...

a reply is left to one of my comments

a comment is left on a topic that I commented on

a comment is left on any topic in the Help system

An email has been sent to verify your new profile.Please fill out all required fields before submitting your information.

CVE-2022-25293: Fireware Release Notes

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.

**4 comments on commit 4e889f9**

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

This test fails on Windows: https://github.com/vim/vim/runs/5279219272?check\_suite\_focus=true#step:13:7478

> Caught exception in Test\_vartabstop\_latin1(): Vim(set):E950: Cannot convert between cp1252 and iso-8859- @ command line..script D:/a/vim/vim/src/testdir/runtest.vim\[456\]..function RunTheTest\[44\]..Test\_vartabstop\_latin1, line 3

Maybe we should use set encoding=latin1 instead of set encoding=iso8859?

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

I created #9818, but it didn't work as expected...

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

wait a second, is iso8859 actually a valid encoding? Shouldn't it rather be iso8859-1 e.g. we are missing what kind of a iso-8859 encoding is used (latin1: -1, ... latin9: -15, etc)

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

Ah, that should be better.

Please sign in to comment.

Tag

#buffer_overflow