A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.

**#8260 closed defect (fixed)**

Reported by:

Owned by:

Priority:

normal

Component:

undetermined

Version:

git-master

Keywords:

asan

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There is a heap-buffer-overflow at libavfilter/vf\_edgedetect.c:153 in gaussian\_blur.  

I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.  
How to reproduce:  

% ffmpeg\_g -y -i $PoC -filter\_complex edgedetect -target dvd -loglevel 99 tmp.u32le

ffmpeg version N-95336-g4f4334bcbc Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's ASAN log  

\=================================================================
==24040==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000b681 at pc 0x0000004dcadc bp 0x7fffffffa750 sp 0x7fffffff9f00
WRITE of size 1 at 0x60900000b681 thread T0
    #0 0x4dcadb in \_\_asan\_memcpy (ffmpeg\_asan+0x4dcadb)
    #1 0xcd16cd in gaussian\_blur ffmpeg/libavfilter/vf\_edgedetect.c:153:5
    #2 0xcd16cd in filter\_frame ffmpeg/libavfilter/vf\_edgedetect.c:359
    #3 0x826e29 in ff\_filter\_activate\_default ffmpeg/libavfilter/avfilter.c:1071:11
    #4 0x826e29 in ff\_filter\_activate ffmpeg/libavfilter/avfilter.c:1430
    #5 0x86fd22 in push\_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #6 0x86fd22 in av\_buffersrc\_add\_frame\_internal ffmpeg/libavfilter/buffersrc.c:261
    #7 0x86e762 in av\_buffersrc\_add\_frame\_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #8 0x666407 in ifilter\_send\_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #9 0x666407 in send\_frame\_to\_filters ffmpeg/fftools/ffmpeg.c:2260
    #10 0x607666 in decode\_video ffmpeg/fftools/ffmpeg.c:2459:11
    #11 0x607666 in process\_input\_packet ffmpeg/fftools/ffmpeg.c:2613
    #12 0x644c58 in process\_input ffmpeg/fftools/ffmpeg.c:4303:23
    #13 0x5e7157 in transcode\_step ffmpeg/fftools/ffmpeg.c:4628:11
    #14 0x5e7157 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #15 0x5db65b in main ffmpeg/fftools/ffmpeg.c:4884:9
    #16 0x7ffff5c93b96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41def9 in \_start (ffmpeg\_asan+0x41def9)

0x60900000b681 is located 0 bytes to the right of 1-byte region \[0x60900000b680,0x60900000b681)
allocated by thread T0 here:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_asan+0x4de9e8)
    #1 0x8598211 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0xcdc71c in config\_props ffmpeg/libavfilter/vf\_edgedetect.c:137:29

SUMMARY: AddressSanitizer: heap-buffer-overflow (ffmpeg\_asan+0x4dcadb) in \_\_asan\_memcpy

Please confirm.  
Thanks

CVE-2020-22025: #8260 (heap-buffer-overflow at libavfilter/vf_edgedetect.c:153) – FFmpeg

A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences.

**#8309 closed defect (fixed)**

Reported by:

Owned by:

Priority:

important

Component:

undetermined

Version:

git-master

Keywords:

asan

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug:  
There is a heap-buffer-overflow at libavfilter/drawutils.c:341 in ff\_fill\_rectangle  

I compiled ffmpeg with "--toolchain=clang-asan" to check the memory corruption and attached log file.  
How to reproduce:  

% ffmpeg\_g -y -i $PoC  -filter\_complex oscilloscope tmp.mp3

ffmpeg version N-95450-g1d479300cb Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE\_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan

Here's ASAN log  

\=================================================================
==8790==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000001180 at pc 0x0000004dcadc bp 0x7ffc64ef8590 sp 0x7ffc64ef7d40
WRITE of size 4 at 0x611000001180 thread T0
    #0 0x4dcadb in \_\_asan\_memcpy (ffmpeg\_g+0x4dcadb)
    #1 0x1b12aad in ff\_fill\_rectangle ffmpeg/libavfilter/drawutils.c:341:13
    #2 0xbdb58b in oscilloscope\_filter\_frame ffmpeg/libavfilter/vf\_datascope.c:981:13
    #3 0x827129 in ff\_filter\_activate\_default ffmpeg/libavfilter/avfilter.c:1084:11
    #4 0x827129 in ff\_filter\_activate ffmpeg/libavfilter/avfilter.c:1443
    #5 0x86ffd5 in push\_frame ffmpeg/libavfilter/buffersrc.c:187:15
    #6 0x86ffd5 in av\_buffersrc\_add\_frame\_internal ffmpeg/libavfilter/buffersrc.c:261
    #7 0x86ea62 in av\_buffersrc\_add\_frame\_flags ffmpeg/libavfilter/buffersrc.c:170:16
    #8 0x666467 in ifilter\_send\_frame ffmpeg/fftools/ffmpeg.c:2186:11
    #9 0x666467 in send\_frame\_to\_filters ffmpeg/fftools/ffmpeg.c:2260
    #10 0x6076c6 in decode\_video ffmpeg/fftools/ffmpeg.c:2459:11
    #11 0x6076c6 in process\_input\_packet ffmpeg/fftools/ffmpeg.c:2613
    #12 0x64a767 in process\_input ffmpeg/fftools/ffmpeg.c:4508:5
    #13 0x5e71b7 in transcode\_step ffmpeg/fftools/ffmpeg.c:4628:11
    #14 0x5e71b7 in transcode ffmpeg/fftools/ffmpeg.c:4682
    #15 0x5db6bb in main ffmpeg/fftools/ffmpeg.c:4884:9
    #16 0x7fb30df9cb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41def9 in \_start (ffmpeg\_g+0x41def9)

0x611000001180 is located 64 bytes to the left of 143-byte region \[0x6110000011c0,0x61100000124f)
allocated by thread T0 here:
    #0 0x4de9e8 in posix\_memalign (ffmpeg\_g+0x4de9e8)
    #1 0x85c4251 in av\_malloc ffmpeg/libavutil/mem.c:87:9
    #2 0x852b181 in av\_buffer\_alloc ffmpeg/libavutil/buffer.c:72:12
    #3 0x852b181 in av\_buffer\_allocz ffmpeg/libavutil/buffer.c:85
    #4 0x852f9a6 in pool\_alloc\_buffer ffmpeg/libavutil/buffer.c:313:26
    #5 0x852f9a6 in av\_buffer\_pool\_get ffmpeg/libavutil/buffer.c:349
    #6 0x2ef33d2 in video\_get\_buffer ffmpeg/libavcodec/decode.c:1678:23
    #7 0x2ef33d2 in avcodec\_default\_get\_buffer2 ffmpeg/libavcodec/decode.c:1717
    #8 0x2efaedc in get\_buffer\_internal ffmpeg/libavcodec/decode.c:1945:11
    #9 0x2efaedc in ff\_get\_buffer ffmpeg/libavcodec/decode.c:1970

SUMMARY: AddressSanitizer: heap-buffer-overflow (ffmpeg\_g+0x4dcadb) in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c227fff81e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff81f0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c227fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8220: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8230:\[fa\]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8240: 00 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa
  0x0c227fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8270: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8790==ABORTING

Please confirm.  
Thanks

CVE-2020-22017: #8309 (heap-buffer-overflow at libavfilter/drawutils.c:341) – FFmpeg

A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

**Related Articles**

Product Affected

Pulse Connect Secure

Problem

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of the vulnerability:

**CVE**

**CVSS Score (V3.1)**

**Summary**

**Product Affected**

CVE-2021-22893

10 Critical  
3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license services.

  
PCS 9.0R3/9.1R1 and Higher  
 

CVE-2021-22894

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows a remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22899

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Command Injection in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated users to perform remote code execution via Windows File Resource Profiles.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22900

7.2 High  
3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

PCS:  
9.1Rx  
9.0Rx

Solution

**The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4.** 

**IMPORTANT NOTE:**  The latest Integrity Checker Utility found here must be run PRIOR to upgrading your PCS appliance to ensure your appliance has not been impacted.     

If the PCS version is installed:

Then deploy this version (or later) to resolve the issue:

Expected Release

Notes (if any)

Pulse Connect Secure 9.0RX & 9.1RX

Pulse Connect Secure 9.1R11.4

Available Now

**Known cert issue for browser clients if upgrading from any version below 9.1R8.  See** **KB44781**

_Document History:_  
April 20, 2021 - Initial advisory posted and workaround files posted under Download Centre.  
May 3, 2021 - Added 3 (CVE-2021-22894, CVE-2021-22899, CVE-2021-22900) additional CVE's and software posted to the Download Centre.  
May 25, 2021 - Highlighted upgrade process including running the Integrity Checker Utility prior to upgrade.

**LEGAL DISCLAIMER**

*   THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
*   A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.

Workaround

**CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.**

**Impact:** XML File disables the following features under PCS appliance.

*   Windows File Share Browser
*   Pulse Secure Collaboration

We are using the blacklisting feature to disable the URL-Based Attack.

**Download**

Download (Download Center at https://my.pulsesecure.net)

**Note:**

*   XML file is the zipped format, please unzip and then import the XML file.
*   Import of this XML into any one node of a Cluster is enough.

Customers can download and import the file under the following location:  
Go to Maintenance > Import/Export > Import XML. Import the file. 

*   This disables the Pulse Collaboration & Windows File Share browser functionality.
*   If there is a load balancer in front of the PCS, this may affect the Load Balancer.
    *   If your load balancer is using round-robin or using HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.

Disable the Windows File Browser and Pulse Collaboration on the Admin UI following the steps below,

*   Navigate to User > User Role > Click Default Option >> Click on General 
*   Under the Access Feature, make sure the "Files, Window" & "Meetings" options are not checked.
*   Go to Users > User Roles
*   Click on each role in turn and ensure under the Access Feature of each role, the **File, Windows** & **Meetings** options are not enabled.

There is no need to reboot or restart services under the Pulse Secure Appliance.

The URIs are as follows in case you want to block them at your network edge using an inline load balancer doing SSL decryption:

^/+dana/+meeting  
^/+dana/+fb/+smb  
^/+dana-cached/+fb/+smb  
^/+dana-ws/+namedusers  
^/+dana-ws/+metric

This is only possible if there is an inline load balancer that does SSL decryption.  

**NOTE:** When you apply the 9.1R11.4 release fix, please remove the workaround with the following steps:

*   Importing the attached file remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
*   Restore the previous settings for "Files, Windows" & "Meetings".

**Limitations:**

*   Workaround-2014.xml does not work 9.0R1 - 9.0R4.1 or 9.1R1-9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
*   The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions. 

Implementation

**Frequently Asked Questions (FAQ):**

**Question 1: Why do I need to run the latest version of the Integrity Checker Tool prior to upgrading to the latest PCS release?**  
Answer: Running the Integrity Checker Tool against unsupported PCS versions will not return scan results. Please see the ICT KB for details on the expected output.  To validate the supported versions of the Integrity Checker Tool against the supported PCS versions please visit KB44755 - Pulse Connect Secure (PCS) Integrity Assurance

**Question 1: What if I upgraded to 9.1r11.4 without running, or ran an unsupported version, of the Integrity Checker Tool?**  
Answer: Pulse Secure recommends rolling back to the previous version using the administrator console to run the latest version of Integrity Checker Tool given the nature of the threat actors ability to allow persistency throughout upgrade.  

1.  Take system offline 
    

2.  Roll back to previous version 
    

3.  Run ICT on previous version 
    

4.  If clean, then upgrade again 
    

5.  If file additions/mismatches are found follow the mitigation steps mentioned here:  KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements
    

NOTE: Only one rollback version is stored in the rollback partition.  I.E. if you upgraded from 9.1r11 to 9.1r11.3 then to 9.1r11.4 you will only be able to rollback to 9.1r11.3.    

**Question 3: I've already applied the XML do I need to install 9.1R11.4?**  
Answer: If you are on 9.1R9 or above and have applied the XML we are still recommending moving to 9.1R11.4 to fully patch against the latest vulnerabilities. 

If you are running any version below 9.1R9 even with the applied XML you are susceptible to old vulnerabilities so we highly recommend upgrading to 9.1R9 or R10 code branches with the applied XML or 9.1R11.4.

**Question 4: Will the device reboot after importing the XML File?**  
Answer: No, the Workaround-2104.xml file does not reboot or restart services under the Pulse Secure Appliance.

**Question 5: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?**  
**Answer:** No, we need to import Workaround-2104.xml under one node, the cluster will sync the configuration between nodes.

**Question 6:** ****How do I **upgrade Pulse Connect Secure** to resolve this vulnerability?****  
Answer:  Download a fixed version of the Pulse Connect Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:

*   Upgrade PCS Cluster
*   Upgrade PCS Standalone Device

**Question 7:  I do not have access to my.pulsesecure.net to download the recommended PCS version?**  
Answer: Please refer KB40031 to Onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

**Question 8:  How we can restore File Share & Meeting functionality post-upgrade to the 9.1R11.4 PCS version?**  
Answer: Post upgrade to PCS 9.1R11.4, Please import the remove-workaround-2104.xml to restore the settings.

*   Download the remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
    *   \# Once redirected to my.pulsesecure.net  
        \# Login to my.pulsesecure.net  
        \# Click Software Licensing and Download  
        \# Select Pulse License and Download Center  
        \# Software Download (LEFT)  
        \# Select the Product Line and Product Type as Pulse Connect Secure >>  
        \# Click on Download for "Pulse Connect Secure SA44784 Workaround XML"  
        \# Accept to compliance and Agreement  
        \# Select View detail under "ps-pcs-sa-44784-remove-workaround-2104.xml.zip"  
        \# Scroll down and click on Download.
*   Go to Maintenance > Import/Export > Import XML. Import the **remove-workaround-2104.xml.**
*   It will restore **Pulse Collaboration** & **Windows File Share** browser functionality.

CVSS Score

10 Critical 3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Alert Type

SA - Security Advisory

CVE-2021-22894: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

A flaw was found in libcaca. A buffer overflow of export.c in function export_troff might lead to memory corruption and other potential consequences.

'1948679?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-30499: Invalid Bug ID

A flaw was found in PoDoFo 0.9.7. A stack-based buffer overflow in PdfEncryptMD5Base::ComputeOwnerKey function in PdfEncrypt.cpp is possible because of a improper check of the keyLength value.

'1947458?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-30472: Invalid Bug ID

A flaw was found in libcaca. A heap buffer overflow in export.c in function export_tga might lead to memory corruption and other potential consequences.

'1948675?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-30498: Invalid Bug ID

Trend Micro Home Network Security version 6.6.604 and earlier is vulnerable to an iotcl stack-based buffer overflow vulnerability which could allow an attacker to issue a specially crafted iotcl to escalate privileges on affected devices. An attacker must first obtain the ability to execute low-privileged code on the target device in order to exploit this vulnerability.

**Summary**

A privilege escalation vulnerability exists in the tdts.ko chrdev\_ioctl\_handle functionality of Trend Micro, Inc. Home Network Security 6.1.567. A specially crafted ioctl can lead to increased privileges. An attacker can issue an ioctl to trigger this vulnerability.

**Tested Versions**

Trend Micro, Inc. Home Network Security 6.1.567

**Product URLs**

https://www.trendmicro.com/en\_us/forHome/products/homenetworksecurity.html

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

This vulnerability is caused by the lack of input validation on a user’s ioctl request from user land. The upper 16 bits from the ioctl request (AND with 0x3FFF, so 14 bits total) are blindly used as input to __memzero to a stack-based buffer in kernel space. The stack-based buffer is smaller than the maximum ioctl request copy size of 0x3FFF and thus overflows. A user can leverage this to write \\x00 to a large portion of the kernel stack causing a kernel panic and in turn, a denial of service. This could potentially also be leveraged into a privilege escalation vulnerability.

    chrdev_ioctl_handle:
    0000074c  10402de9   push    {r4, lr} {__saved_lr} {__saved_r4}
    00000750  5034e7e7   ubfx    r3, r0, #0x8, #0x8
    00000754  be0053e3   cmp     r3, #0xbe
    00000758  1800e013   mvnne   r0, #0x18  {0xffffffe7}
    0000075c  38d04de2   sub     sp, sp, #0x38
    00000760  2900001a   bne     0x80c
    
    // Check that the bits 8-15 are 0xbe in the IOCTL request
    00000764  ff0010e3   tst     r0, #0xff
    00000768  1500e003   mvneq   r0, #0x15  {0xffffffea}
    0000076c  2600000a   beq     0x80c
    
    00000770  0d20a0e1   mov     r2, sp {var_40}
    00000774  000050e3   cmp     r0, #0
    00000778  7f3dc2e3   bic     r3, r2, #0x1fc0 {var_40}
    // Extract the size of the buffer encoded in the IOCTL request
    0000077c  5028ede7   ubfx    r2, r0, #0x10, #0xe
    00000780  3f30c3e3   bic     r3, r3, #0x3f
    00000784  380000ba   blt     0x86c
    
    // Sanity checks to make sure that the encoded size is not negative
    0000086c  084093e5   ldr     r4, [r3,  #0x8]
    00000870  020091e0   add.s   r0, r1, r2
    00000874  0400d030   sbc.slo r0, r0, r4
    00000878  0040a033   movlo   r4, #0
    0000087c  000054e3   cmp     r4, #0
    00000880  c3ffff0a   beq     0x794
    
    00000794  083093e5   ldr     r3, [r3,  #0x8]
    00000798  020091e0   add.s   r0, r1, r2
    0000079c  0300d030   sbc.slo r0, r0, r3
    000007a0  0030a033   movlo   r3, #0
    000007a4  000053e3   cmp     r3, #0
    000007a8  2a00000a   beq     0x858
    
    // Ensure that r2 is not zero
    000007ac  000052e3   cmp     r2, #0
    000007b0  3400001a   bne     0x888
    
    // Vulnerable __memzero with user provided length and set size stack-buffer
    00000888  0d00a0e1   mov     r0, sp {var_40}
    0000088c  0210a0e1   mov     r1, r2
    00000890  b16901eb   bl      __memzero
    

**Crash Information**

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8faac000
    [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#1] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    PC is at 0x0
    LR is at 0x0
    pc : [<00000000>]    lr : [<00000000>]    psr: 00000013
    sp : 8fad3f28  ip : 00000000  fp : 7efffc24
    r10: 00000000  r9 : 8fad2000  r8 : 8fae9540
    r7 : 00000003  r6 : 8fae9540  r5 : ffffffff  r4 : 00000000
    r3 : 00000000  r2 : 00000000  r1 : ffffffff  r0 : fffffff2
    Flags: nzcv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6faac06a  DAC: 00000015
    Process poc2 (pid: 1539, stack limit = 0x8fad2238)
    Stack: (0x8fad3f28 to 0x8fad4000)
    3f20:                   00000000 00000000 00000000 00000000 00000000 00000000
    3f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3f80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fa0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fe0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    Code: bad PC value
    ---[ end trace 7b9adcd427e025e9 ]---
    Dec  2 21:12:17 Diamond user.alert kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000
    Dec  2 21:12:17 Diamond user.alert kernel: pgd = 8faac000
    Dec  2 21:12:17 Diamond user.alert kernel: [00000000] pgd=6b222831, pte=00000000, ppte=00000000
    Dec  2 21:12:17 Diamond user.emerg kernel: Internal error: Oops: 80000017 [#1] SMP ARM
    Dec  2 21:12:17 Diamond user.warn kernel: Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    Dec  2 21:12:17 Diamond user.warn kernel: CPU: 0 PID: 1539 Comm: poc2 Tainted: P           O 3.10.70 #2
    Dec  2 21:12:17 Diamond user.warn kernel: task: 8f966000 ti: 8fad2000 task.ti: 8fad2000
    Dec  2 21:12:17 Diamond user.warn kernel: PC is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: LR is at 0x0
    Dec  2 21:12:17 Diamond user.warn kernel: pc : [<00000000>]    lr : [<00000000>]    psr: 00000013Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 8fa68000
    [00000000] pgd=6f924831, pte=00000000, ppte=00000000
    Internal error: Oops: 80000017 [#2] SMP ARM
    Modules linked in: kmdiamond(O) tdtsudb(PO) tdts(PO)
    CPU: 0 PID: 559 Comm: syslogd Tainted: P      D    O 3.10.70 #2
    task: 8f92c3c0 ti: 8fa60000 task.ti: 8fa60000
    PC is at 0x0
    LR is at calltimerfn.isra.35+0x24/0x84
    pc : [<00000000>]    lr : [<8002cabc>]    psr: 60000113
    sp : 8fa61d90  ip : 00000000  fp : 00000004
    r10: 00000001  r9 : 80548894  r8 : 805140c0
    r7 : 00000000  r6 : 00000100  r5 : 8fa60000  r4 : 8fa60010
    r3 : 8fa61d90  r2 : 00000000  r1 : 00000000  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC32  ISA ARM  Segment user
    Control: 10c53c7d  Table: 6fa6806a  DAC: 00000015
    Process syslogd (pid: 559, stack limit = 0x8fa60238)
    Stack: (0x8fa61d90 to 0x8fa62000)
    1d80:                                     00000000 00000022 8f8059c0 80548080
    1da0: 8fa61db0 00000000 00200200 8002cc9c 8fa61db0 8fa61db0 ffffbfcc 00000101
    1dc0: 80514084 00000004 8fa60000 00000100 8fa60018 80026d2c 00000001 00015220
    1de0: 00000000 805106c0 80547e40 0000000a ffffbfcd 805140c0 80526524 00400040
    1e00: 00000000 60000193 00000022 00000000 f8200100 8f1d7e00 8f86f410 a0000013
    1e20: 8f87e061 80026ea4 80510cc4 800270e0 80510cc4 8000ee44 f820010c 8051a7f8
    1e40: 8fa61e60 8000857c 803aaf18 60000013 ffffffff 8fa61e94 8f1d7e00 8000db80
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff 801daa18 00000062 8f87e000 8f1d7e00 8fa00a70 8fa60010
    1ec0: 8fa00800 803c1ab8 8fae99c0 801c4b2c 00000000 8f87e000 00000000 8f1d7f4c
    1ee0: 8ad51000 00000000 8f92c3c0 800480dc 8f1d7f50 8f1d7f50 00000041 00000062
    1f00: 8f1d7e00 000be334 00000062 8fae99c0 00000000 8fa60000 8fa60000 801c1a04
    1f20: 8f442080 801c4860 8f1d2380 00000062 00000000 8fae99c0 00000062 000be334
    1f40: 8fa61f80 801c1bac 00000062 00000000 7ef0ac14 800bf350 8ad51000 8fae99c8
    1f60: 8f442080 8fae99c0 000be334 00000000 00000000 00000000 00000062 800bf8c4
    1f80: 00000000 00000000 00000000 000bde08 00000062 000be334 00000004 8000e0e8
    1fa0: 8fa60000 8000df40 000bde08 00000062 00000005 000be334 00000062 00000000
    1fc0: 000bde08 00000062 000be334 00000004 00000001 000bde40 00000062 7ef0ac14
    1fe0: 00000000 7ef0ab54 0001d488 76f0100c 60000010 00000005 00000000 00000000
    [<8002cabc>] (calltimerfn.isra.35+0x24/0x84) from [<8002cc9c>] (runtimersoftirq+0x180/0x204)
    [<8002cc9c>] (runtimersoftirq+0x180/0x204) from [<80026d2c>] (dosoftirq+0x108/0x1e0)
    [<80026d2c>] (dosoftirq+0x108/0x1e0) from [<80026ea4>] (dosoftirq+0x50/0x58)
    [<80026ea4>] (dosoftirq+0x50/0x58) from [<800270e0>] (irqexit+0x5c/0x94)
    [<800270e0>] (irqexit+0x5c/0x94) from [<8000ee44>] (handleIRQ+0x44/0x90)
    [<8000ee44>] (handleIRQ+0x44/0x90) from [<8000857c>] (gichandleirq+0x2c/0x5c)
    [<8000857c>] (gichandleirq+0x2c/0x5c) from [<8000db80>] (irqsvc+0x40/0x50)
    Exception stack(0x8fa61e60 to 0x8fa61ea8)
    1e60: 8f86f410 60000013 00000070 00006adc 00000000 8f819000 00000000 00000061
    1e80: 8f1d7e00 8f86f410 a0000013 8f87e061 00000000 8fa61ea8 801daac8 803aaf18
    1ea0: 60000013 ffffffff
    [<8000db80>] (irqsvc+0x40/0x50) from [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20)
    [<803aaf18>] (rawspinunlockirqrestore+0x1c/0x20) from [<801daac8>] (uartwrite+0xb0/0xd0)
    [<801daac8>] (uartwrite+0xb0/0xd0) from [<801c4b2c>] (nttywrite+0x2cc/0x450)
    [<801c4b2c>] (nttywrite+0x2cc/0x450) from [<801c1a04>] (ttywrite+0x10c/0x2b4)
    [<801c1a04>] (ttywrite+0x10c/0x2b4) from [<800bf350>] (vfswrite+0xb0/0x194)
    [<800bf350>] (vfswrite+0xb0/0x194) from [<800bf8c4>] (SySwrite+0x3c/0x78)
    [<800bf8c4>] (SySwrite+0x3c/0x78) from [<8000df40>] (retfastsyscall+0x0/0x30)
    Code: bad PC value
    ---[ end trace 7b9adcd427e025ea ]---
    Kernel panic - not syncing: Fatal exception in interrupt***
    

**Timeline**

2021-01-22 - Vendor Disclosure  
2021-04-06 - 75+ day follow up  
2021-04-20 - Talos granted timeline extension for disclosure  
2021-05-20 - Vendor Patched  
2021-05-24 - Public Release

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.

CVE-2021-32457: TALOS-2021-1230 || Cisco Talos Intelligence Group

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24().

'1956922?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25012: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter().

'1956918?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-25010: Invalid Bug ID

A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().

'1956926?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#buffer_overflow