An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF\_IPMPX\_WatermarkingInit  
ASAN info:

\==26293\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86\_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf\_bs\_read\_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1517
    #4 0x7bc40d in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020
    #5 0x7beab7 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:293
    #6 0x7a97c9 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #7 0x795b43 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #9 0xad3e13 in esds\_Read isomedia/box\_code\_base.c:1256
    #10 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #11 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #12 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #13 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #14 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #15 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region \[0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1516
    #2 0x7bc3bf in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa\[01\]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26293==ABORTING

gdb info:

7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          \[vvar\]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          \[vdso\]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          \[stack\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in \_\_GI\_abort () at abort.c:89
#2  0x00007ffff73447ea in \_\_libc\_message (do\_abort=do\_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "\*\*\* Error in \`%s': %s: 0x%s \*\*\*\\n") at ../sysdeps/posix/libc\_fatal.c:175
#3  0x00007ffff734d37a in malloc\_printerr (ar\_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  \_int\_free (av=<optimized out>, p=<optimized out>, have\_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in \_\_GI\_\_\_libc\_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF\_IPMPX\_OpaqueData (\_p=<optimized out>) at odf/ipmpx\_code.c:1205
#7  gf\_ipmpx\_data\_del (\_p=\_p@entry=0x9cc760) at odf/ipmpx\_code.c:1835
#8  0x00000000005624bd in gf\_odf\_del\_ipmp (ipmp=0x9cc670) at odf/odf\_code.c:2390
#9  0x000000000055a031 in gf\_odf\_parse\_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc\_size=desc\_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf\_odf\_desc\_read (raw\_desc=raw\_desc@entry=0x9cc590 "\\v@\\377\\377\\377\\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf\_codec.c:302
#11 0x00000000006ca6f4 in esds\_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box\_code\_base.c:1256
#12 0x00000000005137e1 in gf\_isom\_box\_read (bs=0x9cb460, a=0x9cc550) at isomedia/box\_funcs.c:1528
#13 gf\_isom\_box\_parse\_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is\_root\_box=is\_root\_box@entry=GF\_TRUE, parent\_type=0) at isomedia/box\_funcs.c:208
#14 0x0000000000513e15 in gf\_isom\_parse\_root\_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/box\_funcs.c:42
#15 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/isom\_intern.c:206
#16 0x000000000051c48c in gf\_isom\_parse\_movie\_boxes (progressive\_mode=GF\_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom\_intern.c:194
#17 gf\_isom\_open\_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF\_IPMPX\_WatermarkingInit", OpenMode=0, tmp\_dir=0x0) at isomedia/isom\_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in \_start ()

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20161: AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 · Issue #1320 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex-2  
For POC-new-gf\_isom\_box\_parse\_ex  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex-2  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex  
ASAN info:

\==25783\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region \[0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:\[fa\]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf\_isom\_box\_parse\_ex-2

ASAN info：  
==25917\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region \[0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

**This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d**

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.

**Steps to Reproduce**

poc  
magick convert $poc ./test.sgi  
=================================================================  
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40  
WRITE of size 1 at 0x7f70c67db7f8 thread T0  
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051  
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #5 0x4100a1 in MagickMain utilities/magick.c:149  
    #6 0x410282 in main utilities/magick.c:180  
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)  
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)  
allocated by thread T0 here:  
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)  
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265  
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621  
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030  
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #8 0x4100a1 in MagickMain utilities/magick.c:149  
    #9 0x410282 in main utilities/magick.c:180  
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage  
Shadow bytes around the buggy address:  
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]  
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
 Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Heap right redzone:      fb  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack partial redzone:   f4  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
==41720==ABORTING

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org  
    Copyright: ? 1999-2019 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)   
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
*   Environment (Operating system, version and so on):  
    Distributor ID:	Ubuntu  
    Description:	Ubuntu 16.04.1 LTS  
    Release:	16.04  
    Codename:	xenial
*   Additional information:

CVE-2019-19948: heap-buffer-overflow in WriteSGIImage of coders/sgi.c · Issue #1562 · ImageMagick/ImageMagick

In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.

There is a heap-buffer-overflow in function ImportRLEPixels of coders/miff.c whick can be reproduced as below.  
gm convert ./heap-buffer-overflow\_ImportRLEPixels /dev/null

\=================================================================
==27431==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fed1 at pc 0x00000071ab86 bp 0x7ffcc60ecb20 sp 0x7ffcc60ecb10
WRITE of size 1 at 0x61500000fed1 thread T0
    #0 0x71ab85 in ImportRLEPixels coders/miff.c:428
    #1 0x729d09 in ReadMIFFImage coders/miff.c:1850
    #2 0x477730 in ReadImage magick/constitute.c:1607
    #3 0x421598 in ConvertImageCommand magick/command.c:4365
    #4 0x436b0d in MagickCommand magick/command.c:8889
    #5 0x45f2ca in GMCommandSingle magick/command.c:17434
    #6 0x45f516 in GMCommand magick/command.c:17487
    #7 0x40cc65 in main utilities/gm.c:61
    #8 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cb78 in \_start (/home/graphicsmagick-code/utilities/gm+0x40cb78)

0x61500000fed1 is located 0 bytes to the right of 465-byte region \[0x61500000fd00,0x61500000fed1)
allocated by thread T0 here:
    #0 0x7f5e5228b602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4df677 in MagickRealloc magick/memory.c:494
    #2 0x501826 in OpenCache magick/pixel\_cache.c:2497
    #3 0x507f01 in ModifyCache magick/pixel\_cache.c:4584
    #4 0x4fb19e in SetCacheNexus magick/pixel\_cache.c:922
    #5 0x508d90 in SetCacheViewPixels magick/pixel\_cache.c:4881
    #6 0x508e6a in SetImagePixels magick/pixel\_cache.c:4947
    #7 0x7298da in ReadMIFFImage coders/miff.c:1831
    #8 0x477730 in ReadImage magick/constitute.c:1607
    #9 0x421598 in ConvertImageCommand magick/command.c:4365
    #10 0x436b0d in MagickCommand magick/command.c:8889
    #11 0x45f2ca in GMCommandSingle magick/command.c:17434
    #12 0x45f516 in GMCommand magick/command.c:17487
    #13 0x40cc65 in main utilities/gm.c:61
    #14 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/miff.c:428 ImportRLEPixels
Shadow bytes around the buggy address:
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27431==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190423 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64-pc-linux-gnu

Configured using the command:
  ./configure  'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

CVE-2019-19951: GraphicsMagick / Bugs / #608 heap-buffer-overflow in ImportRLEPixels of coders/miff.c

In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.

There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.

/home/graphicsmagick/utilities/gm convert ./heap\-buffer\-overflow\-READ\-0x08417e7a.webp ./test.pct
\==9938\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568
READ of size 1 at 0xf12147ff thread T0
    #0 0x8417e79 in EncodeImage coders/pict.c:1067
    #1 0x8421228 in WritePICTImage coders/pict.c:2408
    #2 0x80c6919 in WriteImage magick/constitute.c:2245
    #3 0x80c728f in WriteImages magick/constitute.c:2404
    #4 0x8072623 in ConvertImageCommand magick/command.c:6135
    #5 0x807ea51 in MagickCommand magick/command.c:8880
    #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #7 0x80abc86 in GMCommand magick/command.c:17465
    #8 0x80511ea in main utilities/gm.c:61
    #9 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)
    #10 0x80510f0  (/home/graphicsmagick/utilities/gm+0x80510f0)

0xf12147ff is located 1 bytes to the left of 65536\-byte region \[0xf1214800,0xf1224800)
allocated by thread T0 here:
    #0 0xf72bbdee in malloc (/usr/lib/i386\-linux\-gnu/libasan.so.2+0x96dee)
    #1 0x8132492 in MagickMalloc magick/memory.c:174
    #2 0x841f32a in WritePICTImage coders/pict.c:2126
    #3 0x80c6919 in WriteImage magick/constitute.c:2245
    #4 0x80c728f in WriteImages magick/constitute.c:2404
    #5 0x8072623 in ConvertImageCommand magick/command.c:6135
    #6 0x807ea51 in MagickCommand magick/command.c:8880
    #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #8 0x80abc86 in GMCommand magick/command.c:17465
    #9 0x80511ea in main utilities/gm.c:61
    #10 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap\-buffer\-overflow coders/pict.c:1067 EncodeImage
Shadow bytes around the buggy address:
  0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==9938\==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot\-20191208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002\-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (\> 32 bit)   yes
  Large Memory (\> 32 bit)  no
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG\-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64\-pc\-linux\-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '\--enable-shared=no'

Final Build Parameters:
  CC       \= gcc
  CFLAGS   \= \-fopenmp \-g \-fsanitize\=address \-Wall \-pthread
  CPPFLAGS \= \-I/usr/include/freetype2 \-I/usr/include/libxml2
  CXX      \= g++
  CXXFLAGS \= \-pthread
  LDFLAGS  \= 
  LIBS     \= \-ljbig \-lwebp \-lwebpmux \-llcms2 \-ltiff \-lfreetype \-ljasper \-ljpeg \-lpng12 \-lwmflite \-lXext \-lSM \-lICE \-lX11 \-llzma \-lbz2 \-lxml2 \-lz \-lm \-lpthread

CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2019-18391: Red Hat Customer Portal - Access to 24x7 support and knowledge

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

Skip to content

GitLab 

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   virgl
*   virglrenderer
*   Merge requests
*   !314

**Fix fuzzer failures**

*   Review changes
    

*   
*   Download
    
*   Email patches
    
*   Plain diff
    

Merged Gert Wollny requested to merge gerddie/virglrenderer:fix-fuzzer-failures into master Oct 07, 2019

*   Overview 55
*   Commits 20
*   Pipelines 42
*   Changes 13

This series of patches improves the resource handling by checking the resource creation, blit, and sampler view parameters more thoroughly.

@MatthewShao

Edited Oct 08, 2019 by Gert Wollny

CVE-2019-18389: Fix fuzzer failures (!314) · Merge requests · virgl / virglrenderer · GitLab

Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Frederic Cambus

**Subject**:

Heap-based buffer overflow in the srcnext() function

**Date**:

Fri, 20 Dec 2019 19:00:59 +0100

Hi,

While fuzzing lout 3.40 with Honggfuzz, I found a heap-based buffer
overflow in the srcnext() function, in z02.c.

Attaching a reproducer (gzipped so it doesn't get mangled).

Issue can be reproduced by running:

\`\`\`
lout test01
\`\`\`

\`\`\`
=================================================================
==30030==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6260000000ff at pc 0x0000004d9b84 bp 0x7fff16458220 sp 0x7fff16458218
WRITE of size 1 at 0x6260000000ff thread T0
    #0 0x4d9b83 in srcnext /home/fcambus/lout-3.40/z02.c:381:26
    #1 0x4d37b2 in LexGetToken /home/fcambus/lout-3.40/z02.c:491:15
    #2 0x4f75fd in Parse /home/fcambus/lout-3.40/z06.c:819:7
    #3 0x4ce4b5 in run /home/fcambus/lout-3.40/z01.c:898:9
    #4 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
    #5 0x7f11f51731e2 in \_\_libc\_start\_main 
/build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #6 0x41b45d in \_start (/home/fcambus/lout-3.40/lout+0x41b45d)

0x6260000000ff is located 1 bytes to the left of 10243-byte region 
\[0x626000000100,0x626000002903)
allocated by thread T0 here:
    #0 0x49335d in malloc (/home/fcambus/lout-3.40/lout+0x49335d)
    #1 0x4d1c2d in LexPush /home/fcambus/lout-3.40/z02.c:240:29

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/fcambus/lout-3.40/z02.c:381:26 in srcnext
Shadow bytes around the buggy address:
  0x0c4c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0c4c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30030==ABORTING
\`\`\`

 **test01.gz**  
_Description:_ application/gunzip

*   **Heap-based buffer overflow in the srcnext() function**, _Frederic Cambus_ **<=**
    *   **Re: Heap-based buffer overflow in the srcnext() function**, _Frederic Cambus_, 2019/12/21

*   Prev by Date: **Re: Experiments with @Graph**
*   Next by Date: **Buffer overflow in the StringQuotedWord() function**
*   Previous by thread: **Re: Experiments with @Graph**
*   Next by thread: **Re: Heap-based buffer overflow in the srcnext() function**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2019-19918: Heap-based buffer overflow in the srcnext() function

A logic issue was addressed with improved state management. This issue is fixed in tvOS 13, iTunes for Windows 12.10.1, iCloud for Windows 10.7, iCloud for Windows 7.14. Processing maliciously crafted web content may lead to universal cross site scripting.

Released October 7, 2019

**CoreCrypto**

Available for: Windows 7 and later

Impact: Processing a large input may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added October 29, 2019

**CoreMedia**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8825: Found by GWP-ASan in Google Chrome

Entry added October 29, 2019

**Foundation**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry added October 29, 2019

**libxml2**

Available for: Windows 7 and later

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 29, 2019

**libxslt**

Available for: Windows 7 and later

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

**UIFoundation**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry updated October 29, 2019

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry updated October 29, 2019

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

CVE-2019-8719: About the security content of iTunes 12.10.1 for Windows

An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, watchOS 5.2. A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing.

Released March 25, 2019

**802.1X**

Available for: macOS Mojave 10.14.3

Impact: An attacker in a privileged network position may be able to intercept network traffic

Description: A logic issue was addressed with improved state management.

CVE-2019-6203: Dominic White of SensePost (@singe)

Entry added April 15, 2019

**802.1X**

Available for: macOS High Sierra 10.13.6

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

Entry added May 15, 2019

**Accounts**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted vcf file may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8538: Trevor Spiniolas (@TrevorSpiniolas)

Entry added April 3, 2019

**APFS**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2019-8534: Mac working with Trend Micro's Zero Day Initiative

Entry added April 15, 2019

**AppleGraphicsControl**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved size validation.

CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek\_wzw of Qihoo 360 Nirvan Team

**Bom**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved handling of file metadata.

CVE-2019-6239: Ian Moorhouse and Michael Trimm

**CFString**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted string may lead to a denial of service

Description: A validation issue was addressed with improved logic.

CVE-2019-8516: SWIPS Team of Frifee Inc.

**configd**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8552: Mohamed Ghannam (@\_simo36)

**Contacts**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2019-8511: an anonymous researcher

**CoreCrypto**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8542: an anonymous researcher

**DiskArbitration**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password

Description: A logic issue was addressed with improved state management.

CVE-2019-8522: Colin Meginnis (@falc420)

**FaceTime**

Available for: macOS Mojave 10.14.3

Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing

Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

CVE-2019-8550: Lauren Guzniczak of Keystone Academy

**FaceTime**

Available for: macOS Mojave 10.14.3

Impact: A local attacker may be able to view contacts from the lock screen

Description: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.

CVE-2019-8777: Abdullah H. AlJaber (@aljaber) of AJ.SA

Entry added October 8, 2019

**Feedback Assistant**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to gain root privileges

Description: A race condition was addressed with additional validation.

CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

**Feedback Assistant**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed with improved checks.

CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

**file**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted file might disclose user information

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8906: Francisco Alonso

Entry updated April 15, 2019

**Graphics Drivers**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative, Lilang Wu and Moony Li of Trend Micro

Entry updated August 1, 2019

**iAP**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8542: an anonymous researcher

**IOGraphics**

Available for: macOS Mojave 10.14.3

Impact: A Mac may not lock when disconnecting from an external monitor

Description: A lock handling issue was addressed with improved lock handling.

CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, and Romke van Dijk of Z-CERT

**IOHIDFamily**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

**IOKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8504: an anonymous researcher

**IOKit SCSI**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro Research working with Trend Micro's Zero Day Initiative

Entry updated April 15, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2018-4448: Brandon Azad

Entry added September 17, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A remote attacker may be able to alter network traffic data

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-5608: Apple

Entry added August 6, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A buffer overflow was addressed with improved size validation.

CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

**Kernel**

Available for: macOS Mojave 10.14.3, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8528: Fabiano Anemone (@anoane), Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team

Entry added April 3, 2019, updated August 1, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8508: Dr. Silvio Cesare of InfoSect

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2019-8514: Samuel Groß of Google Project Zero

**Kernel**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to read kernel memory

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-7293: Ned Williamson of Google

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)

CVE-2019-8510: Stefan Esser of Antid0te UG

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-8547: derrek (@derrekr6)

Entry added August 1, 2019

**Kernel**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8525: Zhuo Liang and shrek\_wzw of Qihoo 360 Nirvan Team

Entry added August 1, 2019

**libmalloc**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: A malicious application may be able to modify protected parts of the file system

Description: A configuration issue was addressed with additional restrictions.

CVE-2018-4433: Vitaly Cheptsov

Entry added August 1, 2019, updated September 17, 2019

**Mail**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted mail message may lead to S/MIME signature spoofing

Description: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.

CVE-2019-8642: Maya Sigal of Freie Universität Berlin and Volker Roth of Freie Universität Berlin

Entry added August 1, 2019

**Mail**

Available for: macOS Mojave 10.14.3

Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail

Description: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.

CVE-2019-8645: Maya Sigal of Freie Universität Berlin and Volker Roth of Freie Universität Berlin

Entry added August 1, 2019

**Messages**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2019-8546: ChiYuan Chang

**Modem CCL**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: An input validation issue was addressed with improved memory handling.

CVE-2019-8579: an anonymous researcher

Entry added April 15, 2019

**Notes**

Available for: macOS Mojave 10.14.3

Impact: A local user may be able to view a user’s locked notes

Description: An access issue was addressed with improved memory management.

CVE-2019-8537: Greg Walker (gregwalker.us)

**PackageKit**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved validation.

CVE-2019-8561: Jaron Bradley of Crowdstrike

**Perl**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: Multiple issues in Perl

Description: Multiple issues in Perl were addressed in this update.

CVE-2018-12015: Jakub Wilk

CVE-2018-18311: Jayakrishna Menon

CVE-2018-18313: Eiichi Tsukata

**Power Management**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation.

CVE-2019-8549: Mohamed Ghannam (@\_simo36) of SSD Secure Disclosure (ssd-disclosure.com)

**QuartzCore**

Available for: macOS Mojave 10.14.3

Impact: Processing malicious data may lead to unexpected application termination

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8507: Kai Lu of Fortinet's FortiGuard Labs

**Sandbox**

Available for: macOS Mojave 10.14.3

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8618: Brandon Azad

Entry added August 1, 2019

**Security**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8526: Linus Henze (pinauten.de)

**Security**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)

**Security**

Available for: macOS Mojave 10.14.3

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

**Security**

Available for: macOS Mojave 10.14.3

Impact: An untrusted radius server certificate may be trusted

Description: A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation.

CVE-2019-8531: an anonymous researcher, QA team of SecureW2

Entry added May 15, 2019

**Siri**

Available for: macOS Mojave 10.14.3

Impact: A malicious application may be able to initiate a Dictation request without user authorization

Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation.

CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Time Machine**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: A local user may be able to execute arbitrary shell commands

Description: This issue was addressed with improved checks.

CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs

**Touch Bar Support**

Available for: macOS Mojave 10.14.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8569: Viktor Oreshkin (@stek29)

Entry added August 1, 2019

**TrueTypeScaler**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative

**Wi-Fi**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3

Impact: An attacker in a privileged network position can modify driver state

Description: A logic issue was addressed with improved validation.

CVE-2019-8564: Hugues Anguelkov during an internship at Quarkslab

Entry added April 15, 2019

**Wi-Fi**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An attacker in a privileged network position can modify driver state

Description: A logic issue was addressed with improved state management.

CVE-2019-8612: Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added August 1, 2019

**Wi-Fi**

Available for: macOS Mojave 10.14.3

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8567: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added August 1, 2019

**xar**

Available for: macOS Mojave 10.14.3

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2019-6238: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added April 15, 2019

**XPC**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed with improved checks.

CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs

Tag

#buffer_overflow