dpic 2021.01.01 has a Global buffer overflow in theyylex() function in main.c and reads out of the bound array.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Topics Snippets
    
*   Register
*   Sign in

*   Dwight Aplevich
*   dpic
*   Commits
*   d317e406

**Commit d317e406** authored Apr 10, 2021 by  **Dwight Aplevich**

Browse files

**Improved robustness to fuzzed input**

parent 68ab9432

*   Changes 33

Expand all Hide whitespace changes

Inline Side-by-side

*   Neeraj Pal @bsdb0y
    
    mentioned in issue #8 (closed)
    
    · May 09, 2021
    
    mentioned in issue #8 (closed)
    
    mentioned in issue #8
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #9 (closed)
    
    · May 09, 2021
    
    mentioned in issue #9 (closed)
    
    mentioned in issue #9
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #10 (closed)
    
    · May 09, 2021
    
    mentioned in issue #10 (closed)
    
    mentioned in issue #10
    
    Toggle commit list
    
*   Neeraj Pal @bsdb0y
    
    mentioned in issue #11 (closed)
    
    · May 09, 2021
    
    mentioned in issue #11 (closed)
    
    mentioned in issue #11
    
    Toggle commit list
    

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2021-32422: Improved robustness to fuzzed input (d317e406) · Commits · Dwight Aplevich / dpic · GitLab

Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in FreeImage 3.19.0 [r1859] allows remote attackers to ru narbitrary code via use of crafted psd file.

1.PluginICO.cpp/LoadStandardIcon( )/heap\_overflow  
When the program reads a ico file, it will be handed to the Load function of the 'PluginICO.cpp' file, but in the '332' line of the program, when the 'io->read\_proc' function is executed, the size of the "height \* pitch" are not considered, which will cause the heap\_overflow.  
  
  
From the above,we can find that the "FreeImage\_GetBits" function return a pointer,which corresponds to the buffer as follows.  
  
The buffer size is (0x259aa44df50 + 0x663 - 259aa44df50) 0xa3  
  
  
At the same time ,the "handle" stores the pointer to the ICO data we read in. Moreover,we can see that the buffer has read the ico data when the 'io->read\_proc' function is executed.  
  
Also the size of the "height \* pitch" can be controlled.  
Finally,it will cause the heap overflow if we make the "height \* pitch" is greater than the size of buffer. Moreover, it may has the risk of arbitrary code execution.

2.PSDParser.cpp/ReadImageLine( )/heap\_overflow  
When the program reads a psd file, it will be handed to the Load function of the 'PSDParser.cpp' file, but in the '1298' line of the program, when the 'memcpy' function is executed, the size of the "lineSize" are not considered, which will cause the heap\_overflow.  
  
  
  
The lineSize is determined by the nWidth we passed in,which is controllable.  
  
The buffer size of "dst" is (0x19f53cdffe0 + 0x2013 -0x0000019f53ce1f90) 0x63  
  
  
Also the content of "src" comes from the psd file we read in.  
Finally,it will cause the heap overflow when the 'memcpy' function is executed,if we make the 'lineSize' is greater than the size of buffer.Moreover, it may has the risk of arbitrary code execution.

3.PSDParser.cpp/UnpackRLE( )/Integer overflow  
A Integer overflow in line "1328" of the "psdParser::UnpackRLE" function in "PSDParser.cpp". Where the "srcSize" is an unsigned integer. But it is still recognized as a positive number in the memory when "srcSize-=len" is a negative number(0xffffff94). Eventually results in "srcSize > 0", which causes rle\_line to generate an out-of-bounds read.  
  

4.PSDParser.cpp/psdThumbnail::Read( )/heap\_overflow  
When the program reads a psd file, it will be handed to the Load function of the 'PSDParser.cpp' file, but in the '801' line of the "psdThumbnail::Read", when the 'memcpy' function is executed, the size of the "\_Width \* \_BitPerPixel" are not considered, which will cause the heap\_overflow.  
  
The buffer size of "dst\_line\_start" is (0x231fdfde8f0 + 0x70b - 0x00000231fdfdefe4 ) 0x17 and the "\_Width \* \_BitPerPixel" is determined by the nWidth we passed in,which is controllable.  
  
In the code above，the "io->read\_proc(line\_start, \_WidthBytes, 1, handle)" function is executed, where the "handle" stores the pointer to the psd data we read in. Also the "\_WidthBytes" is controllable,which means the content of "line\_start" is controllable.  
  
Finally,it will cause the heap overflow when the 'memcpy' function is executed,if we make the "\_Width \* \_BitPerPixel" is greater than the size of buffer.Moreover, it may has the risk of arbitrary code execution.

Author by avscx.z@dbappsecurity.com.cn

 

Last edit: Avscx 2020-08-07

CVE-2020-24295: FreeImage / Discussion / Developers: Four Vulnerabilities about Freeimage 3.19.0

Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm before 2.15.05 allows attackers to cause a denial of service via crafted file.

NameLast modifiedSizeDescription

Parent Directory  -   doc/2020-08-28 09:05 - Online documentation dos/2020-08-28 09:08 - MS-DOS executables linux/2020-08-28 09:08 - Linux packages macosx/2020-08-28 09:08 - MacOS X packages win32/2020-08-28 09:08 - Windows packages (32 bit) win64/2020-08-28 09:08 - Windows packages (64 bit) git.id2020-08-28 09:08 41 Corresponding git revision ID nasm-2.15.05-xdoc.tar.bz22020-08-28 09:05 900KDownloadable documentation nasm-2.15.05-xdoc.tar.gz2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05-xdoc.tar.xz2020-08-28 09:05 804KDownloadable documentation nasm-2.15.05-xdoc.zip2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05.tar.bz22020-08-28 09:04 1.2MSource code nasm-2.15.05.tar.gz2020-08-28 09:04 1.6MSource code nasm-2.15.05.tar.xz2020-08-28 09:04 972KSource code nasm-2.15.05.zip2020-08-28 09:05 1.8MSource code

CVE-2022-29654: Index of /pub/nasm/releasebuilds/2.15.05

Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b allows local attackers to hijack control flow via manipulation of SmcSecurityEraseSetupVar variable.

Variable Modification Due to Stack Overflow

**Vulnerability Disclosure:**

The purpose of this vulnerability disclosure is to communicate the potential vulnerability affecting Supermicro products that was reported by an external researcher.

**Acknowledgement:**

Supermicro would like to acknowledge the work done by the researcher from Wuhan University, China for discovering a potential vulnerability in the X12DPG-QR motherboard.

**Findings:**

Possible stack overflow occurrence in the BIOS firmware may allow an attacker to exploit this vulnerability by manipulating a variable to potentially hijack the control flow, allowing attackers with the kernel level privileges to escalate their privileges and potentially leading to the execution of arbitrary code.

**CVE:**

*   CVE-2023-34853
*   **Severity**: High

**Affected products:**

Supermicro BIOS in X11, X12, X13, and H11, H12, H13 motherboards.

**Solution:**

All affected Supermicro motherboard SKUs will require a BIOS update to mitigate this potential vulnerability.

An updated BIOS firmware had been created to mitigate this potential vulnerability. Supermicro is currently testing and validating affected products. Please check Release Notes for the resolution.

CVE-2023-34853: Variable Modification Due to Stack Overflow | Supermicro

Buffer Overflow vulnerability in ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remaote attackers to run arbitrary code via opening of crafted ogg file.

I use AddressSanitizer to build oggvideotools 0.9.1 and get segment fault as below. I use the command:  
oggLength <testcase>  
The testcase I used is put in the attachment.  
This software can also be installed by command apt install oggvideotools but the version is 0.8a-7, which can also get segment fault with the same testcase.</testcase>

MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
\=================================================================  
\==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050  
WRITE of size 4 at 0x60600000e4b8 thread T0  
#0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17  
#1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12  
#2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210  
#3 0x43b0c4 in oggLengthCmd(int, char\*\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#4 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#5 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#6 0x43aa78 in \_start (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x43aa78)</streamconfig,>

0x60600000e4b8 is located 0 bytes to the right of 56-byte region \[0x60600000e480,0x60600000e4b8)  
allocated by thread T0 here:  
#0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x4468b4 in \_\_gnu\_cxx::new\_allocator<streamconfig>::allocate(unsigned long, void const_) /usr/include/c++/5/ext/new\_allocator.h:104  
#2 0x4460b3 in std::allocator\_traits<std::allocator<streamconfig> >::allocate(std::allocator<streamconfig>&, unsigned long) /usr/include/c++/5/bits/alloc\_traits.h:491  
#3 0x4451fd in std::\_Vector\_base<streamconfig, std::allocator<streamconfig=""> >::\_M\_allocate(unsigned long) /usr/include/c++/5/bits/stl\_vector.h:170  
#4 0x443257 in std::vector<streamconfig, std::allocator<streamconfig=""> >::\_M\_default\_append(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x443257)  
#5 0x441d5e in std::vector<streamconfig, std::allocator<streamconfig=""> >::resize(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x441d5e)  
#6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206  
#7 0x43b0c4 in oggLengthCmd(int, char</streamconfig,></streamconfig,></streamconfig,></streamconfig,></streamconfig></std::allocator<streamconfig>_\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#8 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#9 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)</streamconfig>

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)  
Shadow bytes around the buggy address:  
0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c0c7fff9c90: 00 00 00 00 00 00 00\[fa\]fa fa fa fa 00 00 00 00  
0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa  
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa  
0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd  
0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa  
0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==32390==ABORTING

My system is:  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04

The software information:  
oggvideotools:  
Installed: 0.8a-7  
Candidate: 0.8a-7  
Version table:  
\*\*\* 0.8a-7 500  
500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages  
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages  
100 /var/lib/dpkg/status

ProblemType: Bug  
DistroRelease: Ubuntu 16.04  
Package: oggvideotools 0.8a-7  
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18  
Uname: Linux 4.15.0-66-generic x86\_64  
ApportVersion: 2.20.1-0ubuntu2.21  
Architecture: amd64  
CurrentDesktop: Unity  
Date: Thu Nov 14 19:56:47 2019  
InstallationDate: Installed on 2019-01-24 (293 days ago)  
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)  
SourcePackage: oggvideotools  
UpgradeStatus: No upgrade log present (probably fresh install)

**1 Attachments**

CVE-2020-21724: Ogg Video Tools / Bugs

Buffer Overflow vulnerability in oggvideotools 0.9.1 allows remote attackers to run arbitrary code via opening of crafted ogg file.

CVE-2020-21722

Buffer Overflow vulnerability in scan function in stdscan.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392645?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21687: Invalid Bug ID

Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392644?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21685: Invalid Bug ID

Buffer Overflow vulnerability in LibRaw::stretch() function in libraw\src\postprocessing\aspect_ratio.cpp.

**Description**

An out-of-bounds read vulnerability exists within the "LibRaw::stretch()" function (libraw\\src\\postprocessing\\aspect\_ratio.cpp) when parsing a crafted CRW file.

**Steps to Reproduce**

(poc archive password= girlelecta):  
https://drive.google.com/open?id=1Y70DxvWYfsNS7DBu4cuoUVOoMOyheA8O

cmd:  
magick.exe convert poc.crw new.png

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\ImageMagick-7.0.9-Q16\\magick.exe" convert E:\\Workspace\\poc.crw E:\\Workspace\\new.png

\*\*\*\*\*\*\*\*\*\*\*\*\* Path validation summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*  
Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00007ff7 93fc0000 00007ff7 93fcc000 image00007ff7 93fc0000  
ModLoad: 00007ff8 87ea0000 00007ff8 88090000 ntdll.dll  
ModLoad: 00007ff8 70fb0000 00007ff8 71021000 C:\\WINDOWS\\System32\\verifier.dll  
Page heap: pid 0x2ADC: page heap enabled with flags 0x3.  
ModLoad: 00007ff8 87bb0000 00007ff8 87c62000 C:\\WINDOWS\\System32\\KERNEL32.DLL  
ModLoad: 00007ff8 85820000 00007ff8 85ac3000 C:\\WINDOWS\\System32\\KERNELBASE.dll  
ModLoad: 00007ff8 6e630000 00007ff8 6e808000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_MagickCore\_.dll  
ModLoad: 00007ff8 6e550000 00007ff8 6e629000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_MagickWand\_.dll  
ModLoad: 00007ff8 6e460000 00007ff8 6e54f000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCR120.dll  
ModLoad: 000002c7 22170000 000002c7 2225f000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCR120.dll  
ModLoad: 00007ff8 74a90000 00007ff8 74ab2000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\VCOMP120.DLL  
ModLoad: 00007ff8 876f0000 00007ff8 87884000 C:\\WINDOWS\\System32\\USER32.dll  
ModLoad: 00007ff8 85e80000 00007ff8 85ea1000 C:\\WINDOWS\\System32\\win32u.dll  
ModLoad: 00007ff8 862f0000 00007ff8 86316000 C:\\WINDOWS\\System32\\GDI32.dll  
ModLoad: 00007ff8 855b0000 00007ff8 85744000 C:\\WINDOWS\\System32\\gdi32full.dll  
ModLoad: 00007ff8 85eb0000 00007ff8 85f4e000 C:\\WINDOWS\\System32\\msvcp\_win.dll  
ModLoad: 00007ff8 87c70000 00007ff8 87d13000 C:\\WINDOWS\\System32\\ADVAPI32.dll  
ModLoad: 00007ff8 86680000 00007ff8 8671e000 C:\\WINDOWS\\System32\\msvcrt.dll  
ModLoad: 00007ff8 861f0000 00007ff8 86287000 C:\\WINDOWS\\System32\\sechost.dll  
ModLoad: 00007ff8 85ad0000 00007ff8 85bca000 C:\\WINDOWS\\System32\\ucrtbase.dll  
ModLoad: 00007ff8 87d40000 00007ff8 87e60000 C:\\WINDOWS\\System32\\RPCRT4.dll  
ModLoad: 00007ff8 74f30000 00007ff8 74f44000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_bzlib\_.dll  
ModLoad: 00007ff8 86600000 00007ff8 8666f000 C:\\WINDOWS\\System32\\WS2\_32.dll  
ModLoad: 00007ff8 6e400000 00007ff8 6e456000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_lcms\_.dll  
ModLoad: 00007ff8 6e360000 00007ff8 6e400000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_freetype\_.dll  
ModLoad: 00007ff8 73500000 00007ff8 73513000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_lqr\_.dll  
ModLoad: 00007ff8 73000000 00007ff8 73018000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_zlib\_.dll  
ModLoad: 00007ff8 6e100000 00007ff8 6e355000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_glib\_.dll  
ModLoad: 00007ff8 86720000 00007ff8 86e05000 C:\\WINDOWS\\System32\\SHELL32.dll  
ModLoad: 00007ff8 857d0000 00007ff8 8581a000 C:\\WINDOWS\\System32\\cfgmgr32.dll  
ModLoad: 00007ff8 85f50000 00007ff8 85ff9000 C:\\WINDOWS\\System32\\shcore.dll  
ModLoad: 00007ff8 86e10000 00007ff8 87146000 C:\\WINDOWS\\System32\\combase.dll  
ModLoad: 00007ff8 85d20000 00007ff8 85da0000 C:\\WINDOWS\\System32\\bcryptPrimitives.dll  
ModLoad: 00007ff8 84e30000 00007ff8 855af000 C:\\WINDOWS\\System32\\windows.storage.dll  
ModLoad: 00007ff8 84e10000 00007ff8 84e2f000 C:\\WINDOWS\\System32\\profapi.dll  
ModLoad: 00007ff8 84d80000 00007ff8 84dca000 C:\\WINDOWS\\System32\\powrprof.dll  
ModLoad: 00007ff8 84d70000 00007ff8 84d80000 C:\\WINDOWS\\System32\\UMPDC.dll  
ModLoad: 00007ff8 87910000 00007ff8 87962000 C:\\WINDOWS\\System32\\shlwapi.dll  
ModLoad: 00007ff8 84dd0000 00007ff8 84de1000 C:\\WINDOWS\\System32\\kernel.appcore.dll  
ModLoad: 00007ff8 857b0000 00007ff8 857c7000 C:\\WINDOWS\\System32\\cryptsp.dll  
ModLoad: 00007ff8 87a50000 00007ff8 87ba6000 C:\\WINDOWS\\System32\\ole32.dll  
ModLoad: 00007ff8 842f0000 00007ff8 8432a000 C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL  
ModLoad: 00007ff8 84330000 00007ff8 843fa000 C:\\WINDOWS\\SYSTEM32\\DNSAPI.dll  
ModLoad: 00007ff8 87900000 00007ff8 87908000 C:\\WINDOWS\\System32\\NSI.dll  
ModLoad: 00007ff8 6e090000 00007ff8 6e0f8000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_libxml\_.dll  
(2adc.2ae0): Break instruction exception - code 80000003 (first chance)  
ntdll!LdrInitShimEngineDynamic+0x35c:  
00007ff8 87f7121c cc int 3  
0:000> g  
ModLoad: 00007ff8 86000000 00007ff8 8602e000 C:\\WINDOWS\\System32\\IMM32.DLL  
ModLoad: 00007ff8 77200000 00007ff8 7720a000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\modules\\coders\\IM\_MOD\_RL\_DNG\_.dll  
ModLoad: 00007ff8 5fe70000 00007ff8 5ff74000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\CORE\_RL\_libraw\_.dll  
ModLoad: 00007ff8 6df60000 00007ff8 6e006000 C:\\Program Files\\ImageMagick-7.0.9-Q16\\MSVCP120.dll  
(2adc.2ae0): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
CORE\_RL\_libraw\_!LibRaw::stretch+0x17d:  
00007ff8 5febc7ed 430fb70402 movzx eax,word ptr \[r10+r8\] ds:000002c7 284ac5c0=????  
0:000> k  
Child-SP RetAddr Call Site  
00 000000e1 ef2f3af0 00007ff8 5fedb222 CORE\_RL\_libraw\_!LibRaw::stretch+0x17d  
01 000000e1 ef2f3b70 00007ff8 772016b4 CORE\_RL\_libraw\_!LibRaw::dcraw\_process+0x562  
02 000000e1 ef2f3be0 00007ff8 6e6704ac IM\_MOD\_RL\_DNG\_+0x16b4  
03 000000e1 ef2f5c70 00007ff8 6e670fbc CORE\_RL\_MagickCore\_!ReadImage+0x47c  
04 000000e1 ef2fadc0 00007ff8 6e569636 CORE\_RL\_MagickCore\_!ReadImages+0x1ac  
05 000000e1 ef2fbe40 00007ff8 6e5ac907 CORE\_RL\_MagickWand\_!ConvertImageCommand+0x566  
06 000000e1 ef2fd760 00007ff7 93fc130b CORE\_RL\_MagickWand\_!MagickCommandGenesis+0x5a7  
07 000000e1 ef2fe920 00007ff7 93fc13ec image00007ff7\_93fc0000+0x130b  
08 000000e1 ef2ffb30 00007ff7 93fc1783 image00007ff7\_93fc0000+0x13ec  
09 000000e1 ef2ffb60 00007ff8 87bc7bd4 image00007ff7\_93fc0000+0x1783  
0a 000000e1 ef2ffb90 00007ff8 87f0ced1 KERNEL32!BaseThreadInitThunk+0x14  
0b 000000e1 ef2ffbc0 00000000 00000000 ntdll!RtlUserThreadStart+0x21

**System Configuration**

*   ImageMagick:  
    Version: ImageMagick-7.0.9-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-22628: "LibRaw::stretch()" Out-of-bounds read vulnerability · Issue #269 · LibRaw/LibRaw

Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.

Buffer overflow in mg\_resolve\_from\_hosts\_file function (line 124) in mongoose/src/mg\_resolv.c in Mongoose 6.18, where sscanf copies data from p to alias without limiting the size of the copied data not to exceed the alias array size, which is 256. Note that p can be up to 1024 (minus the IP digits) and is copied from a tainted file. This bug can be triggered by a malformed hosts file that includes a hostname that is larger than 256.

One way to fix this bug is by adding the format width specifier

for (p = line + len; sscanf(p, "%**255**ss%n", alias, &len) == 1; p += len) {

Tag

#buffer_overflow