An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF\_IPMPX\_WatermarkingInit  
ASAN info:

\==26293\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86\_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf\_bs\_read\_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1517
    #4 0x7bc40d in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020
    #5 0x7beab7 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:293
    #6 0x7a97c9 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #7 0x795b43 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #9 0xad3e13 in esds\_Read isomedia/box\_code\_base.c:1256
    #10 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #11 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #12 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #13 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #14 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #15 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region \[0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1516
    #2 0x7bc3bf in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa\[01\]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26293==ABORTING

gdb info:

7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          \[vvar\]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          \[vdso\]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          \[stack\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in \_\_GI\_abort () at abort.c:89
#2  0x00007ffff73447ea in \_\_libc\_message (do\_abort=do\_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "\*\*\* Error in \`%s': %s: 0x%s \*\*\*\\n") at ../sysdeps/posix/libc\_fatal.c:175
#3  0x00007ffff734d37a in malloc\_printerr (ar\_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  \_int\_free (av=<optimized out>, p=<optimized out>, have\_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in \_\_GI\_\_\_libc\_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF\_IPMPX\_OpaqueData (\_p=<optimized out>) at odf/ipmpx\_code.c:1205
#7  gf\_ipmpx\_data\_del (\_p=\_p@entry=0x9cc760) at odf/ipmpx\_code.c:1835
#8  0x00000000005624bd in gf\_odf\_del\_ipmp (ipmp=0x9cc670) at odf/odf\_code.c:2390
#9  0x000000000055a031 in gf\_odf\_parse\_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc\_size=desc\_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf\_odf\_desc\_read (raw\_desc=raw\_desc@entry=0x9cc590 "\\v@\\377\\377\\377\\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf\_codec.c:302
#11 0x00000000006ca6f4 in esds\_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box\_code\_base.c:1256
#12 0x00000000005137e1 in gf\_isom\_box\_read (bs=0x9cb460, a=0x9cc550) at isomedia/box\_funcs.c:1528
#13 gf\_isom\_box\_parse\_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is\_root\_box=is\_root\_box@entry=GF\_TRUE, parent\_type=0) at isomedia/box\_funcs.c:208
#14 0x0000000000513e15 in gf\_isom\_parse\_root\_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/box\_funcs.c:42
#15 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/isom\_intern.c:206
#16 0x000000000051c48c in gf\_isom\_parse\_movie\_boxes (progressive\_mode=GF\_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom\_intern.c:194
#17 gf\_isom\_open\_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF\_IPMPX\_WatermarkingInit", OpenMode=0, tmp\_dir=0x0) at isomedia/isom\_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in \_start ()

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20161: AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 · Issue #1320 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex-2  
For POC-new-gf\_isom\_box\_parse\_ex  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex-2  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex  
ASAN info:

\==25783\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region \[0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:\[fa\]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf\_isom\_box\_parse\_ex-2

ASAN info：  
==25917\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region \[0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

**This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d**

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_odf\_avc\_cfg\_write\_bs

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
(gdb) bt
#0  0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
#1  0x000000000055b1ff in gf\_odf\_avc\_cfg\_write ()
#2  0x00000000004f9ba1 in AVC\_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video\_sample\_entry\_Read ()
#4  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#5  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#6  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#7  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#8  0x00000000006d09d0 in stbl\_Read ()
#9  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#10 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#11 0x00000000006ce02b in minf\_Read ()
#12 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#13 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#14 0x00000000006cd2f0 in mdia\_Read ()
#15 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#16 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#17 0x00000000006d351d in trak\_Read ()
#18 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#19 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#20 0x00000000006ce545 in moov\_Read ()
#21 0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#22 0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#23 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#24 0x000000000051c48c in gf\_isom\_open\_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#27 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==25871\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf\_odf\_avc\_cfg\_write\_bs odf/descriptors.c:567
    #1 0x79821e in gf\_odf\_avc\_cfg\_write odf/descriptors.c:631
    #2 0x68b393 in AVC\_RewriteESDescriptorEx isomedia/avc\_ext.c:1063
    #3 0xaddd66 in video\_sample\_entry\_Read isomedia/box\_code\_base.c:4408
    #4 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #5 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #6 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #7 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #8 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #9 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #10 0xae19df in stbl\_Read isomedia/box\_code\_base.c:5381
    #11 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #12 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #13 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #14 0xadb4fe in minf\_Read isomedia/box\_code\_base.c:3500
    #15 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #16 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #17 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #18 0xad96ef in mdia\_Read isomedia/box\_code\_base.c:3021
    #19 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #20 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #21 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #22 0xae8ad8 in trak\_Read isomedia/box\_code\_base.c:7129
    #23 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #24 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #25 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #26 0xadc064 in moov\_Read isomedia/box\_code\_base.c:3745
    #27 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #28 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #29 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #30 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #31 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #32 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #34 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf\_odf\_avc\_cfg\_write\_bs
==25871==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20163: AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 · Issue #1335 · gpac/gpac

In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.

There is a heap-buffer-overflow in function ImportRLEPixels of coders/miff.c whick can be reproduced as below.  
gm convert ./heap-buffer-overflow\_ImportRLEPixels /dev/null

\=================================================================
==27431==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fed1 at pc 0x00000071ab86 bp 0x7ffcc60ecb20 sp 0x7ffcc60ecb10
WRITE of size 1 at 0x61500000fed1 thread T0
    #0 0x71ab85 in ImportRLEPixels coders/miff.c:428
    #1 0x729d09 in ReadMIFFImage coders/miff.c:1850
    #2 0x477730 in ReadImage magick/constitute.c:1607
    #3 0x421598 in ConvertImageCommand magick/command.c:4365
    #4 0x436b0d in MagickCommand magick/command.c:8889
    #5 0x45f2ca in GMCommandSingle magick/command.c:17434
    #6 0x45f516 in GMCommand magick/command.c:17487
    #7 0x40cc65 in main utilities/gm.c:61
    #8 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cb78 in \_start (/home/graphicsmagick-code/utilities/gm+0x40cb78)

0x61500000fed1 is located 0 bytes to the right of 465-byte region \[0x61500000fd00,0x61500000fed1)
allocated by thread T0 here:
    #0 0x7f5e5228b602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4df677 in MagickRealloc magick/memory.c:494
    #2 0x501826 in OpenCache magick/pixel\_cache.c:2497
    #3 0x507f01 in ModifyCache magick/pixel\_cache.c:4584
    #4 0x4fb19e in SetCacheNexus magick/pixel\_cache.c:922
    #5 0x508d90 in SetCacheViewPixels magick/pixel\_cache.c:4881
    #6 0x508e6a in SetImagePixels magick/pixel\_cache.c:4947
    #7 0x7298da in ReadMIFFImage coders/miff.c:1831
    #8 0x477730 in ReadImage magick/constitute.c:1607
    #9 0x421598 in ConvertImageCommand magick/command.c:4365
    #10 0x436b0d in MagickCommand magick/command.c:8889
    #11 0x45f2ca in GMCommandSingle magick/command.c:17434
    #12 0x45f516 in GMCommand magick/command.c:17487
    #13 0x40cc65 in main utilities/gm.c:61
    #14 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/miff.c:428 ImportRLEPixels
Shadow bytes around the buggy address:
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27431==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190423 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64-pc-linux-gnu

Configured using the command:
  ./configure  'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

CVE-2019-19951: GraphicsMagick / Bugs / #608 heap-buffer-overflow in ImportRLEPixels of coders/miff.c

In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.

There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.

/home/graphicsmagick/utilities/gm convert ./heap\-buffer\-overflow\-READ\-0x08417e7a.webp ./test.pct
\==9938\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568
READ of size 1 at 0xf12147ff thread T0
    #0 0x8417e79 in EncodeImage coders/pict.c:1067
    #1 0x8421228 in WritePICTImage coders/pict.c:2408
    #2 0x80c6919 in WriteImage magick/constitute.c:2245
    #3 0x80c728f in WriteImages magick/constitute.c:2404
    #4 0x8072623 in ConvertImageCommand magick/command.c:6135
    #5 0x807ea51 in MagickCommand magick/command.c:8880
    #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #7 0x80abc86 in GMCommand magick/command.c:17465
    #8 0x80511ea in main utilities/gm.c:61
    #9 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)
    #10 0x80510f0  (/home/graphicsmagick/utilities/gm+0x80510f0)

0xf12147ff is located 1 bytes to the left of 65536\-byte region \[0xf1214800,0xf1224800)
allocated by thread T0 here:
    #0 0xf72bbdee in malloc (/usr/lib/i386\-linux\-gnu/libasan.so.2+0x96dee)
    #1 0x8132492 in MagickMalloc magick/memory.c:174
    #2 0x841f32a in WritePICTImage coders/pict.c:2126
    #3 0x80c6919 in WriteImage magick/constitute.c:2245
    #4 0x80c728f in WriteImages magick/constitute.c:2404
    #5 0x8072623 in ConvertImageCommand magick/command.c:6135
    #6 0x807ea51 in MagickCommand magick/command.c:8880
    #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #8 0x80abc86 in GMCommand magick/command.c:17465
    #9 0x80511ea in main utilities/gm.c:61
    #10 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap\-buffer\-overflow coders/pict.c:1067 EncodeImage
Shadow bytes around the buggy address:
  0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==9938\==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot\-20191208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002\-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (\> 32 bit)   yes
  Large Memory (\> 32 bit)  no
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG\-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64\-pc\-linux\-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '\--enable-shared=no'

Final Build Parameters:
  CC       \= gcc
  CFLAGS   \= \-fopenmp \-g \-fsanitize\=address \-Wall \-pthread
  CPPFLAGS \= \-I/usr/include/freetype2 \-I/usr/include/libxml2
  CXX      \= g++
  CXXFLAGS \= \-pthread
  LDFLAGS  \= 
  LIBS     \= \-ljbig \-lwebp \-lwebpmux \-llcms2 \-ltiff \-lfreetype \-ljasper \-ljpeg \-lpng12 \-lwmflite \-lXext \-lSM \-lICE \-lX11 \-llzma \-lbz2 \-lxml2 \-lz \-lm \-lpthread

CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c

HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core before 8.7.7 allows out-of-bounds access, as demonstrated by mishandling of an array copy during parsing of ICal data.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2019-19907: Kopano

ATasm 1.06 has a stack-based buffer overflow in the to_comma() function in asm.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#8 Stack-based buffer overflow in the to\_comma() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the to\_comma() function, in asm.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==15033\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffec9190ef0 at pc 0x0000004ce38e bp 0x7ffec9190e30 sp 0x7ffec9190e28
WRITE of size 1 at 0x7ffec9190ef0 thread T0
    #0 0x4ce38d in to\_comma /home/fcambus/atasm/src/asm.c:1126:11
    #1 0x4ce38d in do\_xbyte /home/fcambus/atasm/src/asm.c:1346:9
    #2 0x4cfe17 in proc\_sym /home/fcambus/atasm/src/asm.c:1553:7
    #3 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f32f46441e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffec9190ef0 is located in stack of thread T0 at offset 176 in frame
    #0 0x4cc7af in do\_xbyte /home/fcambus/atasm/src/asm.c:1299

  This frame has 2 object(s):
    \[32, 64) 'buf.i' (line 736)
    \[96, 176) 'buf' (line 1301) <== Memory access at offset 176 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/asm.c:1126:11 in to\_comma
Shadow bytes around the buggy address:
  0x10005922a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
\=>0x10005922a1d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00\[f3\]f3
  0x10005922a1e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a200: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x10005922a210: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10005922a220: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==15033\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19785: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the parse_expr() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#9 Stack-based buffer overflow in the parse\_expr() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the parse\_expr() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==29838\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fff079a8b00 at pc 0x0000004e0478 bp 0x7fff079a8a70 sp 0x7fff079a8a68
WRITE of size 1 at 0x7fff079a8b00 thread T0
    #0 0x4e0477 in parse\_expr /home/fcambus/atasm/src/setparse.c:83:13
    #1 0x4e236d in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:319:5
    #2 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #3 0x4d3deb in proc\_sym /home/fcambus/atasm/src/asm.c:1678:14
    #4 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #5 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #6 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #7 0x7fad7a5101e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #8 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7fff079a8b00 is located in stack of thread T0 at offset 128 in frame
    #0 0x4dfd9f in parse\_expr /home/fcambus/atasm/src/setparse.c:71

  This frame has 2 object(s):
    \[32, 36) 'v' (line 72)
    \[48, 128) 'expr' (line 73) <== Memory access at offset 128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:83:13 in parse\_expr
Shadow bytes around the buggy address:
  0x100060f2d110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d150: f1 f1 f1 f1 04 f2 00 00 00 00 00 00 00 00 00 00
\=>0x100060f2d160:\[f3\]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d170: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x100060f2d180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100060f2d190: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100060f2d1a0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100060f2d1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==29838\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19786: ATasm: 6502 cross-assembler / Bugs

ATasm 1.06 has a stack-based buffer overflow in the get_signed_expression() function in setparse.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#10 Stack-based buffer overflow in the get\_signed\_expression() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the get\_signed\_expression() function, in setparse.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==10633\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffe5c1b3480 at pc 0x0000004e27ea bp 0x7ffe5c1b3210 sp 0x7ffe5c1b3208
WRITE of size 1 at 0x7ffe5c1b3480 thread T0
    #0 0x4e27e9 in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:179:14
    #1 0x4e08a5 in get\_expression /home/fcambus/atasm/src/setparse.c:154:27
    #2 0x4c8de1 in add\_label /home/fcambus/atasm/src/asm.c
    #3 0x4d5563 in do\_cmd /home/fcambus/atasm/src/asm.c:1934:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f1cbb2811e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffe5c1b3480 is located in stack of thread T0 at offset 608 in frame
    #0 0x4e08bf in get\_signed\_expression /home/fcambus/atasm/src/setparse.c:157

  This frame has 4 object(s):
    \[32, 288) 'err.i' (line 136)
    \[352, 608) 'buf' (line 158) <== Memory access at offset 608 overflows this variable
    \[672, 928) 'work' (line 158)
    \[992, 1005) 'math' (line 162)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/setparse.c:179:14 in get\_signed\_expression
Shadow bytes around the buggy address:
  0x10004b82e640: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e650: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10004b82e660: f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10004b82e690:\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10004b82e6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6b0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004b82e6c0: 00 05 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b82e6e0: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==10633\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2019-19787: ATasm: 6502 cross-assembler / Bugs

HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() function in string.c (when called from render_contents in ps-pdf.cxx) via a crafted HTML document.

Hi,

While fuzzing htmldoc with Honggfuzz, I found a stack-based buffer overflow in the hd\_strlcpy() function, in string.c.

Attaching a reproducer (gzipped so GitHub accepts it): test01.html.gz

Issue can be reproduced by running:

    htmldoc test01.html -f test01.ps
    

    =================================================================
    ==27915==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffefa66f0df at pc 0x000000494c40 bp 0x7ffefa66f070 sp 0x7ffefa66e838
    WRITE of size 3 at 0x7ffefa66f0df thread T0
        #0 0x494c3f in __asan_memcpy (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f)
        #1 0x556aa5 in hd_strlcpy /home/fcambus/htmldoc-1.9.7/htmldoc/string.c:191:3
        #2 0x509ee3 in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3765:5
        #3 0x4f3cfb in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3853:13
        #4 0x4f3f6c in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx
        #5 0x4e4fce in pspdf_export /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:860:5
        #6 0x4d17bb in main /home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc.cxx:1276:3
        #7 0x7f68626141e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
        #8 0x41d84d in _start (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x41d84d)
    
    Address 0x7ffefa66f0df is located in stack of thread T0 at offset 63 in frame
        #0 0x5084be in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3563
    
      This frame has 2 object(s):
        [32, 44) 'rgb' (line 3564)
        [64, 1088) 'number' (line 3570) <== Memory access at offset 63 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10005f4c5dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10005f4c5e10: 00 00 00 00 f1 f1 f1 f1 00 04 f2[f2]00 00 00 00
      0x10005f4c5e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005f4c5e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==27915==ABORTING

Tag

#c++