LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via the function bit_utf8_to_TU at bits.c.

Hello, I was testing my fuzzer and found two bugs in dwg2SVG.

**environment**

ubuntu 20.04, GCC 9.4.0, libredwg latest commit 9df4ec3

compile with

    ./autogen.sh && ./configure --disable-shared && make -j$(nproc)
    

##BUG1

    ./dwg2SVG ../pocs/poc0.bit_utf8_to_TU
    =================================================================
    ==19712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000dc at pc 0x5603ca37f05a bp 0x7fff049b1c90 sp 0x7fff049b1c80
    WRITE of size 2 at 0x6020000000dc thread T0
        #0 0x5603ca37f059 in bit_utf8_to_TU /libredwg/src/bits.c:2883
        #1 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22059
        #2 0x5603cae6faab in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x5603ca7744de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x5603ca8fe1ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x5603cacaa3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x5603cacf559c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x5603cac76a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x5603ca362d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x5603ca35857c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7fc02854f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x5603ca358c1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x6020000000dc is located 0 bytes to the right of 12-byte region [0x6020000000d0,0x6020000000dc)
    allocated by thread T0 here:
        #0 0x7fc028979a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x5603ca37e83a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:2883 in bit_utf8_to_TU
    Shadow bytes around the buggy address:
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
    =>0x0c047fff8010: fa fa 02 fa fa fa 01 fa fa fa 00[04]fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19712==ABORTING
    

##BUG2

    ./dwg2SVG ../pocs/poc1.bit_wcs2nlen
    ==19713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000097a at pc 0x55781f6dd09d bp 0x7ffc201cb2e0 sp 0x7ffc201cb2d0
    READ of size 2 at 0x60400000097a thread T0
        #0 0x55781f6dd09c in bit_wcs2nlen /libredwg/src/bits.c:1834
        #1 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22060
        #2 0x5578201d2abb in dwg_is_valid_tag /libredwg/src/dwg_api.c:22048
        #3 0x55781fad74de in dwg_decode_ATTRIB_private /libredwg/src/dwg.spec:204
        #4 0x55781fc611ec in dwg_decode_ATTRIB /libredwg/src/dwg.spec:187
        #5 0x55782000d3a2 in decode_preR13_entities /libredwg/src/decode.c:6520
        #6 0x55782005859c in decode_preR13 /libredwg/src/decode_r11.c:719
        #7 0x55781ffd9a6a in dwg_decode /libredwg/src/decode.c:217
        #8 0x55781f6c5d77 in dwg_read_file /libredwg/src/dwg.c:261
        #9 0x55781f6bb57c in main /libredwg/programs/dwg2SVG.c:979
        #10 0x7faa3dcaf082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #11 0x55781f6bbc1d in _start (/validate/dwg2SVG/dwg2SVG+0x206c1d)
    
    0x60400000097a is located 0 bytes to the right of 42-byte region [0x604000000950,0x60400000097a)
    allocated by thread T0 here:
        #0 0x7faa3e0d9a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x55781f6e183a in bit_utf8_to_TU /libredwg/src/bits.c:2856
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /libredwg/src/bits.c:1834 in bit_wcs2nlen
    Shadow bytes around the buggy address:
      0x0c087fff80d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff80f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    =>0x0c087fff8120: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00[02]
      0x0c087fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==19713==ABORTING
    

**POC**

poc.zip

**Credit**

Han Zheng (Hexhive, NCNIPC of China)

CVE-2023-36272: [FUZZ] two bugs in dwg2SVG · Issue #681 · LibreDWG/libredwg

Red Hat Security Advisory 2023-3776-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: python39:3.9 and python39-devel:3.9 security update  
Advisory ID:       RHSA-2023:3776-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3776  
Issue date:        2023-06-22  
CVE Names:         CVE-2023-24329   
=====================================================================

1. Summary:

An update for the python39:3.9 and python39-devel:3.9 modules is now  
available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming  
language, which includes modules, classes, exceptions, very high level  
dynamic data types and dynamic typing. Python supports interfaces to many  
system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: urllib.parse url blocklisting bypass (CVE-2023-24329)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2173917 - CVE-2023-24329 python: urllib.parse url blocklisting bypass

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
PyYAML-5.4.1-1.module+el8.5.0+10613+59a13ec4.src.rpm  
mod_wsgi-4.7.1-4.module+el8.4.0+9822+20bf1249.src.rpm  
numpy-1.19.4-3.module+el8.5.0+12204+54860423.src.rpm  
python-PyMySQL-0.10.1-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-cffi-1.14.3-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-chardet-3.0.4-19.module+el8.4.0+9822+20bf1249.src.rpm  
python-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-idna-2.10-3.module+el8.4.0+9822+20bf1249.src.rpm  
python-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c.src.rpm  
python-ply-3.11-10.module+el8.4.0+9822+20bf1249.src.rpm  
python-psutil-5.8.0-4.module+el8.4.0+9822+20bf1249.src.rpm  
python-psycopg2-2.8.6-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-pycparser-2.20-3.module+el8.4.0+9822+20bf1249.src.rpm  
python-pysocks-1.7.1-4.module+el8.4.0+9822+20bf1249.src.rpm  
python-requests-2.25.0-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-toml-0.10.1-5.module+el8.4.0+9822+20bf1249.src.rpm  
python-urllib3-1.25.10-4.module+el8.5.0+11712+ea2d2be1.src.rpm  
python-wheel-0.35.1-4.module+el8.5.0+12204+54860423.src.rpm  
python39-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.src.rpm  
python3x-pip-20.2.4-7.module+el8.6.0+13003+6bb2c488.src.rpm  
python3x-setuptools-50.3.2-4.module+el8.5.0+12204+54860423.src.rpm  
python3x-six-1.15.0-3.module+el8.4.0+9822+20bf1249.src.rpm  
scipy-1.5.4-3.module+el8.4.0+9822+20bf1249.src.rpm

aarch64:  
PyYAML-debugsource-5.4.1-1.module+el8.5.0+10613+59a13ec4.aarch64.rpm  
numpy-debugsource-1.19.4-3.module+el8.5.0+12204+54860423.aarch64.rpm  
python-cffi-debugsource-1.14.3-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python-cryptography-debugsource-3.3.1-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python-lxml-debugsource-4.6.5-1.module+el8.6.0+13933+9cf0c87c.aarch64.rpm  
python-psutil-debugsource-5.8.0-4.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python-psycopg2-debugsource-2.8.6-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-cffi-1.14.3-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-cffi-debuginfo-1.14.3-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-cryptography-debuginfo-3.3.1-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-debuginfo-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-debugsource-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-devel-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-idle-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-libs-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c.aarch64.rpm  
python39-lxml-debuginfo-4.6.5-1.module+el8.6.0+13933+9cf0c87c.aarch64.rpm  
python39-mod_wsgi-4.7.1-4.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-numpy-1.19.4-3.module+el8.5.0+12204+54860423.aarch64.rpm  
python39-numpy-debuginfo-1.19.4-3.module+el8.5.0+12204+54860423.aarch64.rpm  
python39-numpy-f2py-1.19.4-3.module+el8.5.0+12204+54860423.aarch64.rpm  
python39-psutil-5.8.0-4.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-psutil-debuginfo-5.8.0-4.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-psycopg2-2.8.6-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-psycopg2-debuginfo-2.8.6-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-psycopg2-doc-2.8.6-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-psycopg2-tests-2.8.6-2.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-pyyaml-5.4.1-1.module+el8.5.0+10613+59a13ec4.aarch64.rpm  
python39-pyyaml-debuginfo-5.4.1-1.module+el8.5.0+10613+59a13ec4.aarch64.rpm  
python39-scipy-1.5.4-3.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-scipy-debuginfo-1.5.4-3.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-test-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-tkinter-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
scipy-debugsource-1.5.4-3.module+el8.4.0+9822+20bf1249.aarch64.rpm

noarch:  
python39-PyMySQL-0.10.1-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-chardet-3.0.4-19.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-idna-2.10-3.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-numpy-doc-1.19.4-3.module+el8.5.0+12204+54860423.noarch.rpm  
python39-pip-20.2.4-7.module+el8.6.0+13003+6bb2c488.noarch.rpm  
python39-pip-wheel-20.2.4-7.module+el8.6.0+13003+6bb2c488.noarch.rpm  
python39-ply-3.11-10.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-pycparser-2.20-3.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-pysocks-1.7.1-4.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-requests-2.25.0-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-rpm-macros-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.noarch.rpm  
python39-setuptools-50.3.2-4.module+el8.5.0+12204+54860423.noarch.rpm  
python39-setuptools-wheel-50.3.2-4.module+el8.5.0+12204+54860423.noarch.rpm  
python39-six-1.15.0-3.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-toml-0.10.1-5.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-urllib3-1.25.10-4.module+el8.5.0+11712+ea2d2be1.noarch.rpm  
python39-wheel-0.35.1-4.module+el8.5.0+12204+54860423.noarch.rpm  
python39-wheel-wheel-0.35.1-4.module+el8.5.0+12204+54860423.noarch.rpm

ppc64le:  
PyYAML-debugsource-5.4.1-1.module+el8.5.0+10613+59a13ec4.ppc64le.rpm  
numpy-debugsource-1.19.4-3.module+el8.5.0+12204+54860423.ppc64le.rpm  
python-cffi-debugsource-1.14.3-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python-cryptography-debugsource-3.3.1-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python-lxml-debugsource-4.6.5-1.module+el8.6.0+13933+9cf0c87c.ppc64le.rpm  
python-psutil-debugsource-5.8.0-4.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python-psycopg2-debugsource-2.8.6-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-cffi-1.14.3-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-cffi-debuginfo-1.14.3-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-cryptography-debuginfo-3.3.1-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-debuginfo-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-debugsource-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-devel-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-idle-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-libs-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c.ppc64le.rpm  
python39-lxml-debuginfo-4.6.5-1.module+el8.6.0+13933+9cf0c87c.ppc64le.rpm  
python39-mod_wsgi-4.7.1-4.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-numpy-1.19.4-3.module+el8.5.0+12204+54860423.ppc64le.rpm  
python39-numpy-debuginfo-1.19.4-3.module+el8.5.0+12204+54860423.ppc64le.rpm  
python39-numpy-f2py-1.19.4-3.module+el8.5.0+12204+54860423.ppc64le.rpm  
python39-psutil-5.8.0-4.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-psutil-debuginfo-5.8.0-4.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-psycopg2-2.8.6-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-psycopg2-debuginfo-2.8.6-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-psycopg2-doc-2.8.6-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-psycopg2-tests-2.8.6-2.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-pyyaml-5.4.1-1.module+el8.5.0+10613+59a13ec4.ppc64le.rpm  
python39-pyyaml-debuginfo-5.4.1-1.module+el8.5.0+10613+59a13ec4.ppc64le.rpm  
python39-scipy-1.5.4-3.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-scipy-debuginfo-1.5.4-3.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-test-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-tkinter-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
scipy-debugsource-1.5.4-3.module+el8.4.0+9822+20bf1249.ppc64le.rpm

s390x:  
PyYAML-debugsource-5.4.1-1.module+el8.5.0+10613+59a13ec4.s390x.rpm  
numpy-debugsource-1.19.4-3.module+el8.5.0+12204+54860423.s390x.rpm  
python-cffi-debugsource-1.14.3-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python-cryptography-debugsource-3.3.1-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python-lxml-debugsource-4.6.5-1.module+el8.6.0+13933+9cf0c87c.s390x.rpm  
python-psutil-debugsource-5.8.0-4.module+el8.4.0+9822+20bf1249.s390x.rpm  
python-psycopg2-debugsource-2.8.6-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-cffi-1.14.3-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-cffi-debuginfo-1.14.3-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-cryptography-debuginfo-3.3.1-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-debuginfo-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-debugsource-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-devel-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-idle-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-libs-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c.s390x.rpm  
python39-lxml-debuginfo-4.6.5-1.module+el8.6.0+13933+9cf0c87c.s390x.rpm  
python39-mod_wsgi-4.7.1-4.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-numpy-1.19.4-3.module+el8.5.0+12204+54860423.s390x.rpm  
python39-numpy-debuginfo-1.19.4-3.module+el8.5.0+12204+54860423.s390x.rpm  
python39-numpy-f2py-1.19.4-3.module+el8.5.0+12204+54860423.s390x.rpm  
python39-psutil-5.8.0-4.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-psutil-debuginfo-5.8.0-4.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-psycopg2-2.8.6-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-psycopg2-debuginfo-2.8.6-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-psycopg2-doc-2.8.6-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-psycopg2-tests-2.8.6-2.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-pyyaml-5.4.1-1.module+el8.5.0+10613+59a13ec4.s390x.rpm  
python39-pyyaml-debuginfo-5.4.1-1.module+el8.5.0+10613+59a13ec4.s390x.rpm  
python39-scipy-1.5.4-3.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-scipy-debuginfo-1.5.4-3.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-test-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-tkinter-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
scipy-debugsource-1.5.4-3.module+el8.4.0+9822+20bf1249.s390x.rpm

x86_64:  
PyYAML-debugsource-5.4.1-1.module+el8.5.0+10613+59a13ec4.x86_64.rpm  
numpy-debugsource-1.19.4-3.module+el8.5.0+12204+54860423.x86_64.rpm  
python-cffi-debugsource-1.14.3-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python-cryptography-debugsource-3.3.1-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python-lxml-debugsource-4.6.5-1.module+el8.6.0+13933+9cf0c87c.x86_64.rpm  
python-psutil-debugsource-5.8.0-4.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python-psycopg2-debugsource-2.8.6-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-cffi-1.14.3-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-cffi-debuginfo-1.14.3-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-cryptography-debuginfo-3.3.1-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-debuginfo-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-debugsource-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-devel-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-idle-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-libs-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c.x86_64.rpm  
python39-lxml-debuginfo-4.6.5-1.module+el8.6.0+13933+9cf0c87c.x86_64.rpm  
python39-mod_wsgi-4.7.1-4.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-numpy-1.19.4-3.module+el8.5.0+12204+54860423.x86_64.rpm  
python39-numpy-debuginfo-1.19.4-3.module+el8.5.0+12204+54860423.x86_64.rpm  
python39-numpy-f2py-1.19.4-3.module+el8.5.0+12204+54860423.x86_64.rpm  
python39-psutil-5.8.0-4.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-psutil-debuginfo-5.8.0-4.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-psycopg2-2.8.6-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-psycopg2-debuginfo-2.8.6-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-psycopg2-doc-2.8.6-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-psycopg2-tests-2.8.6-2.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-pyyaml-5.4.1-1.module+el8.5.0+10613+59a13ec4.x86_64.rpm  
python39-pyyaml-debuginfo-5.4.1-1.module+el8.5.0+10613+59a13ec4.x86_64.rpm  
python39-scipy-1.5.4-3.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-scipy-debuginfo-1.5.4-3.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-test-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-tkinter-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
scipy-debugsource-1.5.4-3.module+el8.4.0+9822+20bf1249.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

Source:  
Cython-0.29.21-5.module+el8.4.0+9822+20bf1249.src.rpm  
pybind11-2.7.1-1.module+el8.6.0+12838+640e6226.src.rpm  
pytest-6.0.2-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-attrs-20.3.0-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-iniconfig-1.1.1-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-more-itertools-8.5.0-2.module+el8.4.0+9822+20bf1249.src.rpm  
python-packaging-20.4-4.module+el8.4.0+9822+20bf1249.src.rpm  
python-pluggy-0.13.1-3.module+el8.4.0+9822+20bf1249.src.rpm  
python-py-1.10.0-1.module+el8.4.0+9822+20bf1249.src.rpm  
python-wcwidth-0.2.5-3.module+el8.4.0+9822+20bf1249.src.rpm  
python3x-pyparsing-2.4.7-5.module+el8.4.0+9822+20bf1249.src.rpm

aarch64:  
Cython-debugsource-0.29.21-5.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-Cython-0.29.21-5.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-Cython-debuginfo-0.29.21-5.module+el8.4.0+9822+20bf1249.aarch64.rpm  
python39-debug-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.aarch64.rpm  
python39-pybind11-2.7.1-1.module+el8.6.0+12838+640e6226.aarch64.rpm  
python39-pybind11-devel-2.7.1-1.module+el8.6.0+12838+640e6226.aarch64.rpm

noarch:  
python39-attrs-20.3.0-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-iniconfig-1.1.1-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-more-itertools-8.5.0-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-packaging-20.4-4.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-pluggy-0.13.1-3.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-py-1.10.0-1.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-pyparsing-2.4.7-5.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-pytest-6.0.2-2.module+el8.4.0+9822+20bf1249.noarch.rpm  
python39-wcwidth-0.2.5-3.module+el8.4.0+9822+20bf1249.noarch.rpm

ppc64le:  
Cython-debugsource-0.29.21-5.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-Cython-0.29.21-5.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-Cython-debuginfo-0.29.21-5.module+el8.4.0+9822+20bf1249.ppc64le.rpm  
python39-debug-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.ppc64le.rpm  
python39-pybind11-2.7.1-1.module+el8.6.0+12838+640e6226.ppc64le.rpm  
python39-pybind11-devel-2.7.1-1.module+el8.6.0+12838+640e6226.ppc64le.rpm

s390x:  
Cython-debugsource-0.29.21-5.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-Cython-0.29.21-5.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-Cython-debuginfo-0.29.21-5.module+el8.4.0+9822+20bf1249.s390x.rpm  
python39-debug-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.s390x.rpm  
python39-pybind11-2.7.1-1.module+el8.6.0+12838+640e6226.s390x.rpm  
python39-pybind11-devel-2.7.1-1.module+el8.6.0+12838+640e6226.s390x.rpm

x86_64:  
Cython-debugsource-0.29.21-5.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-Cython-0.29.21-5.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-Cython-debuginfo-0.29.21-5.module+el8.4.0+9822+20bf1249.x86_64.rpm  
python39-debug-3.9.7-2.module+el8.6.0+19096+84e0c2a8.1.x86_64.rpm  
python39-pybind11-2.7.1-1.module+el8.6.0+12838+640e6226.x86_64.rpm  
python39-pybind11-devel-2.7.1-1.module+el8.6.0+12838+640e6226.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJRtt9zjgjWX9erEAQhFmhAAi3llMOus7frcukGGKVgl14m71Zc9Jd4H  
Y95ludcyM1/vG65fvgWOj5OK1ar3124AmhzyKYr+ScPUfYeXKrW+yROva9sOrXbJ  
9afGjsKvzmweu1re3IUhDCmZvxCiSXship0AuZ261HXbd/Q5ifAGcChd3USWlgeX  
XrcUyucYkG5+kTT9vQjPIitfHVxWIJfAEoT3teainNk0JoUwAyDMivwhp/5YDd9f  
xGSnASzS/8+USTECxw16Jhld2edXQzySjhXZOuPRKp6ZoPDKy2YYOPgiFL6fxYGk  
6+d5gKgHqBV2Q/m87aTPzyd5t6ez9u+X2o3N2v1GeV6HWWLKkxVqR6cKH6Ez/GAg  
ZF8B67We7C40iFeNBL5NA6wiVTt6e//KYmVYlhlYb6Rtly0z8pzYsNE6OamzuB8e  
561rxZJPgZXBMbI7OWH8wmDeJ7+R6ZpDfxskp+FNz7FTU6Fujbm/0XOCTNYYUPbp  
J+wXReOAoZhsb9/W9trxwVu8Pqe67WPGq7mXNDqD44ckaCsetYKPronkbl52DJqs  
+D3nPrPdpcf+++ZPaIcA4aQYnYCpM6H9R1qsvlQDBBt6sFY0BO82ZjWN5kCZ/yqD  
bciAnMDto2nkKkyB1oNHug9z41eMXp7NucdN2leExNSJ1e7Zx5zV+Wkk9IIYvU+y  
dCj4PJ1S71s=  
=2saI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3776-01

Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.

Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

\==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8  
READ of size 4 at 0x60200001137a thread T1  
#0 0x49b786 in \_\_asan\_memcpy (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786)  
#1 0x4d5def in capture\_ws\_check\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9  
#2 0x4d177f in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9  
#3 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)  
#4 0x7fa068127f67 in pcap\_loop (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x11f67)  
#5 0x4cf5c9 in capture\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5  
#6 0x7fa0680f9608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8  
#7 0x7fa067ea4132 in \_\_clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region \[0x602000011370,0x602000011374)  
allocated by thread T1 here:  
#0 0x49c3cd in \_\_interceptor\_malloc (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49c3cd)  
#1 0x4dc743 in packet\_set\_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27  
#2 0x4d4bd5 in capture\_packet\_reasm\_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9  
#3 0x4d1722 in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21  
#4 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:  
#0 0x486a8c in pthread\_create (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x486a8c)  
#1 0x4d712c in capture\_launch\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13  
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9  
#3 0x7fa067da9082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa  
\=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04\[fa\]  
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==909699==ABORTING

**Command To Reproduce the bug:**

./sngrep -N -I $crash\_seed  
The URL of crash\_seed is crash\_seed

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   ndisasm: 1.6.0

Many Thanks.

CVE-2023-36192: heap-buffer-overflow on capture.c:923:9 · Issue #438 · irontec/sngrep

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.

Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

**Command To Reproduce the bug:**

./gifsicle --loopcount=-

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   gifsicle 1.93

**ASAN Report**

\=================================================================  
\==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8  
READ of size 1 at 0x60300000005a thread T0  
#0 0x4dd2b3 in ambiguity\_error /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62  
#1 0x4d17b1 in parse\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1216:9  
#2 0x4d949e in Clp\_Next /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1967:6  
#3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1533:15  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#5 0x41d4cd in \_start (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region \[0x603000000040,0x603000000058)  
allocated by thread T0 here:  
#0 0x499c7d in \_\_interceptor\_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x499c7d)  
#1 0x4d4a20 in finish\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1230:50  
#2 0x4d47fc in Clp\_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1332:9  
#3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1461:3  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62 in ambiguity\_error  
Shadow bytes around the buggy address:  
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00\[fa\]fa fa 00 00  
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa  
0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==956047==ABORTING

Many Thanks.  
cheng meng da

CVE-2023-36193: heap-buffer-overflow in ambiguity_error · Issue #191 · kohler/gifsicle

FLVMeta v1.2.1 was discovered to contain a buffer overflow via the xml_on_metadata_tag_only function at dump_xml.c.

**Memory allocation failure in xml\_on\_metadata\_tag\_only() at dump\_xml.c:271**

Memory allocation failure in the flvmeta at function xml\_on\_metadata\_tag\_only in dump\_xml.c:271.

**Environment**

Ubuntu 18.04, 64 bit  
FLVMeta 1.2.1

**Steps to reproduce**

1.  download file

    wget https://github.com/noirotm/flvmeta/archive/refs/tags/v1.2.1.tar.gz
    tar -zxvf v1.2.1.tar.gz
    

2.  compile libming with ASAN

    cd flvmeta-1.2.1
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -Wno-error" cmake -DCMAKE_C_COMPILER=wllvm -DCMAKE_CXX_COMPILER=wllvm++ -B obj-bc -G"Unix Makefiles" 
    cd obj-bc
    make
    
    cd src
    extract-bc flvmeta
    clang -fsanitize=address flvmeta.bc -o flvmeta_asan
    

3.  command for reproducing the error

Download poc:  
flvmeta\_memory-allocation-failure\_dumpxml271.zip

**ASAN report**

    root@a71b82b5d288:~/dataset/flvmeta-1.2.1/obj-bc/src# ./flvmeta_asan flvmeta_memory-allocation-failure_dumpxml271 
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
    ==30124==The signal is caused by a READ memory access.
    ==30124==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
        #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
        #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
        #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
        #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
        #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
    ==30124==ABORTING

CVE-2023-36243: Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271 · Issue #19 · noirotm/flvmeta

libming listswf 0.4.7 was discovered to contain a buffer overflow in the parseSWF_DEFINEFONTINFO() function at parser.c.

**Allocation size overflow in parseSWF\_DEFINEFONTINFO() at parser.c:1948**

Allocation size overflow in the listswf at function parseSWF\_DEFINEFONTINFO in parser.c:1948.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.7

**Steps to reproduce**

1.  download file

    git clone https://github.com/libming/libming.git libming-ming-0_4_7
    

2.  compile libming with ASAN

    cd libming-ming-0_4_7
    git checkout 5aa3470
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc listswf
    clang -fsanitize=address -lz -lm listswf.bc -o listswf_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-7\_listswf\_allocation-size-overflow\_parser1948.zip

**ASAN report**

    root@a71b82b5d288:~/dataset/libming-ming-0_4_7/obj-bc/bin# ./listswf_asan libming_0-4-7_listswf_allocation-size-overflow_parser1948.swf 
    header indicates a filesize of 6350 but filesize is 296
    File version: 10
    File size: 296
    Frame size: (0,0)x(0,0)
    Frame rate: 237.609375 / sec.
    Total frames: 31640
    =================================================================
    ==29667==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffed6 (0x6d8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ade60 in malloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x50fefd in parseSWF_DEFINEFONTINFO /root/dataset/libming-ming-0_4_7/util/parser.c:1948:34
        #2 0x4fefda in blockParse /root/dataset/libming-ming-0_4_7/util/blocktypes.c:145:14
        #3 0x4fceb2 in readMovie /root/dataset/libming-ming-0_4_7/util/main.c:265:11
        #4 0x4fca7d in main /root/dataset/libming-ming-0_4_7/util/main.c:350:2
        #5 0x7fa41cb57c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==29667==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==29667==ABORTING

CVE-2023-36239: Allocation size overflow in parseSWF_DEFINEFONTINFO() at parser.c:1948 · Issue #273 · libming/libming

An issue in the GDKfree component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes in GDKfree after executing SQL statements through mclient.

**To Reproduce**

1.  Use mclient to connect MonetDB server;
2.  Try to execute the following SQL statements **multiple times**. Sometimes they will crash the server. (On my machine, the server crashes after repeating executing these SQLs with at most 4 times)

DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f280338000b (gsignal+0xcb)
    #1 0x7f280335f859 (abort+0x12b)
    #2 0x7f28033ca26e (__fsetlocking+0x42e)
    #3 0x7f28033d22fc (pthread_attr_setschedparam+0x54c)
    #4 0x7f28033d3f6d (pthread_attr_setschedparam+0x21bd)
    #5 0x7f280414f765 (GDKfree+0x25)
    #6 0x7f280377af7b (destroy_delta+0x7b)
    #7 0x7f280377576d (destroy_col+0x2d)
    #8 0x7f2803745345 (column_destroy+0x45)
    #9 0x7f2803761ec2 (list_destroy2+0xa2)
    #10 0x7f2803760d14 (ol_destroy+0x34)
    #11 0x7f2803745450 (table_destroy+0x90)
    #12 0x7f280375ec17 (objectversion_destroy+0x77)
    #13 0x7f280375eb4f (os_destroy+0xcf)
    #14 0x7f2803750cdc (schema_destroy+0x7c)
    #15 0x7f280375ec17 (objectversion_destroy+0x77)
    #16 0x7f280376065d (objectversion_destroy_recursive+0x3d)
    #17 0x7f2803760345 (tc_gc_objectversion+0x75)
    #18 0x7f280374a307 (store_pending_changes+0x307)
    #19 0x7f280374ea87 (sql_trans_commit+0x567)
    #20 0x7f2803759353 (sql_trans_end+0x83)
    #21 0x7f280379c10c (mvc_commit+0x4fc)
    #22 0x7f280369d564 (SQLengine_+0x284)
    #23 0x7f280369c343 (SQLengine+0x23)
    #24 0x7f2803a2b6cf (runScenario+0x4f)
    #25 0x7f2803a2c16c (MSscheduleClient+0x68c)
    #26 0x7f2803ad3c2b (doChallenge+0xfb)
    #27 0x7f2804152ba0 (THRstarter+0x100)
    #28 0x7f28041c2cc4 (thread_starter+0x34)
    #29 0x7f2803537609 (start_thread+0xd9)
    #30 0x7f280345c133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

If the crash cannot be reproduced easily, please tell me. I will try to provide the whole steps to trigger the crash as possible.

Could **not** reproduce the crash with MonetDB 5 server v11.45.17 (Sep2022-SP3).  
We will add a test case to see if any memory leaks are detected.

I write a bash script to reproduce. It use the docker image of MonetDB v11.45.17 (Sep2022-SP3). Maybe it can help to reproduce the crash.

#!/bin/bash

######################################################
#\# Build the image of MonetDB and start a container.  
######################################################
docker pull monetdb/monetdb:Sep2022-SP3
docker run -e MDB\_DB\_ADMIN\_PASS=monetdb -d -p 50000:50000 --name monetdb monetdb/monetdb:Sep2022-SP3
docker container restart monetdb

echo -e "user=monetdb\\npassword=monetdb" | docker exec -i monetdb tee /root/.monetdb

echo "Waiting the monetdb server to start..."
while ! docker exec monetdb mclient monetdb \> /dev/null 2> /dev/null
do
    echo -n "."
done

docker exec monetdb dnf install procps-ng -y

#################################################
#\# Get current PID of the mserver5 process. 
#\# as the mserver5 will be restart automatically 
#\# after crashing in the docker container,
#\# we check a crash by comparing the PIDs.
#################################################
echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
docker exec monetdb pidof mserver5
echo -ne "\\033\[0m"
oldPid=$(docker exec monetdb pidof mserver5)

#\# Loop the SQL test cases.
for (( i\=0; i<200; ++i ))
do

echo -n "."

echo "DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
SET SCHEMA test;
CREATE TABLE src (src\_c1\_pkey INT, c1 VARCHAR(100));
START TRANSACTION;
DELETE   FROM src;
ALTER TABLE src DROP src\_c1\_pkey;
INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10);
COMMIT;
SET SCHEMA sys;
DROP SCHEMA test CASCADE;
CREATE SCHEMA test;
" | docker exec -i monetdb mclient monetdb 2>&1 | grep --color=always "unexpected end of file\\|Challenge string is not valid, it is empty" && break

done

#############################################
#\# Check whether some errors occurred.
#############################################
if ! docker exec monetdb mclient monetdb
then
    echo "The server or client seems unavailable".
else
    echo -ne "Check PID of mserver5: \\033\[0;32m\\033\[1m"
    docker exec monetdb pidof mserver5
    echo -ne "\\033\[0m"
    nowPid=$(docker exec monetdb pidof mserver5)
    
    if (( nowPid != oldPid ))
    then
        echo "Different PIDs. Maybe a crash occurred?"
    else
        echo "Everything seems ok... Maybe not a bug."
    fi
fi

CVE-2023-36371: MonetDB server 11.46.0 crashes in `GDKfree` · Issue #7385 · MonetDB/MonetDB

An issue in the list_append component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server 11.46.0 crashes at list_append after executing SQL statements through mclient.

**To Reproduce**

create table t1(c1 int auto\_increment primary key NOT NULL);
create trigger i1 after insert on t1 for each row insert into t1 values(NULL);
insert into t1 values(NULL);

**Expected behavior**  
This crash is strange. From the backtrace as follows, we can know that the crash is caused by infinite recursion.

However, if we change the first statement into create table t1(c1 int);, the MonetDB will return the message Query too complex: running out of stack space when executing the third stmt. So, MonetDB handles out of stack space, but it does not work with some special table definitions?

What's more, the definition of the table contains the NOT NULL constraint, which should fail the third stmt. If we remove the create trigger statement, MonetDB will return the message INSERT INTO: NOT NULL constraint violated for column t1.c1 when executing the insert stmt. But with the create trigger stmt, it crashes instead.

Anyway, I think the expected behavior is to return the error message Query too complex: running out of stack space or INSERT INTO: NOT NULL constraint violated for column t1.c1, instead of crashing straightly.

**Backtrace**

    #0 0x7f0c3760dbda (list_append+0x1a)
    #1 0x7f0c376669c6 (rel_insert+0x196)
    #2 0x7f0c3766abb3 (rel_updates+0x1ce3)
    #3 0x7f0c376c6c11 (sequential_block+0x121)
    #4 0x7f0c376c52dc (rel_psm+0x131c)
    #5 0x7f0c37653091 (rel_semantic+0x91)
    #6 0x7f0c37652e6a (rel_parse+0x19a)
    #7 0x7f0c37563102 (sql_insert_triggers+0x232)
    #8 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #9 0x7f0c37554539 (subrel_bin+0xd69)
    #10 0x7f0c3755f218 (exp_bin+0x29e8)
    #11 0x7f0c37558567 (subrel_bin+0x4d97)
    #12 0x7f0c37563162 (sql_insert_triggers+0x292)
    #13 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #14 0x7f0c37554539 (subrel_bin+0xd69)
    #15 0x7f0c3755f218 (exp_bin+0x29e8)
    #16 0x7f0c37558567 (subrel_bin+0x4d97)
    #17 0x7f0c37563162 (sql_insert_triggers+0x292)
    ...
    #7407 0x7f0c37563162 (sql_insert_triggers+0x292)
    #7408 0x7f0c3755bb5e (rel2bin_insert+0x148e)
    #7409 0x7f0c37554539 (subrel_bin+0xd69)
    #7410 0x7f0c3755373b (output_rel_bin+0x6b)
    #7411 0x7f0c3757f9d9 (backend_dumpstmt+0x199)
    #7412 0x7f0c3754a367 (SQLparser+0x5d7)
    #7413 0x7f0c3754987b (SQLengine_+0x59b)
    #7414 0x7f0c37548343 (SQLengine+0x23)
    #7415 0x7f0c378d76cf (runScenario+0x4f)
    #7416 0x7f0c378d816c (MSscheduleClient+0x68c)
    #7417 0x7f0c3797fc2b (doChallenge+0xfb)
    #7418 0x7f0c37ffeba0 (THRstarter+0x100)
    #7419 0x7f0c3806ecc4 (thread_starter+0x34)
    #7420 0x7f0c373e3609 (start_thread+0xd9)
    #7421 0x7f0c37308133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

**Issue labeling**  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36369: MonetDB server 11.46.0 crashes at `list_append` · Issue #7383 · MonetDB/MonetDB

An issue in the cs_bind_ubat component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

**Describe the bug**  
MonetDB server crashes at cs_bind_ubat after executing SQL statements through ODBC.

**To Reproduce**

CREATE TABLE t2 (c1 int, t1 int, c2 int);
INSERT INTO t2 VALUES(127,255,1),(127,1,2),(\-128,0,3),(\-128,2,4),(\-1,NULL,5);
INSERT INTO t2 VALUES(200,126,1),(250,\-127,2);
INSERT INTO t2 VALUES (\-128,0,1),(\-1,1,1),(\-2,2,2),(\-3,3,3),(\-4,4,4),(\-5,5,5),(\-6,6,6),(0,0,7),(1,1,8),(2,NULL,9),(3,NULL,10),(127,255,11);
DELETE FROM t2 WHERE c1 IN (\-2, 0);
START TRANSACTION;
UPDATE t2 SET c2 \= c2 + 100;
UPDATE t2 SET c2 \= c2 + 100;

**Expected behavior**  
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.

**Backtrace**

    #0 0x7f6388374871 (cs_bind_ubat+0x151)
    #1 0x7f6388373483 (bind_ubat+0x43)
    #2 0x7f638836d860 (bind_updates+0xe0)
    #3 0x7f63882854ce (mvc_bind_wrap+0x28e)
    #4 0x7f6388614c63 (runMALsequence+0x763)
    #5 0x7f63886185d4 (DFLOWworker+0x2c4)
    #6 0x7f6388d4fba0 (THRstarter+0x100)
    #7 0x7f6388dbfcc4 (thread_starter+0x34)
    #8 0x7f6388134609 (start_thread+0xd9)
    #9 0x7f6388059133 (clone+0x43)
    

**Software versions**

*   MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
*   MonetDB ODBC version: 11.46.0
*   OS and version: ubuntu 20.04
*   Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo

\*\*Issue labeling \*\*  
bug

**Additional context**  
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.

CVE-2023-36368: MonetDB server 11.46.0 crashes at cs_bind_ubat · Issue #7379 · MonetDB/MonetDB

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
    poc: Warning, Nonstandard tile width 1, convert file.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
    _TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFAdvanceDirectory: Error fetching directory count.
    Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
    Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
    Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
    Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    =================================================================
    ==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
    READ of size 1 at 0x6330000188ec thread T0
        #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
        #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
        #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
    allocated by thread T0 here:
        #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
        #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
        #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
    Shadow bytes around the buggy address:
      0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1821995==ABORTING

**poc**

poc

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits()  at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

Tag

#c++