Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.

We found a heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4).

**Command Input**

podofopdfinfo poc_file 

poc\_file is attached.

**Sanitizer Dump**

    ==3975233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000122f at pc 0x0000004ab677 bp 0x7ffc5060df20 sp 0x7ffc5060d6e8
    READ of size 32 at 0x60300000122f thread T0
        #0 0x4ab676 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x64570f in PoDoFo::PdfEncryptRC4::PdfEncryptRC4(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, int, PoDoFo::PdfEncryptAlgorithm, int, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1132:5
        #2 0x638356 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:556:43
        #3 0x79b3a8 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x798f13 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x71c42e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x71dcdd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x71d8eb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4e1be9 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
        #9 0x4e06b7 in main /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
        #10 0x7f5ed7b54082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x43106d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofopdfinfo+0x43106d)
    
    0x60300000122f is located 0 bytes to the right of 31-byte region [0x603000001210,0x60300000122f)
    allocated by thread T0 here:
        #0 0x4dd3dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7f5ed800487f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x87564a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
        #3 0x868d29 in PoDoFo::InputStream::Read(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/InputStream.cpp:53:12
        #4 0x7e319a in readHexString(PoDoFo::InputStreamDevice&, PoDoFo::charbuff_t<void>&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfTokenizer.cpp:801:16
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0x7ffc50612342  ([stack]+0x20342)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff81f0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8200: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
      0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8220: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
      0x0c067fff8230: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fa
    =>0x0c067fff8240: fa fa 00 00 00[07]fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8250: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8260: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
      0x0c067fff8270: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8280: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8290: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3975233==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31568: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4) · Issue #72 · podofo/podofo

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfDictionary::findKeyParent.

CVE-2023-31556: [podofo-0.10.0]Stack-Overflow · Issue #66 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readPageLabelTree2(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31554: A stack-overflow in pdfimages xpdf4.04

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfObject::DelayedLoad.

When using podofopdfinfo to parse a PDF file, a SIGSEGV error occurs. By debugging with gdb, it was found that the error occurred at line 163 in podofo-0.10.0/src/podofo/main/PdfObject.cpp:

if (m\_IsDelayedLoadDone)

When checking the value of m\_IsDelayedLoadDone with "p" command, it was found that the value was 0x31. As a boolean value, it should only be assigned either 0 or 1, but not any other numbers. Previously, PoDoFo::PdfObject::DelayedLoad was also called and executed normally, but calling this function in the getString() function would result in a failure. The specific gdb bt stack trace is as follows.

**Command Input**

podofopdfinfo poc\_file

poc\_file are attached.

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

poc\_file.zip

CVE-2023-31555: [podofo-0.10.0]a SIGSEGV error occurs · Issue #67 · podofo/podofo

Uncontrolled search path in some Intel(R) oneAPI Toolkit and component software installers before version 4.3.0.251 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® oneAPI Toolkit and Component Software Installers Advisory**

**Summary: **

A potential security vulnerability in some Intel® oneAPI Toolkit and component software installers may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2023-22355

Description: Uncontrolled search path in some Intel(R) oneAPI Toolkit and component software installers before version 4.3.0.251 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Advisor for oneAPI before version 2023.0.

Intel® CPU Runtime for OpenCL™ Applications before version 2023.0.

Intel® Distribution for Python\* programming language before version 2023.0.

Intel® DPC++ Compatibility Tool before version 2023.0.

Intel® Embree Ray Tracing Kernel Library before version 2023.0.

Intel® Fortran Compiler before version 2023.0.

Intel® Implicit SPMD Program Compiler before version 1.18.1.

Intel® Inspector for oneAPI before version 2023.0.

Intel® Integrated Performance Primitives before version 2021.7.

Intel® IPP Cryptography before version 2021.6.3.

Intel® MPI Library before version 2021.8.

Intel® oneAPI Base Toolkit before version 2023.0.

Intel® oneAPI Data Analytics Library before version 2023.0.

Intel® oneAPI Deep Neural Network Library before version 2023.0.

Intel® oneAPI DPC++/C++ Compiler before version 2023.0.

Intel® oneAPI DPC++ Library (oneDPL) before version 2022.0.

Intel® oneAPI HPC Toolkit before version 2023.0.

Intel® oneAPI IoT Toolkit before version 2023.0.

Intel® oneAPI Math Kernel Library before version 2023.0.

Intel® oneAPI Rendering Toolkit before version 2023.0.

Intel® oneAPI Threading Building Blocks before version 2021.8.

Intel® oneAPI Video Processing Library before version 2023.0.

Intel® Open Image Denoise before version 1.4.3.

Intel® Open Volume Kernel Library before version 2023.0.

Intel® OSPRay before version 2023.0.

Intel® OSPRay Studio before version 2023.0.

Intel® Trace Analyzer and Collector before version 2021.8.0.

Intel® VTune™ Profiler for oneAPI before version 2023.0.

**Recommendations:**

Intel recommends updating Intel® oneAPI Toolkits to version 2023.0.0 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html

Intel recommends updating any installed Intel® oneAPI standalone component software to the latest versions.

Updates are available for download at these locations:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html

**Acknowledgements:**

The following issues was found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-22355: INTEL-SA-00819

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.
Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.
The Romanian cybersecurity firm said it first detected the

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed **DownEx**.

Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.

The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.

The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.

The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file.

Opening the attachment leads to the extraction of two files, including a decoy document that's displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background.

The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not unknown, it's said to be a backdoor to establish persistence.

The attacks are also notable for employing a variety of custom tools for carrying out post-exploitation activities. This includes -

*   Two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network,
*   A Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots, and
*   A C++-based malware (diagsvc.exe aka DownEx) that's chiefly designed to exfiltrate files to the C2 server

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Two other variants of DownEx have also been earthed, the first of which executes an intermediate VBScript to harvest and transmit the files in the form of a ZIP archive.

The other version, which is downloaded via a VBE script (slmgr.vbe) from a remote server, eschews C++ for VBScript, but retains the same functionality as the former.

"This is a fileless attack – the DownEx script is executed in memory and never touches the disk," Bitdefender said. "This attack highlights the sophistication of a modern cyberattack. Cybercriminals are finding new methods for making their attacks more reliable."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Sophisticated DownEx Malware Campaign Targeting Central Asian Governments

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the newVar_N in util/decompile.c.

Heap buffer overflow in the latest version of libming at function newVar\_N in util/decompile.c:654.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_heap-buffer-overflow\_decompile654.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_heap-buffer-overflow_decompile654.swf 
    header indicates a filesize of 0 but filesize is 166
    <?php
    $m = new SWFMovie(0);
    
    ming_setscale(1.0);
    $m->setRate(0.000000);
    $m->setDimension(0, 1);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(0);
    
    /* SWF_DOACTION */
        16:SWFACTION_FSCOMMAND2
      Can't get int for type: 10
    =================================================================
    ==60490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x000000439494 bp 0x7ffd310a9d90 sp 0x7ffd310a9540
    READ of size 1025 at 0x619000001880 thread T0
        #0 0x439493 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
        #1 0x5022e5 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:654:11
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
    allocated by thread T0 here:
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x502330 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:657:18
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
    Shadow bytes around the buggy address:
      0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==60490==ABORTING

CVE-2023-30083: Heap buffer overflow in newVar_N() at decompile.c:654 · Issue #266 · libming/libming

An issue found in libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the stackVal function in util/decompile.c.

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
    header indicates a filesize of 4278191411 but filesize is 166
    <?php
    $m = new SWFMovie();
    
    ming_setscale(1.0);
    
    /* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */
    
    $m->setRate(64.855469);
    $m->setDimension(66, 327);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(7440);
     Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.
    
    /* SWF_PROTECT */
    $m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                                ��Qp(#}�m�\_");
     Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.
    
    /* SWF_SETBACKGROUNDCOLOR */
    $m->setBackground(0x2f, 0xed, 0xd1);
     Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.
    
    /* SWF_DEFINETEXT */
    $character24412 = new SWFText(1);
    $character24412->setFont($f392);
    $character24412->setHeight(30910);
    $character24412->setColor(0x79, 0x9d, 0xb2);
    $character24412->moveTo(0, -15327);
    $character24412->addString("X");
    Failed to find branch target!!!
    Looking for: -28887
    
     Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.
    
    /* SWF_DOACTION */
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
    ==60499==The signal is caused by a READ memory access.
        #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
        #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
        #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
        #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
    ==60499==ABORTING

CVE-2023-30084: Invalid memory read in stackVal() at decompile.c:1238 · Issue #268 · libming/libming

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the cws2fws function in util/decompile.c.

Allocation size overflow in the latest version of libming at function cws2fws in util/main.c:111.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_allocation-size-overflow\_main111.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_allocation-size-overflow_main111.swf 
    =================================================================
    ==60493==ERROR: AddressSanitizer: requested allocation size 0xffffffffff000533 (0xffffffffff001538 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x4f9334 in cws2fws /root/compiler1804/libming-ming-0_4_8/util/main.c:111:15
        #2 0x4f99dd in readMovieHeader /root/compiler1804/libming-ming-0_4_8/util/main.c:198:18
        #3 0x4f97ee in main /root/compiler1804/libming-ming-0_4_8/util/main.c:346:5
        #4 0x7f6a64b67c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==60493==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164 in realloc
    ==60493==ABORTING

CVE-2023-30085: Allocation size overflow in cws2fws() at main.c:111 · Issue #267 · libming/libming

Sngrep v1.6.0 was discovered to contain a stack buffer overflow via the function packet_set_payload at /src/packet.c.

How to trigger  
Compile the program with AddressSanitizer  
Run command $ ./sngrep -N -R -I $PoC  
Details  
ASAN report  
$./sngrep -N -R -I $PoC

    Dialog count: 0=================================================================
    ==974123==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fda5fffe9a0 at pc 0x00000049b787 bp 0x7fda5fff98d0 sp 0x7fda5fff9098
    READ of size 57344 at 0x7fda5fffe9a0 thread T1
        #0 0x49b786 in __asan_memcpy (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786)
        #1 0x4dc7f1 in packet_set_payload /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:147:9
        #2 0x4d1697 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:430:9
        #3 0x7fda61bad466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
        #4 0x7fda61b9bf67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
        #5 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
        #6 0x7fda61b6d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #7 0x7fda61918132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    Address 0x7fda5fffe9a0 is located in stack of thread T1 at offset 20512 in frame
        #0 0x4d067f in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:321
    
      This frame has 3 object(s):
        [32, 20512) 'data' (line 333)
        [20768, 20772) 'size_capture' (line 337) <== Memory access at offset 20512 partially underflows this variable
        [20784, 20788) 'size_payload' (line 339) <== Memory access at offset 20512 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T1 created by T0 here:
        #0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
        #1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
        #2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
        #3 0x7fda6181d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0ffbcbff7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ffbcbff7d30: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x0ffbcbff7d40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x0ffbcbff7d50: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
      0x0ffbcbff7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ffbcbff7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==974123==ABORTING

Tag

#c++