tifig v0.2.2 was discovered to contain a heap-buffer overflow via __asan_memmove at /asan/asan_interceptors_memintrinsics.cpp.

Hi, by testing this repo, i found something unusual.

**crash sample**

id0\_heap\_buffer\_overflow\_in \_\_asan\_memmove.zip

**command to reproduce**

./tifig -p -v [sample file] /dev/null

**crash detail**

    ==29736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000d4687 at pc 0x0000004b4535 bp 0x7ffc7c0154e0 sp 0x7ffc7c014c90
    READ of size 2891617427 at 0x6110000d4687 thread T0
        #0 0x4b4534 in __asan_memmove /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30
        #1 0x5b3d50 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:368:6
        #2 0x5b3d50 in unsigned char* std::__copy_move_a<false, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:385:14
        #3 0x5b3d50 in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:422:18
        #4 0x5b3d50 in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:454:15
        #5 0x5b3d50 in unsigned char* std::__uninitialized_copy<true>::__uninit_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:101:18
        #6 0x5b3d50 in unsigned char* std::uninitialized_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:131:14
        #7 0x5b3d50 in unsigned char* std::__uninitialized_copy_a<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, unsigned char>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, std::allocator<unsigned char>&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:289:14
        #8 0x5b3d50 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:682:11
        #9 0x67e24d in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1411:4
        #10 0x67e24d in __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1132:4
        #11 0x67e24d in BitStream::read8BitsArray(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned int) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:269:10
        #12 0x5f4b66 in HevcImageFileReader::getHevcItemData(std::vector<unsigned char, std::allocator<unsigned char> > const&, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1584:19
        #13 0x5ee77b in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:508:13
        #14 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #15 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #16 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #17 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #18 0x7fd207d3ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #19 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    0x6110000d4687 is located 0 bytes to the right of 199-byte region [0x6110000d45c0,0x6110000d4687)
    allocated by thread T0 here:
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x678295 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x678295 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:187:33
        #5 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:138:9
        #6 0x678295 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:9
        #7 0x678295 in BitStream::BitStream(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:28:5
        #8 0x6110000d4546  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30 in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c2280012880: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c22800128a0: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
      0x0c22800128b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c22800128c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c22800128d0:[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==29736==ABORTING

CVE-2022-36150: Heap buffer overflow  · Issue #68 · monostream/tifig

tifig v0.2.2 was discovered to contain a segmentation violation via std::vector<unsigned int, std::allocator<unsigned int> >::size() const at /bits/stl_vector.h.

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==74081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000006c2382 bp 0x000000000038 sp 0x7ffe63ff83a0 T0)
    ==74081==The signal is caused by a READ memory access.
    ==74081==Hint: address points to the zero page.
        #0 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h
        #1 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::vector(std::vector<unsigned int, std::allocator<unsigned int> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:19
        #2 0x6c2382 in SingleItemTypeReferenceBox::getToItemIds() const /home/bupt/Desktop/tifig/lib/heif/Srcs/common/itemreferencebox.cpp:84:12
        #3 0x5efc25 in HevcImageFileReader::readItem(MetaBox const&, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:2028:47
        #4 0x5ee016 in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:475:13
        #5 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #6 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #7 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7f3180c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h in std::vector<unsigned int, std::allocator<unsigned int> >::size() const
    ==74081==ABORTING

CVE-2022-36153: SEGV in this repo · Issue #71 · monostream/tifig

tifig v0.2.2 was discovered to contain a memory leak via operator new[](unsigned long) at /asan/asan_new_delete.cpp.

**crash sample**

id0\_memory\_leakF9.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74044==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7fbe4f6c3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s).
    
    

\### crash sample

id27\_memory\_leak\_F7.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74125==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 17301504 byte(s) in 22 object(s) allocated from:
        #0 0x4b4e50 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x501db8 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:107:31
    
    Direct leak of 1145232 byte(s) in 88 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    Direct leak of 5632 byte(s) in 22 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x501d15 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:87:30
    
    Direct leak of 1936 byte(s) in 22 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
        #2 0x5b8b48 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<RgbData>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<RgbData (*)(std::vector<unsigned char, std::allocator<unsigned char> >), std::vector<unsigned char, std::allocator<unsigned char> > > >, RgbData> >::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
        #3 0x5b86b5 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #4 0x5b86b5 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/future:561:27
        #5 0x7f14648c6906 in __pthread_once_slow /build/glibc-CVJwZb/glibc-2.27/nptl/pthread_once.c:116
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7f1460d4cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 9347778 byte(s) in 572 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    SUMMARY: AddressSanitizer: 27802092 byte(s) leaked in 727 allocation(s).

CVE-2022-36152: Issues in this repor about memory leak · Issue #72 · monostream/tifig

tifig v0.2.2 was discovered to contain a resource allocation issue via operator new(unsigned long) at asan_new_delete.cpp.

**carsh sample**

id41\_allocation\_too\_big.zip

**command to reproduce**

../tifig -v -p [crash sample ] /dev/null

**crash detail**

    ==74167==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    [hevc @ 0x61a000000080] PPS id out of range: 0
    [hevc @ 0x61a000000080] Error parsing NAL unit #0.
    Error sending packet to HEVC decoder: Invalid data found when processing input
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x5b3b01 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x5b3b01 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x5b3b01 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x5b3b01 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:673:29
    
    ==74167==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99 in operator new(unsigned long)
    ==74167==ABORTING

CVE-2022-36155: Issue about resources allocate · Issue #73 · monostream/tifig

PNGDec commit 8abf6be was discovered to contain a FPE via SaveBMP at /linux/main.cpp.

hi, i found something unusual in this repo, are they new bugs ?  
To reproduce the crash please use command: ./png_demo @@ /dev/null (replace @@ to the sample's path)

**FPE****crash sample**

id0-FPE-sample1.zip

**crash info**

    AddressSanitizer:DEADLYSIGNAL
    ==22761==ERROR: AddressSanitizer: FPE on unknown address 0x0000004f4665 (pc 0x0000004f4665 bp 0x7fffaf2c27f0 sp 0x7fffaf2c19e0 T0)
        #0 0x4f4665 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:56:21
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7f42d9d84c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/PNGdec/linux/main.cpp:56:21 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    ==22761==ABORTING
    

**heap-buffer-overflow****crash sample No.1**

id1-heap-buffer-overflow-sample1.zip

**crash info of sample No.1**

    ==22802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x00000043b61c bp 0x7ffefb2a1690 sp 0x7ffefb2a0e40
    READ of size 40 at 0x602000000011 thread T0
        #0 0x43b61b in __interceptor_fwrite.part.57 /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x4f491a in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:89:13
        #2 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #3 0x7f0ed9adfc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #4 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22802==ABORTING
    

**crash sample No.2**

id2-heap-buffer-overflow-sample2.zip

**crash info of sample No.2**

    ==22853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220000017b0 at pc 0x0000004ad554 bp 0x7ffc9c610730 sp 0x7ffc9c60fee0
    WRITE of size 132 at 0x6220000017b0 thread T0
        #0 0x4ad553 in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x4fc310 in DecodePNG(png_image_tag*, void*, int) /home/bupt/Desktop/PNGdec/linux/../src/png.inl:801:33
        #2 0x4fc310 in PNG::decode(void*, int) /home/bupt/Desktop/PNGdec/linux/../src/PNGdec.cpp:194:12
        #3 0x4f5207 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:129:18
        #4 0x7f6fa7b19c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x6220000017b0 is located 0 bytes to the right of 5808-byte region [0x622000000100,0x6220000017b0)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c447fff82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c447fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c447fff82f0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
      0x0c447fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c447fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22853==ABORTING
    

**crash sample No.3**

id8-heap-buffer-overflow-sample3.zip

**crash info of sample No.3**

    ==23090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fad078fceb2 at pc 0x0000004f4e69 bp 0x7ffe0c9898b0 sp 0x7ffe0c9898a8
    READ of size 1 at 0x7fad078fceb2 thread T0
        #0 0x4f4e68 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:84:24
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7fad0ae1dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x7fad078fceb2 is located 2 bytes to the right of 2013271728-byte region [0x7fac8f8fb800,0x7fad078fceb0)
    allocated by thread T0 here:
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/PNGdec/linux/main.cpp:84:24 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    Shadow bytes around the buggy address:
      0x0ff620f17980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f17990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff620f179c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff620f179d0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
      0x0ff620f179e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f179f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff620f17a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==23090==ABORTING
    

**stack-buffer-overflow****crash sample No.1**

id12-stack-buffer-overflow-sample1.zip

**crash info of sample No.1**

    ==26778==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0d703c40 at pc 0x0000004f4e82 bp 0x7ffc0d702f90 sp 0x7ffc0d702f88
    WRITE of size 1 at 0x7ffc0d703c40 thread T0
        #0 0x4f4e81 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:84:48
        #1 0x4f5311 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:144:9
        #2 0x7fd91072ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #3 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    Address 0x7ffc0d703c40 is located in stack of thread T0 at offset 3232 in frame
        #0 0x4f425f in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int) /home/bupt/Desktop/PNGdec/linux/main.cpp:26
    
      This frame has 2 object(s):
        [32, 1056) 'ucTemp' (line 31)
        [1184, 3232) 'ucTemp76' (line 80) <== Memory access at offset 3232 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/bupt/Desktop/PNGdec/linux/main.cpp:84:48 in SaveBMP(char*, unsigned char*, unsigned char*, int, int, int)
    Shadow bytes around the buggy address:
      0x100001ad8730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad8770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100001ad8780: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x100001ad8790: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x100001ad87a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001ad87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26778==ABORTING
    
    

**global-buffer-overflow****crash sample**

id13-global-buffer-overflow-sample1.zip

**crash info of the sample**

    ==26922==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000101b510 at pc 0x00000051493d bp 0x7ffe4b62fc20 sp 0x7ffe4b62fc18
    WRITE of size 1 at 0x00000101b510 thread T0
        #0 0x51493c in inflate_fast /home/bupt/Desktop/PNGdec/linux/../src/inffast.c:275:36
        #1 0x5180f8 in inflate /home/bupt/Desktop/PNGdec/linux/../src/inflate.c:1055:17
        #2 0x4f74e0 in DecodePNG(png_image_tag*, void*, int) /home/bupt/Desktop/PNGdec/linux/../src/png.inl:783:31
        #3 0x4f74e0 in PNG::decode(void*, int) /home/bupt/Desktop/PNGdec/linux/../src/PNGdec.cpp:194:12
        #4 0x4f5207 in main /home/bupt/Desktop/PNGdec/linux/main.cpp:129:18
        #5 0x7f5825c48c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c129 in _start (/home/bupt/Desktop/PNGdec/linux/png_demo+0x41c129)
    
    0x00000101b510 is located 0 bytes to the right of global variable 'png' defined in 'main.cpp:10:5' (0x100f8a0) of size 48240
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/PNGdec/linux/../src/inffast.c:275:36 in inflate_fast
    Shadow bytes around the buggy address:
      0x0000801fb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801fb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801fb6a0: 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801fb6f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==26922==ABORTING
    

**memory allocation problem****crash sample No.1**

id5-memory-allocation-problem-sample1.zip

**crash info of sample No.1**

    ==22984==ERROR: AddressSanitizer: requested allocation size 0xffffffff837c16b0 (0xffffffff837c26b0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae6f0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x4f51ec in main /home/bupt/Desktop/PNGdec/linux/main.cpp:128:34
    
    ==22984==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==22984==ABORTING

CVE-2022-35013: BUGS FOUND · Issue #10 · bitbank2/PNGdec

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Win32.Ransom.BlueSkyVulnerability: Arbitrary Code ExecutionDescription: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: BlueSkyType: PE32MD5: 961fa85207cdc4ef86a076bbff07a409Vuln ID: MVID-2022-0632Disclosure: 08/13/2022PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERMExploit/PoC:1) Compile the following C code as "CRYPTSP.dll" 32-bit2) Place the DLL in same directory as the vuln BlueSky ransomware3) Run malware#include "windows.h"//By malvuln - August 2022//Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409//gcc -c CRYPTSP.c -m32//gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.Ransom.BlueSky MVID-2022-0632 Code Execution

Gentoo Linux Security Advisory 202208-21 - A heap-based buffer overflow in libeml might allow attackers to execute arbitrary code. Versions less than 1.4.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libebml: Heap buffer overflow vulnerability  
     Date: August 14, 2022  
     Bugs: #772272  
       ID: 202208-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A heap-based buffer overflow in libeml might allow attackers to execute  
arbitrary code.

Background  
=========  
libebml is a C++ library to parse EBML files.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libebml           < 1.4.2                      >= 1.4.2

Description  
==========  
On 32bit builds of libebml, the length of a string is miscalculated,  
potentially leading to an exploitable heap overflow.

Impact  
=====  
An attacker able to provide arbitrary input to libebml could achieve arbitrary code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
Users of libebml on 32 bit architectures should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libebml-1.4.2"

References  
=========  
[ 1 ] CVE-2021-3405  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3405

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-21

There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Hello, I found a out of bound write in w3m, function checkType, etc.c:441 while testing my new fuzzer.

**step to reproduce**

export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8  
./w3m $POC

**Environment**

*   Ubuntu 22.04 (docker image)
*   w3m latest commit c515ea8
*   gcc 11.2.0

**ASan log**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
    ==1795279==The signal is caused by a WRITE memory access.
    ==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
        #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
        #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
        #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
        #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
        #4 0x5639810ab87d in main /validate/w3m/main.c:1053
        #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
    ==1795279==ABORTING
    

**Credit**

Han Zheng  
NCNIPC of China  
Hexhive

**POC**

poc0.zip

Copy link

Contributor

****rkta** commented Aug 9, 2022**

On Sun, Aug 07, 2022 at 04:27:40AM -0700, Han Zheng wrote: Hello, I found a out of bound write in w3m, function checkType, etc.c:441 while testing my new fuzzer. ## step to reproduce export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8 ./w3m $POC

Can't reproduce on Debian with the 'poc0' from the attached zip file.

Sorry, I write the wrong command, the command is ./w3m -dump $POC.

Copy link

Author

****kdsjZh** commented Aug 9, 2022 •**

if it didn't work, could you try docker ubuntu 22.04 image with following command? Or you could give me the debian version you use

    apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
    git clone https://github.com/tats/w3m && pushd w3m
    export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
    ./w3m -dump $PATH_TO_POC
    
    

I try again and it works for me.

Copy link

Contributor

****rkta** commented Aug 9, 2022**

On Tue, Aug 09, 2022 at 07:55:19AM -0700, Han Zheng wrote: if it didn't work,

Can not reproduce with '-dump' either.

could you try ubuntu 22.04 image with following command?

I currently don't have time to setup a VM, maybe at the weekend, sorry.

Or you could give me the debian version you use

Debian stable

\`\`\` apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y git clone https://github.com/tats/w3m && pushd w3m export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8 ./w3m -dump $PATH\_TO\_POC \`\`\` I try again and it works for me.

Can you reduce the input file? Does it also reproduce with only the first half or the second half?

Copy link

Author

****kdsjZh** commented Aug 9, 2022 •**

I try debian stable in docker image and it still works.

> I currently don't have time to setup a VM, maybe at the weekend, sorry.

I mean you can install docker in your debian and copy following command :

    docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
    ## now step into the container
    apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
    git clone https://github.com/tats/w3m && pushd w3m
    export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
    wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
    ./w3m -dump ./poc0
    
    

Pls told me if it's still not available. I could try to reduce the input file later. But I guess it's environment's fault.

Copy link

Contributor

****rkta** commented Aug 10, 2022**

On Tue, Aug 09, 2022 at 08:36:15AM -0700, Han Zheng wrote: I try debian stable in docker image and it still works.

I wonder if Docker plays a role here.

\> I currently don't have time to setup a VM, maybe at the weekend, sorry. I mean install docker in your debian and copy following command : \`\`\` docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash ## now step into the container apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y git clone https://github.com/tats/w3m && pushd w3m export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8 wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip ./w3m -dump ./poc0 \`\`\` Pls told me if it's still not available.

Yes, can reproduce this way.

I could try to reduce the input file later.

Works: head -c 9215 poc0 | ./w3m -dump Does not work: tail -c 9215 poc0 | ./w3m -dump head -c 9216 poc0 | tail -c 9215 | ./w3m -dump

Copy link

Author

****kdsjZh** commented Aug 10, 2022 •**

I guess it's not docker. I try to reproduce it in my psychical Desktop (ubuntu 21.10) and success with following command

    ./w3m -dump crashes/id\:000001\,sig\:11\,src\:000876\,time\:8063946\,execs\:818201\,op\:MOpt_core_havoc\,rep\:8
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3904622==ERROR: AddressSanitizer: SEGV on unknown address 0x7f186ce09ffe (pc 0x55c246d22787 bp 0x7f186ce09ffe sp 0x7ffe334beb20 T0)
    ==3904622==The signal is caused by a WRITE memory access.
        #0 0x55c246d22787 in checkType /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441
        #1 0x55c246ce65c2 in loadBuffer /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:7717
        #2 0x55c246d0c074 in loadSomething /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:230
        #3 0x55c246d0c074 in loadGeneralFile /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:2286
        #4 0x55c246ca785d in main /home/kdsj/workspace/benchmarks/reproduce/w3m/main.c:1053
        #5 0x7f186fc77fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7f186fc7807c in __libc_start_main_impl ../csu/libc-start.c:409
        #7 0x55c246cab264 in _start (/home/kdsj/workspace/benchmarks/reproduce/w3m/w3m+0xb3264)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441 in checkType
    ==3904622==ABORTING
    

but when try to rename it to poc0, it failed

    ./w3m -dump crashes/poc0
            ???????????p???�???*��?&?*?p???�???     �???????????????????���???????
    

Although I check again and make sure they're the same crash with same hash....  
I guess the name is to be blamed? or there might be some random factor?

CVE-2022-38223: [BUG] out of bound write in checkType, etc.c:441 · Issue #242 · tats/w3m

A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

**What version of Go are you using (go version)?**

$ go version
go version go1.17.6 darwin/amd64

**Does this issue reproduce with the latest release?**

Yes

**What operating system and processor architecture are you using (go env)?**go env Output  

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin\_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO\_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO\_CFLAGS="-g -O2"
CGO\_CPPFLAGS=""
CGO\_CXXFLAGS="-g -O2"
CGO\_FFLAGS="-g -O2"
CGO\_LDFLAGS="-g -O2"
PKG\_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86\_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx\_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE\_X86\_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1
**What did you do?**

Run https://go.dev/play/p/-iOX1cXown9 ie Float0.GobDecode([]byte{0x1, 0x0, 0x0, 0x0})

**What did you expect to see?**

The program finishing and printing somme Hello, without having allocated too much space

**What did you see instead?**

    panic: runtime error: index out of range [3] with length 2
    
    goroutine 1 [running]:
    encoding/binary.bigEndian.Uint32(...)
    	/usr/local/go-faketime/src/encoding/binary/binary.go:112
    math/big.(*Float).GobDecode(0x60?, {0xc000070f34?, 0xc00006a000?, 0x0?})
    	/usr/local/go-faketime/src/math/big/floatmarsh.go:83 +0x23d
    main.main()
    	/tmp/sandbox1173043807/prog.go:12 +0x56
    
    Program exited.
    

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz  
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49120

Tag

#c++