A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.

Hi, there.

A Heap-buffer-overflow problem was discovered in wasm::WasmBinaryBuilder::visitBlock(wasm::Block\*) function in simple\_ast.h in /src/wasm/wasm-binary.cpp, as distributed in Binaryen 1.38.26. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./wasm-opt $POC" to reproduce the error.  
POC.zip

git log

    commit 153ba18ba99dc4dcef29a61e1e586af3df8d921d (HEAD -> master, tag: version_65, origin/master, origin/HEAD)
    Author: Alon Zakai <alonzakai@gmail.com>
    Date:   Mon Jan 28 11:32:19 2019 -0800
    
        Handle EM_ASM/EM_JS in LLVM wasm backend O0 output (#1888)
    
        See emscripten-core/emscripten#7928 - we have been optimizing all wasms until now, and noticed this when the wasm object file path did not do so. When not optimizing, our methods of handling EM_ASM and EM_JS fail since the patterns are different.
    
        Specifically, for EM_ASM we hunt for emscripten_asm_const(X, where X is a constant, but without opts it may be a get of a local. For EM_JS, the function body may not just contain a const, but a block with a set of the const and a return of a get later.
    
        This adds logic to track gets and sets in basic blocks, which is sufficient to handle this.
    

The ASAN dumps the stack trace as follows:

    =================================================================
    ==10623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000456 at pc 0x55961cae7862 bp 0x7ffd73795210 sp 0x7ffd73795200
    READ of size 1 at 0x60e000000456 thread T0
        #0 0x55961cae7861 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) /binaryen/src/wasm/wasm-binary.cpp:1805
        #1 0x55961cad63bc in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1687
        #2 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #3 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #4 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #5 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #6 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #7 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #8 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #9 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #10 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #11 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #12 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #13 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #14 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #15 0x55961caed21f in wasm::WasmBinaryBuilder::readFunctions() /binaryen/src/wasm/wasm-binary.cpp:1129
        #16 0x55961caf597f in wasm::WasmBinaryBuilder::read() /binaryen/src/wasm/wasm-binary.cpp:678
        #17 0x55961cba18f7 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:52
        #18 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #19 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #20 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #21 0x55961c77ec39 in _start (/binaryen/build/bin/wasm-opt+0x1c5c39)
    
    0x60e000000456 is located 0 bytes to the right of 150-byte region [0x60e0000003c0,0x60e000000456)
    allocated by thread T0 here:
        #0 0x7fce2a302458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
        #1 0x55961df084ef in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x55961df084ef in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/7/bits/stl_vector.h:172
        #4 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/7/bits/stl_vector.h:187
        #5 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:138
        #6 0x55961df084ef in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:297
        #7 0x55961df084ef in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption, wasm::Flags::DebugOption) /binaryen/src/support/file.cpp:42
        #8 0x55961cb9fbf2 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:44
        #9 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #10 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #11 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /binaryen/src/wasm/wasm-binary.cpp:1805 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*)
    Shadow bytes around the buggy address:
      0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8050: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==10623==ABORTING

CVE-2020-18378: Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26 · Issue #1900 · WebAssembly/binaryen

Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

Heap buffer overflow vulnerability in FilePOSIX::read in File.cpp in audiofile 0.3.6 may cause denial-of-service via a crafted wav file, this bug can be triggered by the executable sfconvert.

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.  
poc.zip

$uname -a  
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86\_64 GNU/Linux

**$./sfconvert poc.wav output format wave  
asan:**

\==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38  
WRITE of size 2 at 0x61a00001f708 thread T0  
#0 0x7f64fd42ee54 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x45e54)  
#1 0x7f64fd14b8cb in FilePOSIX::read(void\*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126  
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353  
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375  
#4 0x7f64fd14ee93 in \_AFfilehandle::readS16(short\*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397  
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289  
#6 0x7f64fd171751 in WAVEFile::readInit(\_AFfilesetup\*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733  
#7 0x7f64fd18067e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356  
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#10 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#11 0x401568 in \_start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region \[0x61a00001f280,0x61a00001f708)  
allocated by thread T0 here:  
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x7f64fd14c4f1 in \_AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80  
#2 0x7f64fd18042e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337  
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#5 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??  
Shadow bytes around the buggy address:  
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c347fffbee0: 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==90086==ABORTING

CVE-2020-18781: one heap buffer overflow in FilePOSIX::read in File.cpp · Issue #56 · mpruett/audiofile

Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file.

CVE-2020-18831

Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.

poc

**0x00 Introduction**

In exempi 2.5.0, I found a heap-based buffer over-read bug in function ID3\_Support::ID3v2Frame::getFrameValue, the ASAN report is as below.

    liwc@ubuntu:~/exempi-master_asan/exempi$ ./exempi -x poc
    processing file poc
    dump_xmp for file poc
    =================================================================
    ==79549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed1 at pc 0x0000004be2ae bp 0x7fffc062ec30 sp 0x7fffc062ec20
    READ of size 4 at 0x60200000eed1 thread T0
        #0 0x4be2ad in GetUns32BE ../../../source/EndianUtils.hpp:152
        #1 0x4c2256 in ID3_Support::ID3v2Frame::getFrameValue(unsigned char, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:702
        #2 0x4de2a0 in MP3_MetaHandler::ProcessXMP() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:334
        #3 0x48aafd in XMPFiles::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, char const**, unsigned int*, XMP_PacketInfo*) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1471
        #4 0x47fac8 in WXMPFiles_GetXMP_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:331
        #5 0x41e353 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, XMP_PacketInfo*) (/home/liwc/exempi-master_asan/exempi/exempi+0x41e353)
        #6 0x40c0f1 in xmp_files_get_new_xmp /home/liwc/exempi-master/exempi/exempi.cpp:346
        #7 0x408d07 in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:244
        #8 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #9 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #10 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #11 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #12 0x407a58 in _start (/home/liwc/exempi-master_asan/exempi/exempi+0x407a58)
    
    0x60200000eed3 is located 0 bytes to the right of 3-byte region [0x60200000eed0,0x60200000eed3)
    allocated by thread T0 here:
        #0 0x7f7b7c53b712 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99712)
        #1 0x4c10c6 in ID3_Support::ID3v2Frame::read(XMP_IO*, unsigned char) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:579
        #2 0x4dd4ae in MP3_MetaHandler::CacheFileData() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:220
        #3 0x48874f in DoOpenFile /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1076
        #4 0x488f8a in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1179
        #5 0x47e415 in WXMPFiles_OpenFile_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:233
        #6 0x41dab4 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/home/liwc/exempi-master_asan/exempi/exempi+0x41dab4)
        #7 0x40bd79 in xmp_files_open_new /home/liwc/exempi-master/exempi/exempi.cpp:294
        #8 0x408ccb in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:242
        #9 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #10 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #11 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #12 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../source/EndianUtils.hpp:152 GetUns32BE
    Shadow bytes around the buggy address:
      0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
      0x0c047fff9dc0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
    =>0x0c047fff9dd0: fa fa 01 fa fa fa 04 fa fa fa[03]fa fa fa 03 fa
      0x0c047fff9de0: fa fa 00 04 fa fa 05 fa fa fa 00 04 fa fa fd fd
      0x0c047fff9df0: fa fa 00 05 fa fa fd fa fa fa 05 fa fa fa 00 00
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==79549==ABORTING

**0x01 Analysis**

I debugged the poc with gdb so that I found the key of this issue.

    bool ID3v2Frame::getFrameValue ( XMP_Uns8 /*majorVersion*/, XMP_Uns32 logicalID, std::string* utf8string )
    {
    
    	XMP_Assert ( (this->content != 0) && (this->contentSize >= 0) && (this->contentSize < 20*1024*1024) );
    
    	if ( this->contentSize == 0 ) {
    		utf8string->erase();
    		return true; // ...it is "of interest", even if empty contents.
    	}
    
    	XMP_Int32 pos = 0;
    	XMP_Uns8 encByte = 0;
    	// WCOP does not have an encoding byte, for all others: use [0] as EncByte, advance pos
    	if ( logicalID != 0x57434F50 ) { // pos1
    		encByte = this->content[0];
    		pos++;
    	}
    
    	// mode specific forks, COMM or USLT
    	bool commMode = ( (logicalID == 0x434F4D4D) || (logicalID == 0x55534C54) );
    
    	switch ( encByte ) { // pos2
    
    		case 0: //ISO-8859-1, 0-terminated
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    
    			char* localPtr  = &this->content[pos];
    			size_t localLen = this->contentSize - pos;
    			ReconcileUtils::Latin1ToUTF8 ( localPtr, localLen, utf8string );
    			break;
    
    		}
    
    		case 1: // Unicode, v2.4: UTF-16 (undetermined Endianess), with BOM, terminated 0x00 00
    		case 2: // UTF-16BE without BOM, terminated 0x00 00
    		{
    			...
    		}
    
    		case 3: // UTF-8 unicode, terminated \0
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    		
    			if ( (GetUns32BE ( &this->content[pos]) & 0xFFFFFF00 ) == 0xEFBBBF00 ) { // pos3
    				pos += 3;	// swallow any BOM, just in case
    			}
    
    			utf8string->assign ( &this->content[pos], (this->contentSize - pos) );
    			break;
    		}
    
    		default:
    			XMP_Throw ( "unknown text encoding", kXMPErr_BadFileFormat ); //COULDDO assume latin-1 or utf-8 as best-effort
    			break;
    
    	}
    
    	return true;
    
    }	// ID3v2Frame::getFrameValue

At pos1, the logicalID did not equal 0x57434f50，so the if branch was satisfied and pos would incremented. Now the encByte was 0x3, the case 3 of switch statement at pos2 was satisfied. We noticed the size of heap buffer this->content was only 3 bytes and it started from 0x60200000eed0.

     →  655	 	if ( logicalID != 0x57434F50 ) {
        656	 		encByte = this->content[0];
        657	 		pos++;
        658	 	}
        659	 
        660	 	// mode specific forks, COMM or USLT
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "exempi", stopped, reason: SINGLE STEP
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    ...
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    gef➤  p logicalID 
    $1 = 0x54504f53
    gef➤  p this->content
    $2 = 0x60200000eed0 "\003\062\061"
    

Then it called the inline function GetUns32BE in EndianUtils.hpp:150 at pos3, and GetUns32BE read 4 bytes from the given addr. At this call site the given addr was 0x60200000eed1, so a 2-bytes heap-based buffer over-read happened.

We can patch this issue by check the length of this->content firstly.

**0x02 Reproduce**

    OS:Ubuntu 16.04 x86_64
    export CFLAGS="-fsanitize=address -ggdb"
    export CXXFLAGS="-fsanitize=address -ggdb"
    export LDFLAGS="-fsanitize=address -ggdb"
    sudo apt install libboost-dev
    sudo apt install libboost-test-dev
    ./autogen.sh
    ./configure --disable-shared
    make
    
    ./exampi/exempi -x POC -o out

**0x03 Discoverer**

WenChao Li of VARAS@IIE

CVE-2020-18651: A heap-based buffer over-read was found in ID3_Support.cpp (#13) · Issues · libopenraw / exempi · GitLab

An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service.

POC:  
zip\_poc.zip

There exisits one invalid memroy access issue in zzip\_disk\_entry\_to\_file\_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. This bug can be triggered by the executable unzzip-mem.

$ unzzip-mem $poc

**ASAN:SIGSEGV**

\==8254==ERROR: AddressSanitizer: SEGV on unknown address 0x1772507f (pc 0xb772ff16 sp 0xbfce6a10 bp 0x0101db82 T0)  
#0 0xb772ff15 in zzip\_disk\_entry\_to\_file\_header /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272  
#1 0xb77390d8 in zzip\_mem\_entry\_new /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:201  
#2 0xb77390d8 in zzip\_mem\_disk\_load /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:160  
#3 0xb77386c7 in zzip\_mem\_disk\_open /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/memdisk.c:94  
#4 0x80ce02e in unzzip\_cat /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:72  
#5 0x80d0fae in unzzip\_extract /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzipcat-mem.c:143  
#6 0x80cd5f0 in main /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/bins/../../bins/unzzip.c:187  
#7 0xb74d7af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)  
#8 0x80caa74 in \_start (/home/rookie/asan/zziplib-master/build/bin/unzzip-mem+0x80caa74)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/rookie/asan/zziplib-master/i686-pc-linux-gnu/zzip/../../zzip/mmapped.c:272 zzip\_disk\_entry\_to\_file\_header  
\==8254==ABORTING

CVE-2020-18770: one invalid memroy access issue in zzip_disk_entry_to_file_header in mmapped.c · Issue #69 · gdraheim/zziplib

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-19187: fuzzpoc/infotocap_poc3.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVE-2020-19185: fuzzpoc/infotocap_poc1.md at master · zjuchenyuan/fuzzpoc

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVE-2020-19186: fuzzpoc/infotocap_poc2.md at master · zjuchenyuan/fuzzpoc

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

We now give each path building operation a budget of 100 signature verifications.

The original `webpki` crate is also affected.

This was previously reported in the original crate <https://github.com/briansmith/webpki/issues/69> and re-reported to us recently.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-fh2r-99q2-6mmg

**rustls-webpki: CPU denial of service in certificate path building**

High severity GitHub Reviewed Published Aug 22, 2023 to the GitHub Advisory Database • Updated Aug 22, 2023

**Package**

cargo rustls-webpki (Rust)

**Affected versions**

< 0.100.2

\>= 0.101.0, < 0.101.4

**Patched versions**

0.100.2

0.101.4

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

We now give each path building operation a budget of 100 signature verifications.

The original webpki crate is also affected.

This was previously reported in the original crate briansmith/webpki#69 and re-reported to us recently.

**References**

*   rustls/webpki@4ea0523
*   rustls/webpki@dcad240
*   https://rustsec.org/advisories/RUSTSEC-2023-0053.html

Published to the GitHub Advisory Database

Aug 22, 2023

Last updated

Aug 22, 2023

Tag

#dos