A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_fileio_check function, which could cause a Denial of Service.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -par 1=4:3 POC13
    

POC13.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x5555555db320 --> 0x5dfd555e1548 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0x8a8000032c4 
    RDI: 0x5dfd555e1548 
    RBP: 0x5dfd555e1548 
    RSP: 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>:	test   eax,eax)
    RIP: 0x7ffff77718e2 (<gf_fileio_check+50>:	mov    edx,DWORD PTR [rdi])
    R8 : 0x5555555e0e80 --> 0x7ffff76a11e0 --> 0x7ffff76a11d0 --> 0x7ffff76a11c0 --> 0x7ffff76a11b0 --> 0x7ffff76a11a0 (--> ...)
    R9 : 0x0 
    R10: 0x7ffff76d4625 ("gf_bs_write_long_int")
    R11: 0x7ffff77747d0 (<gf_bs_write_long_int>:	endbr64)
    R12: 0x8a8000032c4 
    R13: 0x0 
    R14: 0x7fffffff84b0 --> 0x0 
    R15: 0x7fffffff8010 --> 0x5555555c7060 --> 0x0
    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff77718db <gf_fileio_check+43>:	je     0x7ffff77718f8 <gf_fileio_check+72>
       0x7ffff77718dd <gf_fileio_check+45>:	test   rdi,rdi
       0x7ffff77718e0 <gf_fileio_check+48>:	je     0x7ffff77718f8 <gf_fileio_check+72>
    => 0x7ffff77718e2 <gf_fileio_check+50>:	mov    edx,DWORD PTR [rdi]
       0x7ffff77718e4 <gf_fileio_check+52>:	test   edx,edx
       0x7ffff77718e6 <gf_fileio_check+54>:	jne    0x7ffff77718f8 <gf_fileio_check+72>
       0x7ffff77718e8 <gf_fileio_check+56>:	xor    eax,eax
       0x7ffff77718ea <gf_fileio_check+58>:	cmp    QWORD PTR [rdi+0x8],rdi
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>:	test   eax,eax)
    0008| 0x7fffffff7fb0 --> 0x8a8000032c4 
    0016| 0x7fffffff7fb8 --> 0x0 
    0024| 0x7fffffff7fc0 --> 0x7fffffff84a0 --> 0x8a8 
    0032| 0x7fffffff7fc8 --> 0x7ffff77767f4 (<gf_bs_seek+452>:	mov    QWORD PTR [rbx+0x18],rbp)
    0040| 0x7fffffff7fd0 --> 0x5555555daa30 --> 0x0 
    0048| 0x7fffffff7fd8 --> 0x5555555db320 --> 0x5dfd555e1548 
    0056| 0x7fffffff7fe0 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff777227c in gf_fseek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff77767f4 in gf_bs_seek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff7910c98 in inplace_shift_mdat () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #4  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #7  0x000055555557bd12 in mp4boxMain ()
    #8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x4, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at ../csu/libc-start.c:308
    #9  0x000055555556d45e in _start ()

CVE-2021-46049: Untrusted pointer dereference in gf_fileio_check() · Issue #2013 · gpac/gpac

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the Media_IsSelfContained function, which could cause a Denial of Service. .

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -hint POC11
    

POC11.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x5569555dfdc4 
    RBX: 0x1 
    RCX: 0x5555555e18c0 --> 0x3712 
    RDX: 0x4015 
    RSI: 0x1 
    RDI: 0x5555555e2840 --> 0x146d646975 
    RBP: 0x5555555e2840 --> 0x146d646975 
    RSP: 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
    RIP: 0x7ffff79286ca (<Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30])
    R8 : 0x5555555e18c0 --> 0x3712 
    R9 : 0x7fffffff7f00 --> 0x2 
    R10: 0x7ffff76d927a ("gf_isom_box_size")
    R11: 0x7ffff76a0be0 --> 0x5555555e8770 --> 0x5555555e18d4 --> 0x640204c700000000 
    R12: 0x14 
    R13: 0x5555555e05c0 --> 0x73747363 ('csts')
    R14: 0x5555555e8740 --> 0x636f3648 ('H6oc')
    R15: 0x1
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff79286c3 <Media_IsSelfContained+19>:	push   rbx
       0x7ffff79286c4 <Media_IsSelfContained+20>:	mov    rax,QWORD PTR [rdi+0x40]
       0x7ffff79286c8 <Media_IsSelfContained+24>:	mov    ebx,esi
    => 0x7ffff79286ca <Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30]
       0x7ffff79286ce <Media_IsSelfContained+30>:	mov    r12,QWORD PTR [rax+0x48]
       0x7ffff79286d2 <Media_IsSelfContained+34>:	test   esi,esi
       0x7ffff79286d4 <Media_IsSelfContained+36>:	je     0x7ffff7928780 <Media_IsSelfContained+208>
       0x7ffff79286da <Media_IsSelfContained+42>:	test   r12,r12
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
    0008| 0x7fffffff7f78 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
    0016| 0x7fffffff7f80 --> 0x14 
    0024| 0x7fffffff7f88 --> 0x7ffff790ffcb (<shift_chunk_offsets.part.0+75>:	test   eax,eax)
    0032| 0x7fffffff7f90 --> 0x5555555e2840 --> 0x146d646975 
    0040| 0x7fffffff7f98 --> 0x5555555e05c0 --> 0x73747363 ('csts')
    0048| 0x7fffffff7fa0 --> 0x0 
    0056| 0x7fffffff7fa8 --> 0x7fffffff7ff0 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff790ffcb in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #4  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #7  0x000055555557bd12 in mp4boxMain ()
    #8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
    #9  0x000055555556d45e in _start ()

CVE-2021-46051: Untrusted pointer dereference in Media_IsSelfContained () · Issue #2011 · gpac/gpac

A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::readFunctions.

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff4416040 (0x00007ffff4416040)
    RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff9970 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff9970 --> 0x0 
    RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff9970 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7b29060 ("/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp")
    R13: 0x8d4 
    R14: 0x7ffff7b2b8e0 ("exceptionTargetNames.empty()")
    R15: 0x615000006200 --> 0x60300001aba0 --> 0x30246c6562616c ('label$0')
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff4460189 <__GI_raise+201>:	syscall 
    => 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
       0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff9970 --> 0x0 
    0008| 0x7fffffff9978 --> 0x4cb020 (<free>:	push   rbp)
    0016| 0x7fffffff9980 --> 0xfbad8000 --> 0x0 
    0024| 0x7fffffff9988 --> 0x612000000340 --> 0x74706f2d63000001 
    0032| 0x7fffffff9990 --> 0x6120000003a5 ("Builder::readFunctions(): Assertion `exceptionTargetNames.empty()' failed.\n")
    0040| 0x7fffffff9998 --> 0x612000000340 --> 0x74706f2d63000001 
    0048| 0x7fffffff99a0 --> 0x612000000340 --> 0x74706f2d63000001 
    0056| 0x7fffffff99a8 --> 0x6120000003f0 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff443f859 in __GI_abort () at abort.c:79
    #2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7b2b8e0 <str> "exceptionTargetNames.empty()", 
        file=0x7ffff7b29060 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp", line=0x8d4, function=<optimized out>) at assert.c:92
    #3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff7b2b8e0 <str> "exceptionTargetNames.empty()", file=0x7ffff7b29060 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp", 
        line=0x8d4, function=0x7ffff7b2b840 <__PRETTY_FUNCTION__._ZN4wasm17WasmBinaryBuilder13readFunctionsEv> "void wasm::WasmBinaryBuilder::readFunctions()") at assert.c:101
    #4  0x00007ffff6ea794d in wasm::WasmBinaryBuilder::readFunctions (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2260
    #5  0x00007ffff6e988a2 in wasm::WasmBinaryBuilder::read (this=0x7fffffffa6e0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1426
    #6  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
    #7  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
    #8  0x00007ffff7047e1c in wasm::ModuleReader::read (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:97
    #9  0x00000000006ae0ff in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-opt.cpp:249
    #10 0x00007ffff44410b3 in __libc_start_main (main=0x6a6b70 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe318) at ../csu/libc-start.c:308
    #11 0x0000000000452bde in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74

CVE-2021-46048: A abort failure in wasm::WasmBinaryBuilder::readFunctions · Issue #4412 · WebAssembly/binaryen

A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_size function, which could cause a Denial of Service (context-dependent).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -hint POC8
    

POC8.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    [ REGISTERS ]
     RAX  0x5b47555e0072
     RBX  0x5b47555e0072
     RCX  0x0
     RDX  0x0
     RDI  0x5b47555e0072
     RSI  0x2
     R8   0x0
     R9   0x7fffffff7f80 ◂— 0x2
     R10  0x7ffff76d4546 ◂— 'gf_list_insert'
     R11  0x7ffff7773a80 (gf_list_insert) ◂— endbr64 
     R12  0x5555555db580 —▸ 0x5555555e2740 —▸ 0x5555555db330 ◂— 0x6d766864 /* 'dhvm' */
     R13  0x5555555e2600 ◂— 0x6d6f6f76 /* 'voom' */
     R14  0x6
     R15  0x0
     RBP  0x2
     RSP  0x7fffffff7f80 ◂— 0x2
     RIP  0x7ffff78fa0da (gf_isom_box_size+10) ◂— mov    rax, qword ptr [rdi + 0x10]
    [ DISASM ]
     ► 0x7ffff78fa0da <gf_isom_box_size+10>    mov    rax, qword ptr [rdi + 0x10]
       0x7ffff78fa0de <gf_isom_box_size+14>    mov    rbp, rdi
       0x7ffff78fa0e1 <gf_isom_box_size+17>    mov    edx, dword ptr [rax + 0x58]
       0x7ffff78fa0e4 <gf_isom_box_size+20>    test   edx, edx
       0x7ffff78fa0e6 <gf_isom_box_size+22>    je     gf_isom_box_size+40                <gf_isom_box_size+40>
        ↓
       0x7ffff78fa0f8 <gf_isom_box_size+40>    cmp    dword ptr [rdi], 0x75756964
       0x7ffff78fa0fe <gf_isom_box_size+46>    mov    qword ptr [rdi + 8], 8
       0x7ffff78fa106 <gf_isom_box_size+54>    mov    edx, 0xc
       0x7ffff78fa10b <gf_isom_box_size+59>    jne    gf_isom_box_size+74                <gf_isom_box_size+74>
        ↓
       0x7ffff78fa11a <gf_isom_box_size+74>    cmp    byte ptr [rax + 0x3c], 0
       0x7ffff78fa11e <gf_isom_box_size+78>    je     gf_isom_box_size+84                <gf_isom_box_size+84>
    [ STACK ]
    00:0000│ r9 rsp 0x7fffffff7f80 ◂— 0x2
    01:0008│        0x7fffffff7f88 —▸ 0x7ffff78fa19a (gf_isom_box_array_size+74) ◂— mov    r15d, eax
    02:0010│        0x7fffffff7f90 ◂— 0x400000000
    03:0018│        0x7fffffff7f98 —▸ 0x5555555da950 ◂— 0x0
    04:0020│        0x7fffffff7fa0 —▸ 0x5555555df7a0 —▸ 0x5555555e61c0 ◂— 0xfbad2480
    05:0028│        0x7fffffff7fa8 ◂— 0x0
    06:0030│        0x7fffffff7fb0 —▸ 0x7fffffff8480 ◂— 0x5f2
    07:0038│        0x7fffffff7fb8 —▸ 0x7fffffff8490 ◂— 0x0
    [ BACKTRACE ]
     ► f 0   0x7ffff78fa0da gf_isom_box_size+10
       f 1   0x7ffff78fa19a gf_isom_box_array_size+74
       f 2   0x7ffff7910e8d inplace_shift_mdat+813
       f 3   0x7ffff791549c WriteToFile+3884
       f 4   0x7ffff7906432 gf_isom_write+370
       f 5   0x7ffff79064b8 gf_isom_close+24
       f 6   0x55555557bd12 mp4boxMain+7410
       f 7   0x7ffff74dc0b3 __libc_start_main+243
    
    pwndbg> bt
    #0  0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff78fa19a in gf_isom_box_array_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff7910e8d in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #4  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #5  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #6  0x000055555557bd12 in mp4boxMain ()
    #7  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #8  0x000055555556d45e in _start ()

CVE-2021-46046: Untrusted pointer dereference in gf_isom_box_size ()  · Issue #2005 · gpac/gpac

GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial of service (context-dependent).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -hint POC10
    

POC10.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff697e740 (0x00007ffff697e740)
    RCX: 0x7ffff74fb18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff8060 --> 0x0 
    RDI: 0x2 
    RBP: 0x7fffffff83b0 --> 0x7ffff76a0b80 --> 0x0 
    RSP: 0x7fffffff8060 --> 0x0 
    RIP: 0x7ffff74fb18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff8060 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7fffffff82d0 --> 0x5555555eafa0 --> 0x7374626c ('lbts')
    R13: 0x10 
    R14: 0x7ffff7ffb000 --> 0x6565726600001000 
    R15: 0x1
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff74fb17f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff74fb184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff74fb189 <__GI_raise+201>:	syscall 
    => 0x7ffff74fb18b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff74fb193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff74fb19c <__GI_raise+220>:	jne    0x7ffff74fb1c4 <__GI_raise+260>
       0x7ffff74fb19e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff74fb1a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8060 --> 0x0 
    0008| 0x7fffffff8068 --> 0x0 
    0016| 0x7fffffff8070 --> 0x5555555e7d50 --> 0x5555555eaa30 --> 0x100010000000006 
    0024| 0x7fffffff8078 --> 0xf6015b1303ad4900 
    0032| 0x7fffffff8080 --> 0x5 
    0040| 0x7fffffff8088 --> 0x5555555e83e0 --> 0x5555555ebe10 --> 0x5555555ebbb0 --> 0x0 
    0048| 0x7fffffff8090 --> 0x7fffffff81e0 --> 0x0 
    0056| 0x7fffffff8098 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff74da859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75453ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff766f285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff754d47c in malloc_printerr (str=str@entry=0x7ffff7671600 "free(): invalid next size (fast)") at malloc.c:5347
    #4  0x00007ffff754ed2c in _int_free (av=0x7ffff76a0b80 <main_arena>, p=0x5555555e1640, have_lock=0x0) at malloc.c:4249
    #5  0x00007ffff78cc82b in stco_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff78f8b6c in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #7  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #8  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #9  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #10 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #11 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #12 0x00007ffff78f9bc7 in gf_isom_box_array_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #13 0x00007ffff79031b7 in gf_isom_delete_movie () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #14 0x00007ffff79064c3 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #15 0x000055555557bd12 in mp4boxMain ()
    #16 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #17 0x000055555556d45e in _start ()
    gdb-peda$

CVE-2021-46045: Abort failed in MP4Box · Issue #2007 · gpac/gpac

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. A denial of service (resource consumption) can be accomplished by searching for a very long key in a Language Name Search.

**

/w/api.php?action=languagesearch denial of service (CVE-2021-46149)

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

While browsing Language team dashboard in Logstash, I came across a bunch of timeouts from the language search API:

/w/api.php?action=languagesearch&format=json&origin=\*&search=teuoyuepuuoiuuuuouuuiqpitouppotuouqtropuuyuyroopepupyotutqiuiuuuooqquypyouopptoiooupipyoouououuptyppuouuouytpeuouuuoiuoriupuouppuquupoiyrpuooypuupuopootpoieppppyrutpptptpiuqerppyuqrpupwoeuppuopouuoupuuuoouupuopupptuupootouuouuqouoeouuurpoowuquooyuuytppepriiuttupuetopuutuppuoppupoupuopouiuopupppuuteupiuuyuputiyootorqyoueeuuuuyptpuuuuyioiyuteupuypuoropqupuuorpputopouuuuttoiputyootooooyuuyuoqupytuoqpoooootuouuuoiouyppuwouyououuptrotuuupetyiiueuuoyuqyrquiouuqtuuouiyouoiupuoopeqtoueoeuopuuproouuoyupupouuttuuurutopuopotuuyuuyprpyureoieopuppouooooooyutyoouuiyqypyuruutiuouuutywuutuuuuiiuuropyuutuyuiuiuyupurioruypupiioitpppuqruyoooyopuouuiouuueuyiuppuuptppouuuepuyttuquuppuotuyutuoupppriupuquputuetypupooouueupuuporuouupurupueoupyiyurpuyuuooyytuuouyuupuouoqpupyuuoeioqoyuyuoupupupooopuyuoyuupouuppoooppoiipueuuruiouurouyupupouuouupqoyruqiuouoqtwteuoouupuuppuoqyuepopoupuueououurupuprppoptoupyuqepuouqttepioyuuuuurputoopttppyiyioiyuoriuuootuupuuyppuuuyyupoyiuuuuupuuouuquppiuyuyypeppptppipioutoieupytuwuuutoupuopuirtuuuuuoouuutoptpiuuuuiotyuuiutuuuoupopioitpurpopouputpuuoippuuyopitptouuuopiorutoitopputuqyuptiotipopouuooeiuuuouttuoiuuqppoottqioouuouuyipueuuouppruuprupewuiypuporoqupuyiiopoouuoputuoeyuoyyoppououutuwrooetuyoyyuouupiuuuuuuuruyutoiiuquypouopuuioyiuouituoppootyytuqypoupuiuuuuoupyoyuptooeuupuuuquuuuqiuprpuyiuuuuopottuppppiptuqypupypuopuwiuutpytuuyoouupuquouuyuoyuputyqrupuooutouuupuptuiiruqupoutpooupuopuprtuooouupuoooipipupoopruupuyppuequouryuuoptoouoouuowuouyuouuupoyeyrouoouuouuuoupuqupiupioupoptupuououououueueyoyoeuutepuypppouuuupiouuperpupuyuuytuouooqttuoutuppouuoiuutooopoeoootuquuuptrtoueepuyuouyuuitppiottupyeruppyooueuqqurqooituutupyuuuipyoouyuuyuutpryyouquooyuuuuptutuupppptqeutioqtotuyuqipuoyuyyquutwpuuuuqoupyooopouippoyutoupttprptripiurooopiuipootopeupyuuryueuuppuuuuuuoptppiuupiouuoupprpyorytiyopttuippptitortpooyeuooyppuuoiutuuyouuppuruuouuuputpiuuuupouuuuuyppiuiyuuuuyiuiupruupuuouyruoutuouoyuuueipoouuuuuuppppptitituuittuewpouiipppupyoytuiuioyuuuyopuyuruputruyuuuqyypuyoyuuyuopyuorupuoyuruuuppytpppiuuutuotoytuiquwpitytuuooopyoupeuuuyuuuuieyteippouuooutpuyoyuyupuiutpuuppuutytutputurptupuurptoyuuoputuuoquopoupyouutoupuioutuuuuuuopuuypueouiuuopuppyuuyyoetouurppuouuyupuuupuytoqupupuuytypopuitoyuupoouyuypyuuiryoeptououupouuiuopuuuiyopupyuruquppyupuuuuoupoupuuquiouriuuputppuiyuutuuyppiroouuoouoipuuoputuptioprpututouiuueopppuuqpypuupotuuutyoupuuptpuupyyouuwurutpotuytuuotipuuupueouopqppeotuurueippuurptpoyupuuoyeiiuuurouqippwoppurutuuuupututipiuuuouupououpqpipiopuyoupyuuuirpoupyuututrueouryuputqiuyyouttiutoeuuopuuuutqpouoyptuupotueyuuopptqouuuuiutieuoipttpoouuprouotwtuuuiyqeuuuotupiutuyruuyyyyouiruittuouuuyppoyyupeupuupuotuuppppuuoiuuouuooyruuuuuuuprtpttuuppuuupiuutiutooppuoyouopiuttropyuypouyyqoipupoupuuoqutpouuiqrrouuupptpupoppoyuyuuorutrpuyypuyopouuupuuoquuuuuutyopuupuouyeueotyupuuuieuuuyooiyuruoiupyiqpupuptyuypuryppoyuruuoorpooyuuuotpuuuuuiiiuutytupppoyopyuurupuyyupupppwuouipuyuyytwroioiuueyopyutoopupuepipououpttououoquupitrwuppupupuyoyouyputopuioioupptuouyeuouuouoiituutproupoppuupuyupuuupuipoyuoruypipuuuuoiouuiouorooyuououtouuuowuiootuutyuuqupuupyppyouyrquoqyqputouuoitooyriuruupywtouuiutuouuuttipyypouuputuuopetouoeiuuuurrqopuppyuyuuupiuoutopppppuypupututuutouypopyepuoooiupitytpptupyqirtuoruuwpuoooououeoruyouwuuqoupuuritutuuipuppuupitppppppirouypuoiuoqoopuuouuuuuuttuypuuoppputituutootpuupyuptyiotoooutqyupuuuuouitouwpotyuoiuyutptpoeoipuuuyruoouuioutuuippuoupptuupyuypoputyyuptupuyoyuuouypypopowoprpoppuprppuputopppupyypuupooeruyiouyopuyuuptuttuiquptyuupotopiuouuottouotpuuoutopqouuouopupoiypyoqouuyupoyppyopiquuippiuyyoitoiuuutyuuoqypwyppooopuouooiopppopuuyruytupopprroupirqtiotuuquowuuqtituiiqpouuppyuu&formatversion=2

from /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(97)
#0 /srv/mediawiki/php-1.38.0-wmf.4/vendor/wikimedia/request-timeout/src/Detail/ExcimerTimerWrapper.php(72): Wikimedia\\RequestTimeout\\Detail\\ExcimerTimerWrapper->onTimeout(integer)
#1 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(187): Wikimedia\\RequestTimeout\\Detail\\ExcimerTimerWrapper->Wikimedia\\RequestTimeout\\Detail\\{closure}(integer)
#2 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(179): LanguageNameSearch::levenshteinDistance(string, string)
#3 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(103): LanguageNameSearch::levenshteinDistance(string, string)
#4 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/data/LanguageNameSearch.php(70): LanguageNameSearch::matchNames(string, string, integer)
#5 /srv/mediawiki/php-1.38.0-wmf.4/extensions/UniversalLanguageSelector/includes/api/ApiLanguageSearch.php(29): LanguageNameSearch::search(string, integer, string)
#6 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(1878): ApiLanguageSearch->execute()
#7 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(857): ApiMain->executeAction()
#8 /srv/mediawiki/php-1.38.0-wmf.4/includes/api/ApiMain.php(828): ApiMain->executeActionWithErrorHandling()
#9 /srv/mediawiki/php-1.38.0-wmf.4/api.php(90): ApiMain->execute()
#10 /srv/mediawiki/php-1.38.0-wmf.4/api.php(45): wfApiMain()
#11 /srv/mediawiki/w/api.php(3): require(string)
#12 {main}

More specifically, there were 1757 such requests on viwiki on 2021-10-17, which was clearly intentional dos attempt.

Author Affiliation

WMF Product

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

Doing some quick stats, longest language name is 154 bytes or 76 "mb\_strlen" characters long. But it's questionable whether doing a typo match at that long search query is useful. I propose we skip fuzzy search when mb\_strlen value is longer than say 25, or at most 76 if we want to avoid any user impact.

Comment Actions

The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.

It should also be backported to supported release branches, I think.

Comment Actions

> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.

Well, we're probably close enough to the train cut that the gerrit patch can just go along with that and roll out this week. The commit message was fairly benign, so the only hint that this is a security issue is the linked private bug and the patch itself. ULS isn't bundled so there's no issue with the upcoming security release there, as this would just be included within the supplemental announcement, which often includes several already-public security issues. Anyhow, the Security-Team will chat about this today during our clinic and see if we have any additional guidance to provide.

> It should also be backported to supported release branches, I think.

Yes, it should. The Security-Team can start those picks.

Reedy closed this task as Resolved.Dec 10 2021, 8:20 PM

mmartorana renamed this task from /w/api.php?action=languagesearch denial of service to /w/api.php?action=languagesearch denial of service (CVE-2021-46149).Mon, Jan 10, 5:03 PM

Comment Actions

> The patch was made publicly by mistake. Hopefully the impact is limited, though, looking at Logstash I do not see it being actively exploited. The patch will ride this week's train and will included in our next MLEB release this week.
> 
> It should also be backported to supported release branches, I think.

In other words: If people are either using MLEB 2021.10, 2021.11 or preferably 2021.12 they are cool?!

Comment Actions

Cool, thanks for confirming. Thanks also for the tip. Never noticed this one.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-46149: ⚓ T293749 /w/api.php?action=languagesearch denial of service (CVE-2021-46149)

A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).

**Version:**

**command:**

POC8.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff4416040 (0x00007ffff4416040)
    RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffb890 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffffb890 --> 0x0 
    RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffb890 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff799dc40 ("/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h")
    R13: 0x31 ('1')
    R14: 0x7ffff799dc00 ("type.isSignature()")
    R15: 0xfffff700 --> 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff4460189 <__GI_raise+201>:	syscall 
    => 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
       0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffb890 --> 0x0 
    0008| 0x7fffffffb898 --> 0x49bba0 (<free>:	push   rbp)
    0016| 0x7fffffffb8a0 --> 0x7ffffbad8000 
    0024| 0x7fffffffb8a8 --> 0x6120000001c0 --> 0x7369642d69000001 
    0032| 0x7fffffffb8b0 --> 0x612000000225 ("on> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *): Assertion `type.isSignature()' failed.\n")
    0040| 0x7fffffffb8b8 --> 0x6120000001c0 --> 0x7369642d69000001 
    0048| 0x7fffffffb8c0 --> 0x6120000001c0 --> 0x7369642d69000001 
    0056| 0x7fffffffb8c8 --> 0x6120000002b3 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff443f859 in __GI_abort () at abort.c:79
    #2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff799dc00 <str> "type.isSignature()", 
        file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, function=<optimized out>) at assert.c:92
    #3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff799dc00 <str> "type.isSignature()", file=0x7ffff799dc40 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h", line=0x31, 
        function=0x7ffff799dca0 <__PRETTY_FUNCTION__._ZN4wasm7Builder12makeFunctionENS_4NameENS_8HeapTypeEOSt6vectorINS_4TypeESaIS4_EEPNS_10ExpressionE> "static std::unique_ptr<Function> wasm::Builder::makeFunction(wasm::Name, wasm::HeapType, std::vector<Type> &&, wasm::Expression *)") at assert.c:101
    #4  0x00007ffff51417c4 in wasm::Builder::makeFunction (name=..., type=..., vars=..., body=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm-builder.h:49
    #5  0x00007ffff6ea172f in wasm::WasmBinaryBuilder::readImports (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2059
    #6  0x00007ffff6e9967e in wasm::WasmBinaryBuilder::read (this=0x7fffffffcce0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1417
    #7  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
    #8  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
    #9  0x00000000004cf7ca in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-dis.cpp:65
    #10 0x00007ffff44410b3 in __libc_start_main (main=0x4cdef0 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
    #11 0x000000000042375e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74

CVE-2021-46055: A abort failure in wasm::Builder::makeFunction · Issue #4413 · WebAssembly/binaryen

**Version:**

**command:**

    ./bin/wasm-ctor-eval POC5
    

POC5.zip

**Result**

**bt**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6d47fc0 (0x00007ffff6d47fc0)
    RCX: 0x7ffff6ee118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffcbe0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff7056588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffffcbe0 --> 0x0 
    RIP: 0x7ffff6ee118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffcbe0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7e4e3d8 ("/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp")
    R13: 0x1964 
    R14: 0x7ffff7e4f588 ("curr->target != DELEGATE_CALLER_TARGET")
    R15: 0x5555555f7030 --> 0x30246c6562616c ('label$0')
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6ee117f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6ee1184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6ee1189 <__GI_raise+201>:	syscall 
    => 0x7ffff6ee118b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6ee1193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6ee119c <__GI_raise+220>:	jne    0x7ffff6ee11c4 <__GI_raise+260>
       0x7ffff6ee119e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6ee11a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffcbe0 --> 0x0 
    0008| 0x7fffffffcbe8 --> 0x7ffff6f38850 (<__GI___libc_free>:	endbr64)
    0016| 0x7fffffffcbf0 --> 0x7ffffbad8000 
    0024| 0x7fffffffcbf8 --> 0x5555555e7920 --> 0x0 
    0032| 0x7fffffffcc00 --> 0x5555555e7985 ("inaryBuilder::visitRethrow(wasm::Rethrow*): Assertion `curr->target != DELEGATE_CALLER_TARGET' failed.\n")
    0040| 0x7fffffffcc08 --> 0x5555555e7920 --> 0x0 
    0048| 0x7fffffffcc10 --> 0x5555555e7920 --> 0x0 
    0056| 0x7fffffffcc18 --> 0x5555555e79ec --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ 
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff6ec0859 in __GI_abort () at abort.c:79
    #2  0x00007ffff6ec0729 in __assert_fail_base (fmt=0x7ffff7056588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7e4f588 "curr->target != DELEGATE_CALLER_TARGET", 
        file=0x7ffff7e4e3d8 "/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp", line=0x1964, function=<optimized out>) at assert.c:92
    #3  0x00007ffff6ed1f36 in __GI___assert_fail (assertion=0x7ffff7e4f588 "curr->target != DELEGATE_CALLER_TARGET", file=0x7ffff7e4e3d8 "/home/zxq/CVE_testing/source/binaryen/src/wasm/wasm-binary.cpp", 
        line=0x1964, function=0x7ffff7e4f548 "void wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*)") at assert.c:101
    #4  0x00007ffff7c09ca1 in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c0b48c in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c0c17e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c0ff90 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #8  0x00007ffff7c109bb in wasm::WasmBinaryBuilder::readFunctions() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #9  0x00007ffff7c11f52 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #10 0x00007ffff7c3dec6 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #11 0x00007ffff7c3e6cc in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #12 0x00007ffff7c3eda1 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/source/binaryen/build/bin/../lib/libbinaryen.so
    #13 0x000055555556943e in main ()
    #14 0x00007ffff6ec20b3 in __libc_start_main (main=0x5555555688c0 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
        at ../csu/libc-start.c:308
    #15 0x0000555555569e5e in _start ()

CVE-2021-46054: A abort failure in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*) · Issue #4410 · WebAssembly/binaryen

A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.

**Description**

Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vim\_regexec\_multi () at regexp.c:2896

**Proof of Concept**

    ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!
    

\[POC1\]\[https://drive.google.com/file/d/1VOS93VSakO96z2rnvId\_WDYRM9KAEIgC/view?usp=sharing\]

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x14 
    RBX: 0x7fffffff8520 --> 0x9 ('\t')
    RCX: 0x14 
    RDX: 0x2 
    RSI: 0x10007fff7000 --> 0x0 
    RDI: 0x7fffffff87e0 --> 0x0 
    RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
    RSP: 0x7fffffff8420 --> 0x41b58ab3 
    RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
    R8 : 0x625000002900 --> 0x3e8 
    R9 : 0x625000005100 --> 0x9 ('\t')
    R10: 0x4 
    R11: 0x0 
    R12: 0x0 
    R13: 0xffffffff0fc --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
       0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
       0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
    => 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
       0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
       0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
       0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
       0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8420 --> 0x41b58ab3 
    0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
    0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
    0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
    0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
    0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
    0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
    0056| 0x7fffffff8458 --> 0xfffffc4300000001 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    2896        if (rmp->regprog->re_in_use)
    gdb-peda$ bt
    #0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    #1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
    #2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
    #3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
    #4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
        is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
    #5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
        at scriptfile.c:985
    #6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
    #7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
    #8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
        cookie=0x0, flags=0xb) at ex_docmd.c:994
    #9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
        at ex_docmd.c:588
    #10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
    #11 0x0000000000f36873 in vim_main2 () at main.c:774
    #12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
    #13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
    #14 0x000000000041da9e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2021-46059: Untrusted Pointer Dereference in vim

A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 via the setcmd function at commands.c, which causes a denial of service.

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

\[POC1\](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]

RAX: 0x10 

RBX: 0x3 

RCX: 0x3 

RDX: 0x0 

RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')

RDI: 0x555555577068 --> 0xa001c23 

RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 

RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

RIP: 0x55555555b7cd (<setcmd+701>: mov    BYTE PTR \[rdx\],al)

R8 : 0x555555577067 --> 0xa001c2310 

R9 : 0x0 

R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')

R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')

R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')

R13: 0x7fffffffe380 --> 0x1 

R14: 0x0 

R15: 0x0

EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)

\[-------------------------------------code-------------------------------------\]

   0x55555555b7bf <setcmd+687>: cmove  eax,edx

   0x55555555b7c2 <setcmd+690>: nop    WORD PTR \[rax+rax\*1+0x0\]

   0x55555555b7c8 <setcmd+696>: mov    rdx,QWORD PTR \[r12+0x18\]

\=> 0x55555555b7cd <setcmd+701>: mov    BYTE PTR \[rdx\],al

   0x55555555b7cf <setcmd+703>: mov    rax,QWORD PTR \[r12+0x18\]

   0x55555555b7d4 <setcmd+708>: movzx  edi,BYTE PTR \[rax\]

   0x55555555b7d7 <setcmd+711>: call   0x55555555aed0 <control>

   0x55555555b7dc <setcmd+716>: mov    rdx,QWORD PTR \[r12\]

\[------------------------------------stack-------------------------------------\]

0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')

0016| 0x7fffffffe1c0 --> 0x0 

0024| 0x7fffffffe1c8 --> 0x1 

0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 

0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test   eax,eax)

0048| 0x7fffffffe1e0 --> 0x0 

0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 

\[------------------------------------------------------------------------------\]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

1152       \*(ct->charp) = (cc\_t) value;

gdb-peda$ bt

#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047

#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426

#3  0x00007ffff7db60b3 in \_\_libc\_start\_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 

    rtld\_fini=<optimized out>, stack\_end=0x7fffffffe378) at ../csu/libc-start.c:308

#4  0x000055555555a01e in \_start () at main.c:426

Tag

#dos