LibreDWG v0.12.4.4643 was discovered to contain a heap buffer overflow via the function decode_preR13_section_hdr at decode_r11.c.

**System info**  
Ubuntu x86\_64, clang 10.0  
version: 0.12.4.4643, last commit 93c2512

**Command line**  
./dwg2dxf poc

**Poc**  
poc: poc

**AddressSanitizer output**  
\==4080011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000000428 at pc 0x000000480860 bp 0x7ffddb1de850 sp 0x7ffddb1de008  
WRITE of size 63 at 0x618000000428 thread T0  
#0 0x48085f in strncpy /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_interceptors.cpp:483:5  
#1 0x1123350 in decode\_preR13\_section\_hdr /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:139:3  
#2 0x111d7e1 in decode\_preR13 /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:762:7  
#3 0x4fb4b6 in dwg\_decode /home/SVF-tools/example/libredwg-2/src/decode.c:211:17  
#4 0x4c6dcc in dwg\_read\_file /home/SVF-tools/example/libredwg-2/src/dwg.c:254:11  
#5 0x4c4a40 in main /home/SVF-tools/example/libredwg-2/programs/dwg2dxf.c:258:15  
#6 0x7f7873298c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#7 0x41b649 in \_start (/home/SVF-tools/example/libredwg-2/fuzz/dwg2dxf.ci+0x41b649)

0x618000000428 is located 24 bytes inside of 442820362-byte region \[0x618000000410,0x61801a64eb1a)  
\==4080011==AddressSanitizer CHECK failed: /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_descriptions.cpp:175 "((id)) != (0)" (0x0, 0x0)  
#0 0x49bf3e in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_rtl.cpp:73:5  
#1 0x4b045f in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /home/brian/src/final/llvm-project/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cpp:78:5  
#2 0x4245db in \_\_asan::HeapAddressDescription::Print() const /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_descriptions.cpp  
#3 0x427425 in \_\_asan::ErrorGeneric::Print() /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_errors.cpp:591:20  
#4 0x497ba8 in \_\_asan::ScopedInErrorReport::~ScopedInErrorReport() /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_report.cpp:141:50  
#5 0x4997dd in \_\_asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_report.cpp:474:1  
#6 0x480881 in strncpy /home/brian/src/final/llvm-project/compiler-rt/lib/asan/asan\_interceptors.cpp:483:5  
#7 0x1123350 in decode\_preR13\_section\_hdr /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:139:3  
#8 0x111d7e1 in decode\_preR13 /home/SVF-tools/example/libredwg-2/src/decode\_r11.c:762:7  
#9 0x4fb4b6 in dwg\_decode /home/SVF-tools/example/libredwg-2/src/decode.c:211:17  
#10 0x4c6dcc in dwg\_read\_file /home/SVF-tools/example/libredwg-2/src/dwg.c:254:11  
#11 0x4c4a40 in main /home/SVF-tools/example/libredwg-2/programs/dwg2dxf.c:258:15  
#12 0x7f7873298c86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310  
#13 0x41b649 in \_start (/home/SVF-tools/example/libredwg-2/fuzz/dwg2dxf.ci+0x41b649)

CVE-2022-45332: heap-buffer-overflow exists in the function decode_preR13_section_hdr in decode_r11.c · Issue #524 · LibreDWG/libredwg

GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.

**Description**

Heap use after free in Q\_IsTypeOn at gpac/src/bifs/unquantize.c:175:12

**System info**

Ubuntu 20.04 lts

**Version info**

MP4Box - GPAC version 2.1-DEV-rev478-g696e6f868-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_FAAD GPAC\_HAS\_MAD GPAC\_HAS\_LIBA52 GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_THEORA GPAC\_HAS\_VORBIS GPAC\_HAS\_XVID GPAC\_HAS\_LINUX\_DVB

**compile**

./configure --enable-sanitizer --enable-debug
make

**crash command****POC**

POC-uaf

**Crash output**

/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box -bt poc

\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
MPEG-4 BIFS Scene Parsing
=================================================================
==1578219==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000001ad4 at pc 0x7f8194636c1d bp 0x7fff91f55420 sp 0x7fff91f55418
READ of size 4 at 0x610000001ad4 thread T0
    #0 0x7f8194636c1c in Q\_IsTypeOn /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12
    #1 0x7f8194643390 in gf\_bifs\_dec\_unquant\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:398:7
    #2 0x7f81945890e1 in gf\_bifs\_dec\_sf\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:84:7
    #3 0x7f8194597e3f in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:327:8
    #4 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #5 0x7f819459df3a in gf\_bifs\_dec\_node\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:626:7
    #6 0x7f81945965a8 in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:928:7
    #7 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #8 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #9 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #10 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #11 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #12 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #13 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #14 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #15 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #16 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #17 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #18 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #19 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x42ac5d in \_start (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x42ac5d)

0x610000001ad4 is located 148 bytes inside of 192-byte region \[0x610000001a40,0x610000001b00)
freed by thread T0 here:
    #0 0x4a5c52 in free (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5c52)
    #1 0x7f8193259324 in gf\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:165:2
    #2 0x7f819378d74a in gf\_node\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1622:2
    #3 0x7f81938a38fc in QuantizationParameter\_Del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:11981:2
    #4 0x7f81938962b1 in gf\_sg\_mpeg4\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:37743:3
    #5 0x7f8193774108 in gf\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1904:59
    #6 0x7f8193763dc2 in gf\_node\_unregister /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:763:3
    #7 0x7f8193772a1c in gf\_node\_try\_destroy /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:669:9
    #8 0x7f81937ce9cc in gf\_sg\_command\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/commands.c:72:7
    #9 0x7f81945ca742 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:990:5
    #10 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #11 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #12 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #13 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #14 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #15 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #16 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4a5ebd in malloc (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5ebd)
    #1 0x7f8193259214 in gf\_malloc /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:150:9
    #2 0x7f819381fc84 in QuantizationParameter\_Create /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:12496:2
    #3 0x7f819388ffa6 in gf\_sg\_mpeg4\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:36871:10
    #4 0x7f8193796799 in gf\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1996:51
    #5 0x7f8194595f4a in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:900:15
    #6 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #7 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #8 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #9 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #10 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #11 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #12 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #13 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #14 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #15 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #16 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #17 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #18 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn
Shadow bytes around the buggy address:
  0x0c207fff8300: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8320: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8340: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
\=>0x0c207fff8350: fd fd fd fd fd fd fd fd fd fd\[fd\]fd fd fd fd fd
  0x0c207fff8360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1578219\==ABORTING

**Occurrences:**

gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn

**Impact**

can cause a program to crash, use unexpected values, or execute code.

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-45343: Heap use after free in Q_IsTypeOn at gpac/src/bifs/unquantize.c · Issue #2315 · gpac/gpac

Ubuntu Security Notice 5747-1 - It was discovered that Bind incorrectly handled large query name when using lightweight resolver protocol. A remote attacker could use this issue to consume resources, leading to a denial of service. It was discovered that Bind incorrectly handled large zone data size received via AXFR response. A remote authenticated attacker could use this issue to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS.

    =========================================================================Ubuntu Security Notice USN-5747-1November 29, 2022bind9 vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Bind.Software Description:- bind9: Internet Domain Name ServerDetails:It was discovered that Bind incorrectly handled large query name when usinglightweight resolver protocol. A remote attacker could use this issue toconsume resources, leading to a denial of service. (CVE-2016-2775)It was discovered that Bind incorrectly handled large zone data sizereceived via AXFR response. A remote authenticated attacker could use thisissue to consume resources, leading to a denial of service. This issue onlyaffected Ubuntu 16.04 LTS. (CVE-2016-6170)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  bind9                           1:9.10.3.dfsg.P4-8ubuntu1.19+esm5  lwresd                          1:9.10.3.dfsg.P4-8ubuntu1.19+esm5Ubuntu 14.04 ESM:  bind9                           1:9.9.5.dfsg-3ubuntu0.19+esm9  lwresd                          1:9.9.5.dfsg-3ubuntu0.19+esm9In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5747-1  CVE-2016-2775, CVE-2016-6170

Ubuntu Security Notice USN-5747-1

Ubuntu Security Notice 5746-1 - Behzad Najjarpour Jabbari discovered that HarfBuzz incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5746-1November 28, 2022harfbuzz vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:HarfBuzz could be made to crash if it received specially craftedinput.Software Description:- harfbuzz: OpenType text shaping engineDetails:Behzad Najjarpour Jabbari discovered that HarfBuzz incorrectly handledcertain inputs. A remote attacker could possibly use this issue to causea denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libharfbuzz-bin                 1.0.1-1ubuntu0.1+esm1   libharfbuzz0b                   1.0.1-1ubuntu0.1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5746-1   CVE-2015-9274

Ubuntu Security Notice USN-5746-1

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a memory leak via the function dimC_box_read at isomedia/box_code_3gpp.c.

**Description**

Memory Leak in dimC\_box\_read at isomedia/box\_code\_3gpp.c:1060

**System info**

ubuntu 20.04 lts

version info:

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev460-g9d963dc62-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DI
    

**compile**

./configure --enable-sanitizer  
make

**crash command:**

./MP4Box -bt poc\_ml

poc :  
https://github.com/Janette88/test\_pocs/blob/main/poc\_ml

Here is output by ASAN:

    [ISOBMFF] AV1ConfigurationBox: read only 4 bytes (expected 16).
    [iso file] Box "av1C" (start 20) has 12 extra bytes
    [isom] not enough bytes in box dimC: 0 left, reading 1 (file isomedia/box_code_3gpp.c, line 1082)
    [iso file] Read Box "dimC" (start 44) failed (Invalid IsoMedia File) - skipping
    Error opening file /home/fuzz/test/poc_ml: Invalid IsoMedia File
    
    =================================================================
    ==71539==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 2566 byte(s) in 1 object(s) allocated from:
        #0 0x7fe8c635f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fe8c2ef8d39 in dimC_box_read isomedia/box_code_3gpp.c:1060
        #2 0x7fe8c2fb75c3 in gf_isom_box_read isomedia/box_funcs.c:1866
        #3 0x7fe8c2fb75c3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fe8c2fb8a15 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #5 0x7fe8c2fe1a8c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
        #6 0x7fe8c2fe7ca1 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #7 0x7fe8c2fe7ca1 in gf_isom_open_file isomedia/isom_intern.c:988
        #8 0x55c56a3e9139 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6209
        #9 0x7fe8c0558082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: 2566 byte(s) leaked in 1 allocation(s).
    

**code location:**

    GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
    {
    	u32 i, msize;
    	GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
    
    	ISOM_DECREASE_SIZE(p, 3);
    	p->profile = gf_bs_read_u8(bs);
    	p->level = gf_bs_read_u8(bs);
    	p->pathComponents = gf_bs_read_int(bs, 4);
    	p->fullRequestHost = gf_bs_read_int(bs, 1);
    	p->streamType = gf_bs_read_int(bs, 1);
    	p->containsRedundant = gf_bs_read_int(bs, 2);
    
    	char *str = gf_malloc(sizeof(char)*(p->size+1));       //line 1060   here p->size+1 = 2566
    	if (!str) return GF_OUT_OF_MEM;
    	msize = (u32) p->size;
    	str[msize] = 0;
    	i=0;
    	str[0]=0;
    	while (i < msize) {
    		ISOM_DECREASE_SIZE(p, 1);
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	if (i == msize) {
    		gf_free(str);
    		return GF_ISOM_INVALID_FILE;
    	}
    
    	p->textEncoding = gf_strdup(str);
    
    	i=0;
    	str[0]=0;
    	while (i < msize) {
    		ISOM_DECREASE_SIZE(p, 1);            //line :1082 not enough bytes in box dimC: 0 left, reading 1 
    
    		str[i] = gf_bs_read_u8(bs);
    		if (!str[i]) break;
    		i++;
    	}
    	if (i == msize) {
    		gf_free(str);
    		return GF_ISOM_INVALID_FILE;
    	}
    
    	p->contentEncoding = gf_strdup(str);
    	gf_free(str);
    	if (!p->textEncoding || !p->contentEncoding)
    		return GF_OUT_OF_MEM;
    	return GF_OK;
    }
    

ps: The issue could be verified using the poc in issue 2294 and 2296. The patch of issue 2294 and 2296 was not perfect because it still existed memory leak risk .

ref:  
#2294  
#2296

CVE-2022-45204: Memory Leak in dimC_box_read at isomedia/box_code_3gpp.c:1060 · Issue #2307 · gpac/gpac

Ubuntu Security Notice 5745-1 - Florian Weimer discovered that shadow was not properly copying and removing user directory trees, which could lead to a race condition. A local attacker could possibly use this issue to setup a symlink attack and alter or remove directories without authorization.

==========================================================================  
Ubuntu Security Notice USN-5745-1  
November 28, 2022

shadow vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

shadow could be made to overwrite files.

Software Description:  
- shadow: system login tools

Details:

Florian Weimer discovered that shadow was not properly copying and removing  
user directory trees, which could lead to a race condition. A local attacker  
could possibly use this issue to setup a symlink attack and alter or remove  
directories without authorization.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libsubid4                       1:4.11.1+dfsg1-2ubuntu1.1  
   login                           1:4.11.1+dfsg1-2ubuntu1.1  
   passwd                          1:4.11.1+dfsg1-2ubuntu1.1  
   uidmap                          1:4.11.1+dfsg1-2ubuntu1.1

Ubuntu 22.04 LTS:  
   login                           1:4.8.1-2ubuntu2.1  
   passwd                          1:4.8.1-2ubuntu2.1  
   uidmap                          1:4.8.1-2ubuntu2.1

Ubuntu 20.04 LTS:  
   login                           1:4.8.1-1ubuntu5.20.04.3  
   passwd                          1:4.8.1-1ubuntu5.20.04.3  
   uidmap                          1:4.8.1-1ubuntu5.20.04.3

Ubuntu 18.04 LTS:  
   login                           1:4.5-1ubuntu2.4  
   passwd                          1:4.5-1ubuntu2.4  
   uidmap                          1:4.5-1ubuntu2.4

Ubuntu 16.04 ESM:  
   login                           1:4.2-3.1ubuntu5.5+esm2  
   passwd                          1:4.2-3.1ubuntu5.5+esm2  
   uidmap                          1:4.2-3.1ubuntu5.5+esm2

Ubuntu 14.04 ESM:  
   login                           1:4.1.5.1-1ubuntu9.5+esm2  
   passwd                          1:4.1.5.1-1ubuntu9.5+esm2  
   uidmap                          1:4.1.5.1-1ubuntu9.5+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5745-1  
   CVE-2013-4235

Package Information:  
https://launchpad.net/ubuntu/+source/shadow/1:4.11.1+dfsg1-2ubuntu1.1  
   https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-2ubuntu2.1  
https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu5.20.04.3  
   https://launchpad.net/ubuntu/+source/shadow/1:4.5-1ubuntu2.4

Ubuntu Security Notice USN-5745-1

Ubuntu Security Notice 5744-1 - It was discovered that libICE was using a weak mechanism to generate the session cookies. A local attacker could possibly use this issue to perform a privilege escalation attack.

    =========================================================================Ubuntu Security Notice USN-5744-1November 28, 2022libice vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:Weak session cookies generated using libICE could allow sensitiveinformation to be exposed.Software Description:- libice: X11 Inter-Client Exchange library (development headers)Details:It was discovered that libICE was using a weak mechanism to generate thesession cookies. A local attacker could possibly use this issue to performa privilege escalation attack.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:  libice-dev                      2:1.0.9-2ubuntu0.18.04.1  libice6                         2:1.0.9-2ubuntu0.18.04.1Ubuntu 16.04 ESM:  libice-dev                      2:1.0.9-1ubuntu0.16.04.1+esm1  libice6                         2:1.0.9-1ubuntu0.16.04.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5744-1  CVE-2017-2626Package Information:  https://launchpad.net/ubuntu/+source/libice/2:1.0.9-2ubuntu0.18.04.1

Ubuntu Security Notice USN-5744-1

Ubuntu Security Notice 5743-1 - It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

    ==========================================================================Ubuntu Security Notice USN-5743-1November 24, 2022tiff vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:LibTIFF could be made to crash or run programs as your login if itopened a specially crafted file.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF incorrectly handled certain malformedimages. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-tools                   4.0.6-1ubuntu0.8+esm8   libtiff5                         4.0.6-1ubuntu0.8+esm8In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5743-1   CVE-2022-3970

Ubuntu Security Notice USN-5743-1

Ubuntu Security Notice 5742-1 - It was discovered that JBIG-KIT incorrectly handled decoding certain large image files. If a user or automated system using JBIG-KIT were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5742-1  
November 24, 2022

jbigkit vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

JBIG-KIT could be made to crash if it opened a specially crafted file.

Software Description:  
- jbigkit: JBIG1 data compression library

Details:

It was discovered that JBIG-KIT incorrectly handled decoding certain large  
image files. If a user or automated system using JBIG-KIT were tricked into  
opening a specially crafted file, an attacker could possibly use this issue  
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   jbigkit-bin                     2.1-3.1ubuntu0.22.10.1  
   libjbig0                        2.1-3.1ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.22.04.1  
   libjbig0                        2.1-3.1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.20.04.1  
   libjbig0                        2.1-3.1ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
   jbigkit-bin                     2.1-3.1ubuntu0.18.04.1  
   libjbig0                        2.1-3.1ubuntu0.18.04.1

Ubuntu 16.04 ESM:  
   jbigkit-bin                     2.1-3.1ubuntu0.1~esm1  
   libjbig0                        2.1-3.1ubuntu0.1~esm1

Ubuntu 14.04 ESM:  
   jbigkit-bin                     2.0-2ubuntu4.1+esm1  
   libjbig0                        2.0-2ubuntu4.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5742-1  
   CVE-2017-9937

Package Information:  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.10.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.22.04.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.20.04.1  
https://launchpad.net/ubuntu/+source/jbigkit/2.1-3.1ubuntu0.18.04.1

Ubuntu Security Notice USN-5742-1

Ubuntu Security Notice 5741-1 - It was discovered that Exim incorrectly handled certain regular expressions. An attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5741-1  
November 24, 2022

exim4 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Exim could be made to crash or run programs if it processed specially  
crafted regular expressions.

Software Description:  
- exim4: Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly handled certain regular  
expressions. An attacker could use this issue to cause Exim to crash,  
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   exim4-base                      4.96-3ubuntu1.1  
   exim4-daemon-heavy              4.96-3ubuntu1.1  
   exim4-daemon-light              4.96-3ubuntu1.1

Ubuntu 22.04 LTS:  
   exim4-base                      4.95-4ubuntu2.2  
   exim4-daemon-heavy              4.95-4ubuntu2.2  
   exim4-daemon-light              4.95-4ubuntu2.2

Ubuntu 20.04 LTS:  
   exim4-base                      4.93-13ubuntu1.7  
   exim4-daemon-heavy              4.93-13ubuntu1.7  
   exim4-daemon-light              4.93-13ubuntu1.7

Ubuntu 18.04 LTS:  
   exim4-base                      4.90.1-1ubuntu1.10  
   exim4-daemon-heavy              4.90.1-1ubuntu1.10  
   exim4-daemon-light              4.90.1-1ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5741-1  
   CVE-2022-3559

Package Information:  
   https://launchpad.net/ubuntu/+source/exim4/4.96-3ubuntu1.1  
   https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.2  
   https://launchpad.net/ubuntu/+source/exim4/4.93-13ubuntu1.7  
   https://launchpad.net/ubuntu/+source/exim4/4.90.1-1ubuntu1.10

Tag

#ubuntu