Bug#890086: ufraw-batch: stack buffer overflow while running ufraw-batch
Package: ufraw-batch
Version: 0.22-2
Severity: important
Tags: security

stack buffer overflow running ufraw-batch with "--overwrite poc" option

Running 'ufraw-batch --overwrite poc' with the attached file raises a stack buffer overflow which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault

Below is debugging information about this bug.

0. poc file :

      0001 0001 0040 2020 0020 2020 4b41          .@ ... KA
0010: 492d 3033 3430 200f 4343 4343 4343 4343     I-0340 .
0020: 4343 4343 4343 4343 4343 [4141] 6565        CCAAee

1. The two bytes [4141] above were stored in the variable 'raw_width' in the DCRaw::identify function at dcraw.cc:

8871   } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
8872     fseek (ifp, 6, SEEK_SET);
8873     fread (make, 1, 8, ifp);
8874     fread (model, 1, 8, ifp);
8875     fread (model2, 1, 16, ifp);
8876     data_offset = get2();
8877     get2();
8878     raw_width = get2();          // HERE
8879     raw_height = get2();
8880     load_raw = nokia_load_raw;
8881     filters = 0x61616161;

--gdb--
8878      raw_width = get2();
(gdb) n
8879      raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
---

2. And then it is stored in the variable 'width' in the same function:

9008   desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
9009   if (!is_raw) goto notraw;
9010
9011   if (!height) height = raw_height;
9012   if (!width) width = raw_width;          // HERE
9013   if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
9014     { height = 2616; width = 3896; }
9015   if (height == 3136 && width == 4864) /* Pentax K20D and Samsung GX20 */

--gdb--
Breakpoint 9, DCRaw::identify (this=this@entry=0x748b2010) at dcraw.cc:9012
9012      if (!width) width = raw_width;
$24 = 0
(gdb) n
9013      if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141
---

3. This 'width' is used in the loop below in the function DCRaw::find_green in the same file.

8504 float CLASS find_green (int bps, int bite, int off0, int off1)
8505 {
8506   UINT64 bitbuf=0;
8507   int vbits, col, i, c;
8508   ushort img[2][2064];
8509   double sum[]={0,0};
8510
8511   FORC(2) {
8512     fseek (ifp, c ? off1:off0, SEEK_SET);
8513     for (vbits=col=0; col < width; col++) {            // HERE(1), width was used
8514       for (vbits -= bps; vbits < 0; vbits += bite) {
8515         bitbuf <<= bite;
8516         for (i=0; i < bite; i+=8)
8517           bitbuf |= (unsigned) (fgetc(ifp) << i);
8518       }
8519       img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);   // HERE(2), col is index of img buffer
8520     }
8521   }
8522   FORC(width-1) {
8523     sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
8524     sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
8525   }
8526   return 100 * log(sum[0]/sum[1]);
8527 }

At HERE(2), the local variable 'col' increases until it equals the variable 'width', which can easily be modified by the input file and can have a value big enough to overwrite the local buffer img.

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw

-- no debconf information
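The find_green() excerpt in the report above shows the pattern behind the crash: a count taken straight from the file (raw_width, then width) bounds a loop that writes into the fixed 2064-entry local array img. The C program below is an added example, not dcraw or ufraw code. It reads raw_width at the header offset the identify() excerpt implies (6 + 8 + 8 + 16 + 2 + 2 = 42; little-endian byte order is assumed), reproduces the inner bit-unpacking loop, and adds the capacity check the original lacks, so the PoC's width of 0x4141 is rejected instead of indexing past the array. The header and sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not dcraw/ufraw code. Mirrors the identify()/find_green()
 * pattern from the report: a column count read from the file is used as the
 * loop bound for writes into a fixed-size local array. */

#define IMG_COLS 2064          /* ushort img[2][2064] in dcraw's find_green() */

/* Header layout implied by the identify() excerpt: 6-byte magic, make[8],
 * model[8], model2[16], data_offset (2), a skipped get2() (2), raw_width (2),
 * raw_height (2). Byte order is assumed little-endian here. */
#define MAGIC         "\0\001\0\001\0@"
#define RAW_WIDTH_OFF 42
#define HEADER_LEN    46

/* Return raw_width as get2() would, or -1 if the header is short or wrong. */
int parse_raw_width(const uint8_t *buf, size_t len)
{
    if (len < HEADER_LEN || memcmp(buf, MAGIC, 6) != 0)
        return -1;
    return buf[RAW_WIDTH_OFF] | (buf[RAW_WIDTH_OFF + 1] << 8);
}

/* Unpack `width` samples of `bps` bits, pulled from the stream in `bite`-bit
 * little-endian chunks exactly as find_green()'s inner loop does, into a
 * caller-supplied buffer. The capacity check is the part the original lacks.
 * Returns the number of samples written, or -1 if the request does not fit. */
int unpack_row(const uint8_t *data, size_t len, int width, int bps, int bite,
               uint16_t *out, size_t out_cap)
{
    if (width < 0 || (size_t)width > out_cap)              /* missing in dcraw */
        return -1;
    if (bps <= 0 || bps > 16 || bite <= 0 || bite > 32 || bite % 8 != 0)
        return -1;

    uint64_t bitbuf = 0;
    int vbits = 0;
    size_t pos = 0;
    for (int col = 0; col < width; col++) {
        for (vbits -= bps; vbits < 0; vbits += bite) {
            bitbuf <<= bite;
            for (int i = 0; i < bite; i += 8)              /* fgetc() stand-in; EOF reads as 0 */
                bitbuf |= (uint64_t)(pos < len ? data[pos++] : 0) << i;
        }
        out[col] = (uint16_t)(bitbuf << (64 - bps - vbits) >> (64 - bps));
    }
    return width;
}

/* identify() + find_green() in miniature: width comes straight from the file
 * and drives two rows of unpacking (find_green() seeks to off0/off1; here both
 * rows read the bytes after the header). Returns width, or a negative code. */
int process_file(const uint8_t *file, size_t len)
{
    uint16_t img[2][IMG_COLS];                              /* same shape as dcraw's local */
    int width = parse_raw_width(file, len);
    if (width < 0)
        return -1;
    for (int c = 0; c < 2; c++)
        if (unpack_row(file + HEADER_LEN, len - HEADER_LEN, width, 10, 16,
                       img[c], IMG_COLS) < 0)
            return -2;   /* width > 2064: in the original this is the stack smash */
    return width;
}

/* Constructed input: valid magic, zeroed name fields, the given raw_width and
 * 16 bytes of filler sample data. Returns bytes written, 0 if cap is too small. */
size_t build_file(uint16_t raw_width, uint8_t *buf, size_t cap)
{
    const size_t total = HEADER_LEN + 16;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, MAGIC, 6);
    buf[RAW_WIDTH_OFF]     = (uint8_t)(raw_width & 0xff);
    buf[RAW_WIDTH_OFF + 1] = (uint8_t)(raw_width >> 8);
    for (size_t i = HEADER_LEN; i < total; i++)
        buf[i] = (uint8_t)(0x10 + i);
    return total;
}

int main(void)
{
    uint8_t f[HEADER_LEN + 16];
    size_t n = build_file(0x4141, f, sizeof f);             /* the PoC's raw_width */
    printf("raw_width 0x%04x -> %d\n", parse_raw_width(f, n), process_file(f, n));
    n = build_file(8, f, sizeof f);
    printf("raw_width 0x%04x -> %d\n", parse_raw_width(f, n), process_file(f, n));
    return 0;
}
```

The check is deliberately placed in the routine that owns the buffer rather than in identify(): width is a global that many code paths set, so validating it against the array's capacity at the point of use is what actually closes the bug.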
Bug#890016: fig2dev: null dereference while running fig2dev
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

null dereference running fig2dev with "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a null dereference which may allow a remote attacker to cause a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/fig2dev/null$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
incomplete spline object
ASAN:DEADLYSIGNAL
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x5557911b bp 0x6080bf20 sp 0x7fffd8d0 T0)
    #0 0x5557911a in free_splinestorage /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
    #1 0x5557ad0d in read_splineobject /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
    #2 0x5557bef7 in read_1_3_objects /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
    #3 0x55581ad4 in readfp_fig /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:187
    #4 0x5556eb70 in main /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
    #5 0x763762b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x5556f259 in _start (/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122 in free_splinestorage
==16804==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information

71 0 1 16 3 16 6 0 16 6 0 1 1 6 1=6
Bug#890015: fig2dev: global buffer overflow while running fig2dev
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

global buffer overflow running fig2dev with "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a global buffer overflow which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/fig2dev/global$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
==16175==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55826e40 at pc 0x5557da29 bp 0x7fffdcd0 sp 0x7fffdcc8
READ of size 8 at 0x55826e40 thread T0
    #0 0x5557da28 in save_comment /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425
    #1 0x5557da28 in get_line /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1404
    #2 0x55581d52 in read_objects /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:325
    #3 0x55581d52 in readfp_fig /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:185
    #4 0x5556eb70 in main /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
    #5 0x763762b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x5556f259 in _start (/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

0x55826e40 is located 32 bytes to the left of global variable 'line_no' defined in 'read.c:88:13' (0x55826e60) of size 4
0x55826e40 is located 0 bytes to the right of global variable 'comments' defined in 'read.c:95:14' (0x55826b20) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425 in save_comment
Shadow bytes around the buggy address:
  0x0aab2aafcd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aafcdc0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0aab2aafcdd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16175==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information
Bug#889272: jhead: heap buffer overflow while running jhead
Package: jhead
Version: 1:3.00-5
Severity: important
Tags: security

heap buffer overflow running jhead with "poc" option

Running 'jhead poc' with the attached file raises a heap buffer overflow which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/jhead/00013658$ ../../binary/jhead-3.00/jhead ./poc
==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020efff at pc 0x55570af5 bp 0x7ffef920 sp 0x7ffef918
READ of size 1 at 0x6020efff thread T0
    #0 0x55570af4 in Get32s exif.c:337
    #1 0x55570af4 in Get32u exif.c:365
    #2 0x55570af4 in process_EXIF exif.c:1021
    #3 0x55568506 in ReadJpegSections jpgfile.c:287
    #4 0x55568a05 in ReadJpegSections jpgfile.c:126
    #5 0x55568a05 in ReadJpegFile jpgfile.c:375
    #6 0x55564af3 in ProcessFile jhead.c:896
    #7 0x55562608 in main jhead.c:1729
    #8 0x767bb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #9 0x55563a19 in _start (/home/june/temp/report/binary/jhead-3.00/jhead+0xfa19)

0x6020efff is located 0 bytes to the right of 15-byte region [0x6020eff0,0x6020efff)
allocated by thread T0 here:
    #0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55567b36 in ReadJpegSections jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:337 in Get32s
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[07]
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10024==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages jhead depends on:
ii  libc6                2.24-11+deb9u1
ii  libjpeg-turbo-progs  1:1.5.1-2

jhead recommends no packages.

Versions of packages jhead suggests:
ii  imagemagick                     8:6.9.7.4+dfsg-11+deb9u4
ii  imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11+deb9u4

-- no debconf information
Bug#889270: advancecomp: heap buffer overflow while running advzip
Package: advancecomp
Version: 2.0-1
Severity: important
Tags: security

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises a heap buffer overflow which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/advzip/00030552$ ../../binary/advancecomp-2.0/advzip -l ./poc
==9858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060effd at pc 0x76e9af7f bp 0x7fffd6c0 sp 0x7fffce70
READ of size 2020 at 0x6060effd thread T0
    #0 0x76e9af7e (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
    #1 0x55579c2a in zip_entry::load_cent(unsigned char const*, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:722
    #2 0x5557b56f in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:867
    #3 0x5556e7a6 in list_single(std::__cxx11::basic_string const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #4 0x5556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #5 0x5557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #6 0x55572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #7 0x760082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x5556daf9 in _start (/home/june/temp/report/binary/advancecomp-2.0/advzip+0x19af9)

0x6060effd is located 0 bytes to the right of 61-byte region [0x6060efc0,0x6060effd)
allocated by thread T0 here:
    #0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55583a4a in data_alloc(unsigned int) /home/june/temp/report/binary/advancecomp-2.0/data.cc:51
    #2 0x55573af2 in cent_read(_IO_FILE*, unsigned int, unsigned char*&, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:113
    #3 0x5557b3c5 in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:847
    #4 0x5556e7a6 in list_single(std::__cxx11::basic_string const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #5 0x5556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #6 0x5557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #7 0x55572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #8 0x760082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00[05]
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9858==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6    2.24-11+deb9u1
ii  libgcc1
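The ASan report above shows a 2020-byte read from a 61-byte central-directory buffer inside zip_entry::load_cent. The C program below is an added example, not advancecomp code: it parses one ZIP central-directory file header (the 46-byte fixed part defined in PKWARE's APPNOTE) and checks the three file-supplied lengths (file name, extra field, comment) against the bytes actually present before any of them is dereferenced. The report does not say which field was involved, so the constructed bad input assumes it was the file name; the sizes 61 and 2020 are borrowed from the report and the buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not advancecomp code: bounds-checked parsing of ZIP
 * central-directory file headers. The three variable-length fields (file
 * name, extra field, comment) have their lengths declared in the header,
 * and those lengths must be checked against the bytes actually present
 * before anything is read from the buffer. */

#define CENT_SIG   0x02014b50u   /* "PK\001\002" */
#define CENT_FIXED 46            /* fixed part of the header, APPNOTE 4.3.12 */

struct cent_entry {
    uint16_t method, name_len, extra_len, comment_len;
    uint32_t crc, csize, usize, local_off;
    const uint8_t *name, *extra, *comment;   /* point into the caller's buffer */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one entry at buf[0]. Returns bytes consumed, or -1 when the header is
 * truncated, has a bad signature, or declares more variable-length bytes than
 * the `len` bytes that remain. */
int cent_parse(const uint8_t *buf, size_t len, struct cent_entry *e)
{
    if (len < CENT_FIXED || le32(buf) != CENT_SIG)
        return -1;
    e->method      = le16(buf + 10);
    e->crc         = le32(buf + 16);
    e->csize       = le32(buf + 20);
    e->usize       = le32(buf + 24);
    e->name_len    = le16(buf + 28);
    e->extra_len   = le16(buf + 30);
    e->comment_len = le16(buf + 32);
    e->local_off   = le32(buf + 42);

    /* Three uint16 values cannot overflow size_t; compare with what remains. */
    size_t var = (size_t)e->name_len + e->extra_len + e->comment_len;
    if (var > len - CENT_FIXED)              /* the check that stops the over-read */
        return -1;

    e->name    = buf + CENT_FIXED;
    e->extra   = e->name + e->name_len;
    e->comment = e->extra + e->extra_len;
    return (int)(CENT_FIXED + var);
}

/* Walk consecutive entries of a central directory; returns the entry count,
 * or -1 at the first entry that does not fit. */
int cent_walk(const uint8_t *buf, size_t len)
{
    struct cent_entry e;
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        int used = cent_parse(buf + pos, len - pos, &e);
        if (used < 0)
            return -1;
        pos += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed test input: a header whose name-length field says
 * `declared_name_len` while only `real_name_len` name bytes follow it.
 * Returns bytes written, or 0 if `cap` is too small. */
size_t build_cent(uint8_t *out, size_t cap, uint16_t declared_name_len, size_t real_name_len)
{
    size_t total = CENT_FIXED + real_name_len;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x01; out[3] = 0x02;   /* signature */
    out[10] = 8;                                                  /* method: deflate */
    out[28] = (uint8_t)(declared_name_len & 0xff);
    out[29] = (uint8_t)(declared_name_len >> 8);
    memset(out + CENT_FIXED, 'a', real_name_len);
    return total;
}

int main(void)
{
    uint8_t buf[128];
    struct cent_entry e;
    /* 61 bytes on disk (46 + 15), the allocation size from the report. */
    size_t n = build_cent(buf, sizeof buf, 15, 15);
    printf("honest header: %d\n", cent_parse(buf, n, &e));      /* 61 */
    n = build_cent(buf, sizeof buf, 2020, 15);
    printf("lying header:  %d\n", cent_parse(buf, n, &e));      /* -1 */
    return 0;
}
```

The same shape of check applies to the local file header and to the end-of-central-directory record: every length or offset that comes from the archive is compared against the size of the buffer it is about to be used on, not against the size the header claims the archive has.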
Bug#889224: gocr: heap buffer overflow while running gocr
Package: gocr
Version: 0.49-2+b1
Severity: important
Tags: security

heap buffer overflow running gocr with "poc" option

Running 'gocr poc' with the attached file raises a heap buffer overflow which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/gocr/4223$ ../../binary/gocr-0.49/src/gocr poc
==5380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140ffc1 at pc 0x5562c95f bp 0x7fff4da0 sp 0x7fff4d98
READ of size 1 at 0x6140ffc1 thread T0
    #0 0x5562c95e in thresholding /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255
    #1 0x5558bf0c in pgm2asc /home/june/temp/report/binary/gocr-0.49/src/pgm2asc.c:2790
    #2 0x5556a1d8 in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:368
    #3 0x765972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #4 0x55568149 in _start (/home/june/temp/report/binary/gocr-0.49/src/gocr+0x14149)

0x6140ffc1 is located 0 bytes to the right of 385-byte region [0x6140fe40,0x6140ffc1)
allocated by thread T0 here:
    #0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55642c50 in readpgm /home/june/temp/report/binary/gocr-0.49/src/pnm.c:225
    #2 0x55569e93 in read_picture /home/june/temp/report/binary/gocr-0.49/src/gocr.c:310
    #3 0x5556a1ba in main /home/june/temp/report/binary/gocr-0.49/src/gocr.c:361
    #4 0x765972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/june/temp/report/binary/gocr-0.49/src/otsu.c:255 in thresholding
Shadow bytes around the buggy address:
  0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5380==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gocr depends on:
ii  libc6  2.24-11+deb9u1

Versions of packages gocr recommends:
ii  bzip2                                1.0.6-8.1
ii  fig2dev [transfig]                   1:3.2.6a-2+deb9u1
ii  libjpeg-turbo-progs [libjpeg-progs]  1:1.5.1-2
ii  netpbm                               2:10.0-15.3+b2
ii  transfig                             1:3.2.6a-2+deb9u1

gocr suggests no packages.

-- no debconf information
Bug#883200: ffmpeg2theora: null pointer dereference while running ffmpeg2theora
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows:

===
(gdb) r poc
Starting program: /home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] Lr-middle is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[wsd @ 0x61b00080] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-de...@ffmpeg.org)
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] emphasis is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[wsd @ 0x61b00080] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-de...@ffmpeg.org)
[dsd_msbf @ 0x61900580] Channel layout '5 channels (FL+FR+BL+BR+FLC)' with 5 channels does not match specified number of channels 6: ignoring specified channel layout
[wsd @ 0x61b00080] Estimating duration from bitrate, this may be inaccurate
Input #0, wsd, from 'poc':
  Metadata:
    playback_time   : 00:00:00:00
  Duration: 00:00:00.00, bitrate: 118545 kb/s
    Stream #0:0: Audio: dsd_msbf, 198656 Hz, 6 channels, fltp, 9535 kb/s
[dsd_msbf @ 0x61900080] Multiple frames in a packet.
[dsd_msbf @ 0x61900080] get_buffer() failed

Program received signal SIGSEGV, Segmentation fault.
0x555883a7 in oggmux_add_audio (info=0x557cd060, buffer=0x61603380, samples=1, e_o_s=1) at src/theorautils.c:1254
1254            vorbis_buffer[k][i] = ((const float *)buffer[j])[i];
(gdb) bt
#0  0x555883a7 in oggmux_add_audio (info=0x557cd060, buffer=0x61603380, samples=1, e_o_s=1) at src/theorautils.c:1254
#1  0x555792c5 in ff2theora_output (this=0x61a00080) at src/ffmpeg2theora.c:1688
#2  0x55580ad9 in main (argc=2, argv=0x7fffe0c8) at src/ffmpeg2theora.c:3095
(gdb) x/i $rip
=> 0x555883a7:  movss  (%rsi),%xmm0
(gdb) i r rsi
rsi            0x0      0
(gdb)
===

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57     7:3.4-3
ii  libavdevice57    7:3.4-3
ii  libavfilter6     7:3.4-3
ii  libavformat57    7:3.4-3
ii  libavutil55      7:3.4-3
ii  libc6            2.24-17
ii  libkate1         0.4.1-7+b1
ii  libogg0          1.3.2-1+b1
ii  liboggkate1      0.4.1-7+b1
ii  libpostproc54    7:3.4-3
ii  libswresample2   7:3.4-3
ii  libswscale4      7:3.4-3
ii  libtheora0       1.1.1+dfsg.1-14+b1
ii  libvorbis0a      1.3.5-4
ii  libvorbisenc2    1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
Bug#883198: bs1770gain: use after free while running bs1770gain with "poc output" option
Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security

use after free while running bs1770gain with "poc output" option

Running 'bs1770gain poc output' with the attached file raises a use after free which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.

I expected the program to terminate without a segfault, but the program crashes as follows:

---
june@yuweol:~/workspace/bugre/poc/bs1770gain/1$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
  [1/1] "poc": Error finding decoder: ffsox_frame_reader_create(), "ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" (92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000640 at pc 0x55582800 bp 0x7fffda60 sp 0x7fffda58
READ of size 8 at 0x61000640 thread T0
    #0 0x555827ff in ffsox_packet_consumer_list_free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
    #1 0x5559b91a in pbu_list_free_full (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
    #2 0x555773fe in ffsox_source_link_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
    #3 0x555762b5 in source_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
    #4 0x55570a2f in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
    #5 0x555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #6 0x5556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #7 0x744ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x555614e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

0x61000640 is located 0 bytes inside of 184-byte region [0x61000640,0x610006f8)
freed by thread T0 here:
    #0 0x76eff8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x5557393b in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
    #2 0x5556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x5556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x744ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x76effc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x55573841 in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
    #2 0x5556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x5556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x744ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff) in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:
  0x0c207fff8070: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c207fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c207fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff80b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c207fff80c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:
Bug#881145: sox: null pointer dereference while running play
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running play with "poc bass +3" option

Running 'play poc bass +3' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.

I expected the program to terminate without a segfault, but the program crashes as follows.

I sent this to the Debian security team before, but I didn't get any response, so I am sending this to the public.

---
june@yuweol:~/poc/play/crash1$ play poc bass +3

poc:

 File Size: 48        Bit Rate: 0.00394
  Encoding: WavPack
  Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
  Duration: 27:03:11.55

In:0.00% 00:00:00.00 [27:03:11.55] Out:0     [      |      ]        Clip:0
Segmentation fault
---
Thread 1 "play" received signal SIGSEGV, Segmentation fault.
0x7fffed796f34 in WavpackUnpackSamples () from /usr/lib/x86_64-linux-gnu/libwavpack.so.1
(gdb) x/i $rip
=> 0x7fffed796f34:  mov    0x1e0(%rdi),%rax
(gdb) i r rdi
rdi            0x0      0
---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6             2.24-17
ii  libgomp1          7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao     14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss    14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2           14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information
Bug#881144: fig2dev: out of bound read while running fig2dev with -L pic option
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L pic option

Running 'fig2dev -L pic poc' with the attached file raises an out-of-bounds read bug which may allow a remote attacker to cause a denial-of-service attack or information disclosure with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows.

===
june@yuweol:~/poc/fig2dev/crash2$ fig2dev -L pic ./poc
.PS
.ps 11
Segmentation fault
===
Program received signal SIGSEGV, Segmentation fault.
0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
194         if (PSmapwarn[t->font+1])
(gdb) p t->font
$1 = 7111
(gdb) bt
#0  0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
#1  0x5558e282 in genpic_text (t=0x55810160) at genpic.c:443
#2  0x555615d2 in gendev_objects (dev=0x557ef200 , objects=0x7fffe0f0) at fig2dev.c:833
#3  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x55567960:  mov    (%rcx,%rdx,4),%ecx
(gdb) i r rcx rdx
rcx            0x555c3f60       93824992690016
rdx            0x43d11c8        7112
===
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information

poc
Description: Binary data
Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L tikz option

Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bounds read bug which may allow a remote attacker to cause a denial-of-service attack or information disclosure with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows.
I sent this to the debian security team before, but I didn't get any response. So I send this to the public.

===
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x77339d78 in _IO_vfprintf_internal (s=0x7768b600 <_IO_2_1_stdout_>, format=, ap=ap@entry=0x7fffde88) at vfprintf.c:1637
#2  0x77340157 in __fprintf (stream=, format=format@entry=0x555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
#4  gentikz_text (t=0x55810160) at gentikz.c:1769
#5  0x555618cd in gendev_objects (dev=0x557f8ec0 , objects=0x7fffdfa0) at fig2dev.c:833
#6  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x77371646:  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x29292922       690563362
(gdb) f 3
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
1725                    fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922

With the attached file, t->font can be set to a negative value, which causes this bug.

[fig2dev/dev/gentikz.c]
1724            else
1725                    fprintf(tfp, "\\normalfont%s ",
1726                            texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
===
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig

-- no debconf information

poc (attachment):
1 1 1 11 4-51 11 0 5 1 91 1 c
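The pic crash (PSmapwarn[t->font+1] with t->font = 7111) and the tikz crash (texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1] with t->font = -51) are the same mistake seen from two sides: a font number read straight from the .fig file is used as an array index, and the one check that exists only looks at the upper bound. The C below is an added illustration, not fig2dev's code or part of either report: texfonts[] and MAX_FONT are constructed stand-ins of an assumed size, psmap_index_checked() assumes the +1 offset means -1 is a legitimate default font number, and the table length 64 passed to it is likewise assumed.

```c
#include <stdio.h>

/* Constructed stand-in for fig2dev's texfonts[] table. MAX_FONT is an
 * assumed size; the real table and constant are not reproduced here. */
#define MAX_FONT 4
static const char *const texfonts[MAX_FONT] = {
    "\\rmfamily", "\\sffamily", "\\ttfamily", "\\itshape"
};

/* Index produced by the expression at gentikz.c:1726. The test only looks
 * at the upper bound, so -51 passes through unchanged, and MAX_FONT itself
 * passes although a MAX_FONT-entry table ends at MAX_FONT - 1. */
static int tikz_font_index_original(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

/* Checked replacement: every value outside [0, MAX_FONT) maps to the same
 * fallback entry the original intended for oversized font numbers. */
static int tikz_font_index_checked(int font)
{
    if (font < 0 || font >= MAX_FONT)
        return MAX_FONT - 1;
    return font;
}

/* True when idx can be used to read texfonts[] without leaving the array. */
static int texfont_index_in_bounds(int idx)
{
    return idx >= 0 && idx < MAX_FONT;
}

/* psfonts.c:194 reads PSmapwarn[t->font+1], i.e. the array is addressed with
 * an offset of one (assumption: -1 is a legitimate "default" font number).
 * The bound must therefore be checked on the shifted value: returns the
 * shifted index, or -1 when font is outside [-1, n-2] for an n-entry array. */
static int psmap_index_checked(int font, int n)
{
    if (font < -1 || font > n - 2)
        return -1;
    return font + 1;
}

int main(void)
{
    int fonts[] = { -51, 7111, MAX_FONT, 2 };
    for (size_t i = 0; i < sizeof fonts / sizeof fonts[0]; i++) {
        int orig = tikz_font_index_original(fonts[i]);
        int safe = tikz_font_index_checked(fonts[i]);
        printf("font %5d: original index %5d (%s), checked index %d -> %s, "
               "PSmapwarn index %d\n",
               fonts[i], orig,
               texfont_index_in_bounds(orig) ? "in bounds" : "OUT OF BOUNDS",
               safe, texfonts[safe], psmap_index_checked(fonts[i], 64));
    }
    return 0;
}
```

Both checked variants refuse negative numbers explicitly instead of relying on a signed comparison against the upper bound, which is the whole of the fix; the PSmapwarn variant additionally folds the +1 into the range check so the comparison is made on the index that is actually dereferenced.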
Bug#881141: gifsicle: out of bound read while running gifsicle
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

out of bound read while running gifsicle with "gifsicle --dither --use-col=bw poc -o output" option

Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file raises an out-of-bounds read which may allow a remote attacker to cause a denial-of-service attack or information disclosure with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault
---
Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x55790c50, all_new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at quantize.c:1149
1149        if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144              + (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145          use.a[k] = KC_CLAMPV(v);
1146      }
1147
1148      e = old_cm->col[*data].pixel;
1149      if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
1150          *new_data = e;
1151      else
1152          *new_data = kd3_closest_transformed(kd3, &use, NULL);
1153      histogram[*new_data]++;

* At 1148, e was set to 0xdeadbeef, which was manipulated.
* This value is used as an index into the array kd3->ks at 1149, which causes a segmentation fault in this case.

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at kcolor.h:110
110         int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],
(gdb) bt
#0  0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at kcolor.h:110
#1  0x5556ca0e in colormap_image_floyd_steinberg (gfi=0x55790c50, all_new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at quantize.c:1149
#2  0x5556e19a in dither (gfi=0x55790c50, new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0, od=0x5578dbc0 ) at quantize.c:1488
#3  0x5556e83f in colormap_stream (gfs=0x55790330, new_cm=0x5578e890, od=0x5578dbc0 ) at quantize.c:1613
#4  0x5557bdd8 in do_colormap_change (gfs=0x55790330) at gifsicle.c:904
#5  0x5557c1db in merge_and_write_frames (outfile=0x7fffe52d "output", f1=0, f2=-1) at gifsicle.c:1030
#6  0x5557c54d in output_frames () at gifsicle.c:1105
#7  0x5557f212 in main (argc=6, argv=0x7fffe1e8) at gifsicle.c:2173
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

poc
Description: Binary data
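What the gifsicle trace shows is two consecutive lookups fed by the file: the image byte *data selects a colormap entry, and that entry's pixel field is then used, unchecked, as the index e into kd3->ks and kd3->xradius. The C below is an added illustration of how both hops can be validated inside the dithering loop; it is not gifsicle's code, and the colormap, kd3 and pixel structures are constructed stand-ins carrying only the fields the report touches, with the error-diffusion arithmetic left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, not gifsicle's Gif_Colormap / kd3_tree. */
typedef struct { uint32_t pixel; } color_entry;              /* old_cm->col[i]   */
typedef struct { int ncol; const color_entry *col; } colormap;
typedef struct { int nitems; const int *xradius; } kd3_tree;  /* kd3->ks/xradius  */

enum { LOOKUP_OK = 0, LOOKUP_BAD_DATA = -1, LOOKUP_BAD_PIXEL = -2 };

/* Hop one: the image byte must name an existing colormap entry. Hop two: the
 * entry's pixel field must name an existing kd3 item. The report's crash is
 * at hop two, where e = 0xdeadbeef was used to read kd3->ks[e]. */
static int kd3_index_for_pixel(const colormap *cm, const kd3_tree *kd3,
                               uint8_t data, uint32_t *e_out)
{
    if ((int)data >= cm->ncol)
        return LOOKUP_BAD_DATA;
    uint32_t e = cm->col[data].pixel;
    if (e >= (uint32_t)kd3->nitems)
        return LOOKUP_BAD_PIXEL;
    *e_out = e;
    return LOOKUP_OK;
}

/* Maps one row the way the loop at quantize.c:1148-1153 does, minus the error
 * diffusion: an index that fails validation is counted, never dereferenced.
 * Returns the number of rejected pixels. */
static int map_row_checked(const colormap *cm, const kd3_tree *kd3,
                           const uint8_t *data, size_t w,
                           uint32_t *new_data, uint32_t *histogram)
{
    int bad = 0;
    for (size_t x = 0; x < w; x++) {
        uint32_t e;
        if (kd3_index_for_pixel(cm, kd3, data[x], &e) != LOOKUP_OK) {
            bad++;
            continue;
        }
        new_data[x] = e;
        histogram[e]++;
    }
    return bad;
}

/* Constructed input: a 3-entry colormap whose last entry carries the bogus
 * pixel value from the report, and a 4-item kd3 table. */
static const color_entry demo_cols[3] = { {1}, {3}, {0xdeadbeefu} };
static const colormap demo_cm = { 3, demo_cols };
static const int demo_radius[4] = { 0, 0, 0, 0 };
static const kd3_tree demo_kd3 = { 4, demo_radius };

/* Runs a constructed 5-pixel row (entries 0, 1, 2, an out-of-range 200, 0)
 * through the checked loop; returns the rejection count. */
static int run_demo(uint32_t out[5], uint32_t hist[4])
{
    static const uint8_t row[5] = { 0, 1, 2, 200, 0 };
    for (int i = 0; i < 5; i++) out[i] = 0;
    for (int i = 0; i < 4; i++) hist[i] = 0;
    return map_row_checked(&demo_cm, &demo_kd3, row, 5, out, hist);
}

int main(void)
{
    uint32_t out[5], hist[4];
    int bad = run_demo(out, hist);
    printf("%d of 5 pixels rejected; histogram: %u %u %u %u\n",
           bad, hist[0], hist[1], hist[2], hist[3]);
    return 0;
}
```

The point of checking at the second hop as well as the first is that the colormap contents are themselves decoded from the file, so a valid image byte does not make the entry it selects trustworthy.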
Bug#881139: ffmpeg2theora: heap buffer overflow while running ffmpeg2theora
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

heap buffer overflow running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/ffmpeg2theora/crash7$ ffmpeg2theora poc
[h263 @ 0x5642844b4840] Format h263 detected only with low score of 25, misdetection possible!
[h263 @ 0x5642844b5d60] Independent Segment Decoding not supported
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1
  Frame Aspect Ratio: 0.02/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x5642844b5880] Independent Segment Decoding not supported
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 0x0
[h263 @ 0x5642844b5880] Error at MB: 0
[h263 @ 0x5642844b5880] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 7x0
[h263 @ 0x5642844b5880] Error at MB: 7
[h263 @ 0x5642844b5880] concealing 396 DC, 396 AC, 396 MV errors in P frame
Segmentation fault
---
[h263 @ 0x61b00080] Format h263 detected only with low score of 25, misdetection possible!
[h263 @ 0x61900580] Independent Segment Decoding not supported
Input #0, h263, from '/home/june/poc/ffmpeg2theora/crash7/poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1
  Frame Aspect Ratio: 0.02/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x61900080] Independent Segment Decoding not supported
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 0x0
[h263 @ 0x61900080] Error at MB: 0
[h263 @ 0x61900080] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 7x0
[h263 @ 0x61900080] Error at MB: 7
[h263 @ 0x61900080] concealing 396 DC, 396 AC, 396 MV errors in P frame
==11538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633a7980 at pc 0x7fb5ce7046c2 bp 0x7ffcb5580080 sp 0x7ffcb557f830
READ of size 40 at 0x633a7980 thread T0
    #0 0x7fb5ce7046c1  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
    #1 0x7fb5ca6d9c8d in image_copy_plane libavutil/imgutils.c:317
    #2 0x7fb5ca6d9c8d in image_copy libavutil/imgutils.c:379
    #3 0x7fb5ca6d9c8d in av_image_copy libavutil/imgutils.c:398
    #4 0x7fb5cb5879ee in av_picture_copy libavcodec/avpicture.c:78
    #5 0x55d20da5cbbf in ff2theora_output src/ffmpeg2theora.c:1538
    #6 0x55d20da65ad8 in main src/ffmpeg2theora.c:3095
    #7 0x7fb5c9e182e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55d20da4ee79 in _start (/home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora+0x15e79)

0x633a7980 is located 337 bytes to the right of 110639-byte region [0x6338c800,0x633a782f)
allocated by thread T0 here:
    #0 0x7fb5ce768758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fb5ca6de2b6 in av_malloc libavutil/mem.c:87

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
Shadow bytes around the buggy address:
  0x0c668000cee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cf00: 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c668000cf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global
Bug#881138: ffmpeg2theora: use uninitialized stack value as a pointer while running ffmpeg2theora
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

use uninitialized stack value as a pointer while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file uses an uninitialized stack value as a pointer, which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/ffmpeg2theora/crash3$ ffmpeg2theora poc
[h263 @ 0x557eb7fb5840] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc
  Pixel Aspect Ratio: 1.09/1
  Frame Aspect Ratio: 1.33/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x557eb7fb6880] I cbpc damaged at 0 0
[h263 @ 0x557eb7fb6880] Error at MB: 0
[h263 @ 0x557eb7fb6880] concealing 99 DC, 99 AC, 99 MV errors in I frame
      0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:00:00
Segmentation fault
---
Starting program: /usr/bin/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h263 @ 0x55811820] Format h263 detected only with low score of 25, misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 1200k tbn, 29.97 tbc

Breakpoint 1, 0x55563ab8 in ?? ()
(gdb) x/2x $rbp - 0x368
0x7fffca18:     0xf493f960      0x7fff

  - This is the entry point of the function; the local variable at $rbp - 0x368 is 0x7693f960.

(gdb) c
Continuing.
  Pixel Aspect Ratio: 1.09/1
  Frame Aspect Ratio: 1.33/1
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x55812860] I cbpc damaged at 0 0
[h263 @ 0x55812860] Error at MB: 0
[h263 @ 0x55812860] concealing 99 DC, 99 AC, 99 MV errors in I frame
      0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:01:55

Program received signal SIGSEGV, Segmentation fault.
clear_context (s=0x7493f960) at libswresample/swresample.c:116
116         s->in_buffer_index= 0;

  - The value 7493f960, which is the same as the uninitialized value above, was passed to the clear_context function as a parameter.

(gdb) bt
#0  clear_context (s=0x7493f960) at libswresample/swresample.c:116
#1  0x555648e6 in ?? ()
#2  0xc8da in main ()
(gdb) f 1
#1  0x555648e6 in ?? ()
(gdb) x/5i $rip-16
   0x555648d6:  mov    -0x368(%rbp),%edi
   0x555648dc:  test   %rdi,%rdi
   0x555648df:  je     0x555648e6
   0x555648e1:  callq  0xb650
=> 0x555648e6:  mov    -0x38(%rbp),%rax
(gdb) x/2x $rbp - 0x368
0x7fffca18:     0xf493f960      0x7fff

  - The argument %rdi comes from -0x368(%rbp), which is the same position we checked at the entry point of this function.
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information

poc
Description: Binary data
Bug#881133: x264: out of bound read while running x264
Package: x264
Version: 2:0.148.2795+gitaaa9aa8-1
Severity: important
Tags: security

out of bound read while running x264 with "--crf 24 -o output.264 poc" option

Running 'x264 --crf 24 -o output.264 poc' with the attached file raises an out-of-bounds read which may allow a remote attacker to cause a denial-of-service attack or information disclosure with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/x264/crash1$ x264 --crf 24 -o output.264 poc
Segmentation fault
---
Breakpoint 1, Vgm_Emu_Impl::run_commands (this=0x557aafd0, end_time=2205) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:202
warning: Source file is more recent than executable.
202                     pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
(gdb) l
197                             pos += size;
198                             break;
199                     }
200
201                     case cmd_pcm_seek:
202                             pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
203                                             pos [1] * 0x100L + pos [0];
204                             pos += 4;
205                             break;
206
(gdb) x/s &pos[0]
0x557b2d75:     "DEAD\235\235\235\235T\302\\", '\302' , "TTT}\374\270\337U\020"

* Here pcm_pos was calculated based on the value in the pos buffer.
* The values in the pos buffer can be manipulated (in this case the pos buffer starts with DEAD).

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, end_time=2205) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
212                                     write_pcm( vgm_time, *pcm_pos++ );
(gdb) l
207                     default:
208                             int cmd = pos [-1];
209                             switch ( cmd & 0xF0 )
210                             {
211                             case cmd_pcm_delay:
212                                     write_pcm( vgm_time, *pcm_pos++ );
213                                     vgm_time += cmd & 0x0F;
214                                     break;
215
216                             case cmd_short_delay:

* Later this manipulated pcm_pos is used at line 212, which raises a segmentation fault in this case.

(gdb) bt
#0  0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, end_time=2205) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
#1  0x77bbc2b8 in Vgm_Emu::run_clocks (this=0x557aafd0, time_io=@0x7fffcc34: 178977, msec=50) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:403
#2  0x77b7d047 in Classic_Emu::play_ (this=0x557aafd0, count=2048, out=0x557b1d10) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Classic_Emu.cpp:113
#3  0x77bbc31f in Vgm_Emu::play_ (this=0x557aafd0, count=2048, out=0x557b1d10) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:411
#4  0x77b8692b in Music_Emu::emu_play (this=0x557aafd0, count=2048, out=0x557b1d10) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:305
#5  0x77b86a4d in Music_Emu::fill_buf (this=0x557aafd0) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:327
#6  0x77b86ecc in Music_Emu::play (this=0x557aafd0, out_count=256, out=0x557da6c0) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:400
#7  0x77b82a1f in gme_play (me=0x557aafd0, n=256, p=0x557da6c0) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/gme.cpp:336
#8  0x767f2e1d in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#9  0x768d870a in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x768d937c in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#11 0x768db320 in avformat_find_stream_info () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#12 0x76b9a0af in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#13 0x76b9620a in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#14 0x76b9399c in FFMS_CreateIndexerWithDemuxer () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#15 0x5556b60a in ?? ()
#16 0xc93d in ?? ()
#17 0x7426c2e1 in __libc_start_main (main=0xa030, argc=6, argv=0x7fffe208, init=, fini=, rtld_fini=, stack_end=0x7fffe1f8) at ../csu/libc-start.c:291
#18 0xcb3a in ?? ()
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
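The x264 crash is really in game-music-emu, reached through libavformat's VGM demuxer: cmd_pcm_seek turns four bytes from the file into an offset and adds it to pcm_data without ever comparing it with the size of the PCM data block, and cmd_pcm_delay then dereferences pcm_pos with no end check either. The C below is an added model of those two commands with both checks in place; it is not game-music-emu's code or part of the report. The command values (0xE0 for the seek, 0x8n for the sample-plus-delay) are the ones the listing names, the PCM block and the three command streams are constructed, and every other VGM command is deliberately unmodelled and rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { cmd_pcm_seek = 0xE0, cmd_pcm_delay = 0x80 };

typedef struct {
    const uint8_t *pcm_data;  /* PCM data block from the file */
    size_t pcm_size;          /* its length: the value the original never consults */
    const uint8_t *pcm_pos;   /* read cursor set by cmd_pcm_seek, NULL until then */
    unsigned vgm_time;
    int last_sample;          /* last byte handed to the PCM output, -1 if none */
} vgm_state;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* cmd_pcm_seek: the original computed pcm_data + offset unconditionally, so the
 * "DEAD" bytes in the report placed the cursor about 1.1 GB past the block.
 * Here an offset at or beyond the end is refused before any pointer is formed. */
static int vgm_pcm_seek(vgm_state *s, const uint8_t *arg)
{
    uint32_t off = read_le32(arg);
    if (off >= s->pcm_size)
        return -1;
    s->pcm_pos = s->pcm_data + off;
    return 0;
}

/* cmd_pcm_delay (0x8n): emit one PCM byte, then wait n samples. The cursor is
 * checked on every read, not just at seek time, because a stream can walk off
 * the end of the block one legitimate-looking command at a time. */
static int vgm_pcm_delay(vgm_state *s, int cmd)
{
    if (s->pcm_pos == NULL || s->pcm_pos >= s->pcm_data + s->pcm_size)
        return -1;
    s->last_sample = *s->pcm_pos++;
    s->vgm_time += cmd & 0x0F;
    return 0;
}

/* Runs the commands in [pos, end). Returns the number executed, or -1 at the
 * first malformed one (unknown command, truncated argument, out-of-range access). */
static int vgm_run(vgm_state *s, const uint8_t *pos, const uint8_t *end)
{
    int n = 0;
    while (pos < end) {
        int cmd = *pos++;
        if (cmd == cmd_pcm_seek) {
            if (end - pos < 4 || vgm_pcm_seek(s, pos) < 0)
                return -1;
            pos += 4;
        } else if ((cmd & 0xF0) == cmd_pcm_delay) {
            if (vgm_pcm_delay(s, cmd) < 0)
                return -1;
        } else {
            return -1;   /* other VGM commands are not modelled here */
        }
        n++;
    }
    return n;
}

/* Constructed PCM block and command streams. */
static const uint8_t demo_pcm[4]       = { 0x80, 0x90, 0xA0, 0xB0 };
static const uint8_t demo_good[]       = { 0xE0, 0x02, 0x00, 0x00, 0x00, 0x85, 0x83 };
static const uint8_t demo_dead_off[]   = { 0xE0, 'D', 'E', 'A', 'D', 0x85 };
static const uint8_t demo_overread[]   = { 0xE0, 0x03, 0x00, 0x00, 0x00, 0x85, 0x85 };

/* Runs stream 0 (benign), 1 (the report's DEAD offset) or 2 (seek to the last
 * byte, then read twice) against a fresh state left in *s for inspection. */
static int demo_run(int which, vgm_state *s)
{
    const uint8_t *cmds = which == 1 ? demo_dead_off : which == 2 ? demo_overread : demo_good;
    size_t len = which == 1 ? sizeof demo_dead_off : which == 2 ? sizeof demo_overread : sizeof demo_good;
    *s = (vgm_state){ demo_pcm, sizeof demo_pcm, NULL, 0, -1 };
    return vgm_run(s, cmds, cmds + len);
}

int main(void)
{
    vgm_state s;
    int r = demo_run(0, &s);
    printf("benign stream: %d commands, last sample 0x%02x, time %u\n", r, s.last_sample, s.vgm_time);
    r = demo_run(1, &s);
    printf("DEAD offset: result %d, cursor %s\n", r, s.pcm_pos ? "set" : "never formed");
    r = demo_run(2, &s);
    printf("over-read: result %d after %u samples of delay\n", r, s.vgm_time);
    return 0;
}
```

The order matters: the offset is validated against pcm_size before the addition, so no out-of-range pointer ever exists to be compared or dereferenced later, and the per-read check covers the case the seek check cannot, a cursor that starts inside the block and is advanced past its end.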
Bug#881132: bs1770gain: stack buffer overflow while running bs1770gain
Package: bs1770gain
Version: 0.4.12-2
Severity: important
Tags: security

stack buffer overflow while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises a stack buffer overflow which may allow a remote attacker to cause a denial-of-service attack or
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/bs1770gain/crash2$ bs1770gain poc -o output
analyzing ...
  [1/1] "poc": Segmentation fault
---
june@yuweol:~/poc/bs1770gain/crash2$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc -o output
analyzing ...
  [1/1] "poc":
==5034==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffded69470 at pc 0x55e89c1c8419 bp 0x7fffded693b0 sp 0x7fffded693a8
WRITE of size 8 at 0x7fffded69470 thread T0
    #0 0x55e89c1c8418 in convert_fltp (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
    #1 0x55e89c1c99af in ffsox_frame_convert_sox (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2c9af)
    #2 0x55e89c1c1f29 in sox_reader_run (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x24f29)
    #3 0x55e89c1bd686 in ffsox_machine_run (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x20686)
    #4 0x55e89c1c19d3 in ffsox_sox_reader_read (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x249d3)
    #5 0x55e89c1c2577 in drain (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x25577)
    #6 0x7f2434b9db4d in sox_flow_effects (/usr/lib/x86_64-linux-gnu/libsox.so.2+0x28b4d)
    #7 0x55e89c1b98f2 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1c8f2)
    #8 0x55e89c1b19fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #9 0x55e89c1ae14e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #10 0x7f24347f82e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #11 0x55e89c1aa4e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

Address 0x7fffded69470 is located in stack of thread T0 at offset 96 in frame
    #0 0x55e89c1c81df in convert_fltp (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b1df)

  This frame has 1 object(s):
    [32, 96) 'rp' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418) in convert_fltp
Shadow bytes around the buggy address:
  0x10007bda5230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007bda5280: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3
  0x10007bda5290: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007bda52a0: f1 f1 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00
  0x10007bda52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda52c0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f3 f3
  0x10007bda52d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5034==ABORTING
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via
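The ASan frame description is the useful part of this report: 'rp' occupies [32, 96), 64 bytes, and the faulting access is an 8-byte WRITE exactly at offset 96. On x86_64 that is an array of eight pointers being written a ninth time, which fits a planar-float converter that keeps one read pointer per channel in a fixed stack array and takes the channel count from the decoded stream. The C below is an added reconstruction of that shape with the missing check, not bs1770gain's convert_fltp: the 8-entry size is inferred from the ASan output, the frame structure and the interleaved output layout are assumptions, and the two frames are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed from the ASan frame: a 64-byte object of 8-byte pointers. */
#define MAX_CHANNELS 8

/* Planar float audio as a decoder hands it over: one sample array per channel. */
typedef struct {
    int channels;
    int nb_samples;
    const float *const *data;
} planar_frame;

/* Returns 0 when the frame's channel count fits the fixed pointer array.
 * This is the check whose absence lets 'rp' be written past its end. */
static int channels_fit(const planar_frame *f)
{
    return f->channels > 0 && f->channels <= MAX_CHANNELS ? 0 : -1;
}

/* Interleaves a planar frame into out[] as ch0 s0, ch1 s0, ..., ch0 s1, ...
 * Returns the number of floats written, or -1 if the frame fits neither the
 * pointer array nor the output buffer. */
static int convert_fltp_checked(const planar_frame *f, float *out, size_t out_len)
{
    const float *rp[MAX_CHANNELS];   /* the fixed-size per-channel read pointers */
    if (channels_fit(f) < 0 || f->nb_samples < 0)
        return -1;
    size_t needed = (size_t)f->nb_samples * (size_t)f->channels;
    if (needed > out_len)
        return -1;
    for (int c = 0; c < f->channels; c++)
        rp[c] = f->data[c];          /* with channels > 8 this loop is the overflow */
    for (int n = 0; n < f->nb_samples; n++)
        for (int c = 0; c < f->channels; c++)
            *out++ = *rp[c]++;
    return (int)needed;
}

/* Constructed frames: a stereo one, and a 9-channel one that must be refused. */
static const float demo_left[3]  = { 1.0f, 2.0f, 3.0f };
static const float demo_right[3] = { 10.0f, 20.0f, 30.0f };
static const float *const demo_stereo_data[2] = { demo_left, demo_right };
static const planar_frame demo_stereo = { 2, 3, demo_stereo_data };

static const float *const demo_nine_data[9] = {
    demo_left, demo_left, demo_left, demo_left, demo_left,
    demo_left, demo_left, demo_left, demo_left
};
static const planar_frame demo_nine = { 9, 3, demo_nine_data };

int main(void)
{
    float out[6];
    int n = convert_fltp_checked(&demo_stereo, out, 6);
    printf("stereo: %d floats:", n);
    for (int i = 0; i < n; i++)
        printf(" %g", out[i]);
    printf("\n9 channels: %d\n", convert_fltp_checked(&demo_nine, out, 6));
    return 0;
}
```

A frame that fails channels_fit() has to be reported back up the pipeline rather than silently truncated to eight channels, since dropping channels would also change the loudness measurement the tool exists to compute.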
Bug#881131: bs1770gain: divide by zero while running bs1770gain
Package: bs1770gain
Version: 0.4.12-2
Severity: normal
Tags: security

divide by zero while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises a divide-by-zero exception which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/bs1770gain/crash1$ bs1770gain poc output
analyzing ...
  [1/1] "poc": Floating point exception
---
Program received signal SIGFPE, Arithmetic exception.
0x75858e6d in sox_flow_effects () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) x/i $rip
=> 0x75858e6d:  div    %rcx
(gdb) i r rcx
rcx            0x0      0
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libsox2         14.4.1-5+b2
ii  libswresample2  7:3.3.4-2+b2

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information

poc
Description: audio/flac
Bug#881130: vorbis-tools: use uninitialized local value as a pointer running oggenc
Package: vorbis-tools
Version: 1.4.0-10+b1
Severity: important
Tags: security

bad free while running oggenc with "poc -o output" option

Running 'oggenc poc -o output' with the attached file raises a bad free (use of an uninitialized local value as a pointer) which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows.

---
june@yuweol:~/poc/oggenc/crash1$ oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to "output" at quality 3.00
*** Error in `oggenc': free(): invalid pointer: 0x7fff9a8ae710 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f77a7e69bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f77a7e6ffc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f77a7e7080e]
/usr/lib/x86_64-linux-gnu/libogg.so.0(oggpack_writeclear+0x12)[0x7f77a819ba32]
/usr/lib/x86_64-linux-gnu/libvorbis.so.0(vorbis_analysis_headerout+0x467)[0x7f77a892a807]
oggenc(+0x7aa7)[0x55cc5a9afaa7]
oggenc(+0x3cf6)[0x55cc5a9abcf6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f77a7e192e1]
oggenc(+0x485a)[0x55cc5a9ac85a]
======= Memory map: ========
55cc5a9a8000-55cc5a9b9000 r-xp 08:01 2135134 /usr/bin/oggenc
55cc5abb8000-55cc5abb9000 r--p 0001 08:01 2135134 /usr/bin/oggenc
55cc5abb9000-55cc5abba000 rw-p 00011000 08:01 2135134 /usr/bin/oggenc
55cc5c25a000-55cc5c29c000 rw-p 00:00 0 [heap]
7f77a000-7f77a0021000 rw-p 00:00 0
7f77a0021000-7f77a400 ---p 00:00 0
7f77a7be2000-7f77a7bf8000 r-xp 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7bf8000-7f77a7df7000 ---p 00016000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df7000-7f77a7df8000 r--p 00015000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df8000-7f77a7df9000 rw-p 00016000 08:01 2235139 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df9000-7f77a7f8c000 r-xp 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a7f8c000-7f77a818c000 ---p 00193000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a818c000-7f77a819 r--p 00193000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a819-7f77a8192000 rw-p 00197000 08:01 2235485 /lib/x86_64-linux-gnu/libc-2.24.so
7f77a84a2000-7f77a86a1000 ---p 00103000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a1000-7f77a86a2000 r--p 00102000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a2000-7f77a86a3000 rw-p 00103000 08:01 2235490 /lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a3000-7f77a8718000 r-xp 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8718000-7f77a8918000 ---p 00075000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8918000-7f77a8919000 r--p 00075000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8919000-7f77a891a000 rw-p 00076000 08:01 2106746 /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a891a000-7f77a8945000 r-xp 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8945000-7f77a8b44000 ---p 0002b000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b44000-7f77a8b45000 r--p 0002a000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b45000-7f77a8b46000 rw-p 0002b000 08:01 2106748 /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b46000-7f77a8bd3000 r-xp 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8bd3000-7f77a8dd2000 ---p 0008d000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dd2000-7f77a8dee000 r--p 0008c000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dee000-7f77a8def000 rw-p 000a8000 08:01 2106751 /usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8def000-7f77a8e12000 r-xp 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a8e5-7f77a8feb000 r--p 08:01 2116104 /usr/lib/locale/locale-archive
7f77a8feb000-7f77a8fef000 rw-p 00:00 0
7f77a900e000-7f77a9012000 rw-p 00:00 0
7f77a9012000-7f77a9013000 r--p 00023000 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9013000-7f77a9014000 rw-p 00024000 08:01 2230784 /lib/x86_64-linux-gnu/ld-2.24.so
7f77a9014000-7f77a9015000 rw-p 00:00 0
7fff9a89-7fff9a8b1000 rw-p 00:00 0
Bug#881123: ffmpeg2theora: null pointer dereference while running ffmpeg2theora
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/ffmpeg2theora/crash4$ ffmpeg2theora poc
[aac @ 0x55a00e699840] Format aac detected only with low score of 1, misdetection possible!
[aac @ 0x55a00e69abc0] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69abc0] Assuming an incorrectly encoded 7.1 channel layout instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according to the specification instead.
[aac @ 0x55a00e69abc0] Multiple frames in a packet.
Input #0, aac, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Audio: aac (LC), 16000 Hz, 7.1, fltp
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according to the specification instead.
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[aac @ 0x55a00e69a5e0] More than one AAC RDB per ADTS frame is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according to the specification instead.
[aac @ 0x55a00e69a5e0] Multiple frames in a packet.
[aac @ 0x55a00e69a5e0] Reserved bit set.
[aac @ 0x55a00e69a5e0] Prediction is not allowed in AAC-LC.
Segmentation fault
---
Program received signal SIGSEGV, Segmentation fault.
0x55560ab1 in ?? ()
(gdb) bt
#0  0x55560ab1 in ?? ()
#1  0x55564ab4 in ?? ()
#2  0xc8da in main ()
(gdb) x/i $rip
=> 0x55560ab1: movss  (%r10,%r8,1),%xmm0
(gdb) i r r10 r8
r10            0x0      0
r8             0x0      0
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information

Attachment: poc (audio/hx-aac-adts)
Bug#881122: ffmpeg2theora: null pointer dereference while running ffmpeg2theora
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/ffmpeg2theora/crash2$ ffmpeg2theora poc
[adp @ 0x55fbce8ff840] Format adp detected only with low score of 1, misdetection possible!
Input #0, adp, from 'poc':
  Duration: 00:00:00.00, start: 0.00, bitrate: 658 kb/s
    Stream #0:0: Audio: adpcm_dtk, 48000 Hz, stereo, s16p
Segmentation fault
---
Program received signal SIGSEGV, Segmentation fault.
0x74b98199 in av_samples_fill_arrays () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
(gdb) bt
#0  0x74b98199 in av_samples_fill_arrays () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#1  0x74b984d9 in av_samples_alloc () from /usr/lib/x86_64-linux-gnu/libavutil.so.55
#2  0x55565e7a in ?? ()
#3  0xc8da in main ()
(gdb) x/i $rip
=> 0x74b98199: mov    %rbx,(%r12)
(gdb) i r r12
r12            0x0      0
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information
Bug#881121: sox: null pointer dereference while running sox
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running sox with "poc.aiff output.aiff speed 1.027" option

Running 'sox poc.aiff output.aiff speed 1.027' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/sox/crash1$ sox ./poc.aiff output.aiff speed 1.027
Segmentation fault
---
Program received signal SIGSEGV, Segmentation fault.
0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) bt
#0  0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#1  0x77b5cb17 in sox_read () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#2  0xfc74 in ?? ()
#3  0x77b6cb4e in sox_flow_effects () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#4  0x8e21 in ?? ()
#5  0x770772e1 in __libc_start_main (main=0x7980, argc=5, argv=0x7fffe268, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe258) at ../csu/libc-start.c:291
#6  0xa45a in ?? ()
(gdb) x/i $rip
=> 0x77ba7ff8: movzbl (%r11,%rsi,1),%edi
(gdb) i r r11 rsi
r11            0x0      0
rsi            0x0      0
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6             2.24-17
ii  libgomp1          7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao     14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss    14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2           14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information

Attachment: poc.aiff (Binary data)
Bug#881120: gifsicle: use after free while running gifsicle
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

use after free while running gifsicle with "poc poc -o output" option

Running 'gifsicle poc poc -o output' with the attached file raises a use after free which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/gifsicle/crash3$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
*** Error in `gifsicle': corrupted size vs. prev_size: 0x5607ed886d40 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f4338e5abfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f4338e60fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7738d)[0x7f4338e6138d]
/lib/x86_64-linux-gnu/libc.so.6(+0x78dfa)[0x7f4338e62dfa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f4338e64f64]
gifsicle(+0x877e)[0x5607ecfff77e]
gifsicle(+0x21a51)[0x5607ed018a51]
gifsicle(+0x22d97)[0x5607ed019d97]
gifsicle(+0x1f674)[0x5607ed016674]
gifsicle(+0x209a3)[0x5607ed0179a3]
gifsicle(+0x4054)[0x5607ecffb054]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f4338e0a2e1]
gifsicle(+0x472a)[0x5607ecffb72a]
Aborted
---
june@yuweol:~/poc/gifsicle/crash3$ ~/project/analyze/bins/gifsicle-1.90/src/gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0:
Bug#881119: gifsicle: double free while running gifsicle
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

double free while running gifsicle with '--delay 50 poc poc -o output' option

Running 'gifsicle --delay 50 poc poc -o output' with the attached file raises a double free which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/gifsicle/crash1$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
Segmentation fault
---
june@yuweol:~/poc/gifsicle/crash1$ ~/project/analyze/bins/gifsicle-1.90/src/gifsicle --delay 50 poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
=
==4607==ERROR: AddressSanitizer: attempting double-free on 0x61100400 in thread T0:
    #0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
    #2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
    #3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
    #4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x562d9a596da9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)

0x61100400 is located 0 bytes inside of 207-byte region [0x61100400,0x611004cf)
freed by thread T0 here:
    #0 0x7f519caaa8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x562d9a5b33ae in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
    #2 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #3 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #4 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #5 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
    #2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
    #3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
    #4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
    #5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
    #6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
    #7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0) in __interceptor_realloc
==4607==ABORTING
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

Attachment: poc (Binary data)
Bug#881019: ffmpeg2theora: null pointer dereference while running ffmpeg2theora with "poc" option
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follows:

---
june@yuweol:~/poc/ffmpeg2theora/crash1$ ffmpeg2theora poc
[lrc @ 0x558a4a3b6840] Format lrc detected only with low score of 5, misdetection possible!
Input #0, lrc, from 'poc':
  Duration: N/A, bitrate: N/A
    Stream #0:0: Subtitle: text
Segmentation fault
---
Program received signal SIGSEGV, Segmentation fault.
0x55565b8f in ?? ()
(gdb) bt
#0  0x55565b8f in ?? ()
#1  0xc8da in main ()
(gdb) x/i $rip
=> 0x55565b8f: mov    0x8(%rax),%rdi
(gdb) i r rax
rax            0x0      0
---
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information

Attachment: poc (Binary data)
Bug#878839: optipng: global-buffer-overflow bug while parsing GIF file
Package: optipng
Version: 0.7.6-1
Severity: normal

Dear Maintainer,

global-buffer-overflow bug while parsing GIF file

Running 'optipng' with the attached file raises a global-buffer-overflow bug, which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows:

* Please consider that this bug isn't found in default debian optipng *
* which is installed by apt-get.                                       *
* This bug is only triggered when optipng was compiled by clang or by  *
* gcc without any optimizations.                                       *

-
june@june:~/project/analyze/poc/optipng$ optipng poc
** Processing: poc
Warning: Bogus data in GIF
=
==11381==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55c9084bf040 at pc 0x55c908286630 bp 0x7fffd3831e40 sp 0x7fffd3831e38
WRITE of size 4 at 0x55c9084bf040 thread T0
    #0 0x55c90828662f (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f)
    #1 0x55c908285912 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x72912)
    #2 0x55c90828549f (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7249f)
    #3 0x55c908284e00 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x71e00)
    #4 0x55c908239928 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x26928)
    #5 0x55c9082367a7 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x237a7)
    #6 0x55c908229674 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x16674)
    #7 0x55c90822b778 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x18778)
    #8 0x55c90822c9fe (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x199fe)
    #9 0x55c90822731e (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x1431e)
    #10 0x55c908227436 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x14436)
    #11 0x7fb1b02de2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #12 0x55c908224389 (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x11389)

0x55c9084bf040 is located 0 bytes to the right of global variable 'stack' defined in 'gifread.c:401:16' (0x55c9084b7040) of size 32768
0x55c9084bf040 is located 32 bytes to the left of global variable 'oldcode' defined in 'gifread.c:398:27' (0x55c9084bf060) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f)
==11381==ABORTING

(gdb) r poc
Starting program: /usr/bin/optipng poc
** Processing: poc
Warning: Bogus data in GIF

Program received signal SIGSEGV, Segmentation fault.
0x5557d075 in LZWReadByte (init_flag=0, input_code_size=2, stream=0x5579e010) at gifread.c:499
499         *sp++ = table[1][code];
(gdb) bt
#0  0x5557d075 in LZWReadByte (init_flag=0, input_code_size=2, stream=0x5579e010) at gifread.c:499
#1  0x5557ca05 in GIFReadImageData
Bug#878745: ufraw-batch: NULL pointer dereference when running with --conf option
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.
I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error parsing 'poc'
Error on line 1 char 1: Document must begin with an element (e.g. <book>)

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x75456646: movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0      0

-
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u1
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information

Attachment: poc (Binary data)
Bug#878739: gifsicle: double-free bug when running gifdiff
Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,

Running 'gifdiff poc poc' with the attached file raises a double-free bug, which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes as follows:

june@june:~/project/analyze/poc/gifdiff/crash2$ ~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
=
==22514==ERROR: AddressSanitizer: attempting double-free on 0x61109c80 in thread T0:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e96f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x56146455dde9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)

0x61109c80 is located 0 bytes inside of 253-byte region [0x61109c80,0x61109d7d)
freed by thread T0 here:
    #0 0x7f3b1956fa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56146457952d in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
    #2 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #3 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #4 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #5 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING

-
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

Attachment: poc (Binary data)
Bug#878736: gifsicle: NULL pointer dereference when running gifdiff with attached poc(gifdiff poc poc)
Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,

Running 'gifdiff' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.
I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r poc poc
Starting program: /usr/bin/gifdiff poc poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 0 at file offset 13
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 0 at file offset 13

Program received signal SIGSEGV, Segmentation fault.
0xce38 in ?? ()
(gdb) x/i $rip
=> 0xce38: mov    (%rdx,%rax,8),%rbx
(gdb) i r rdx
rdx            0x0      0
(gdb) i r rax
rax            0x0      0

-
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

Attachment: poc (GIF)
Bug#878734: advancecomp: NULL pointer dereference when running advmng with -l option
Package: advancecomp
Version: 2.0-1
Severity: normal

Dear Maintainer,

Running 'advmng -l' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.
I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r -l poc
Starting program: /usr/bin/advmng -l poc

Program received signal SIGSEGV, Segmentation fault.
0x5556037f in ?? ()
(gdb) x/i $rip
=> 0x5556037f: movzwl 0x0(%rbp),%r13d
(gdb) i r rbp
rbp            0x0      0x0

-
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6       2.24-11+deb9u1
ii  libgcc1     1:6.3.0-18
ii  libstdc++6  6.3.0-18
ii  zlib1g      1:1.2.8.dfsg-5

advancecomp recommends no packages.

advancecomp suggests no packages.

-- no debconf information

Attachment: poc (video/mng)
Bug#878733: ufraw-batch: NULL pointer dereference when running with --conf option
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.
I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x77461823 in g_markup_parse_context_end_parse () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) x/i $rip
=> 0x77461823: mov    (%rax),%r12
(gdb) i r rax
rax            0x0      0

-
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u1
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information
Bug#878732: ufraw-batch: NULL pointer dereference when running with --conf option
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.

I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error parsing 'poc'
Error on line 1 char 1: Document must begin with an element (e.g. )

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x75456646: movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0                 0

- The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u1
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information

poc Description: video/mng
Bug#878731: gif2png: NULL pointer dereference when running with -r option
Package: gif2png
Version: 2.5.8-1+b2
Severity: normal

Dear Maintainer,

Running 'gif2png -r' with the attached file raises a NULL pointer dereference, which may allow a denial-of-service attack by a malicious attacker.

I expected the program to terminate without segfault, but the program crashes as follows.

(gdb) r -r poc
Starting program: /usr/bin/gif2png -r poc
gif2png: bad version number, not '87a' or '89a', trying anyway
gif2png: error in reading DataBlock
gif2png: EOF / read error on image data

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x77887646: movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0                 0

- The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gif2png depends on:
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1

Versions of packages gif2png recommends:
ii  python  2.7.13-2

gif2png suggests no packages.

-- no debconf information

poc Description: Binary data
