libaacplus: signed integer overflow, left shift and assertion failure

Description:
libaacplus is a HE-AAC+ v2 library, based on the reference implementation.

While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but there was no response from him.

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:91: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00254-libaacplus-signedintoverflow
CVE:
CVE-2017-7603

##############################################

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:83: runtime error: left shift of 241 by 24 places cannot be represented in type 'int'

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00255-libaacplus-leftshift
CVE:
CVE-2017-7604
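The two UBSan reports above are classic C integer pitfalls: a byte shifted into the sign bit of a promoted int (241 << 24) and an int incremented past INT_MAX (2147483647 + 8). The following is an added example, not libaacplus code: a big-endian 32-bit reader and a checked addition written so that neither operation is undefined, exercised on a constructed chunked stream whose length field carries the 0xF1 (241) byte from the second report. The chunk framing is a stand-in for the encoder's input parsing, not the real AU format.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Big-endian 32-bit read using only defined operations. Shifting an
 * unsigned 32-bit lane is always defined; shifting a byte that has been
 * promoted to (signed) int into bit 31 is what UBSan flagged. The final
 * signed conversion is written out so it is defined even for u > INT32_MAX. */
static int32_t read_be32(const uint8_t b[4]) {
    uint32_t u = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                 ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    /* Two's-complement wrap without overflow: u - 2^32 == -(2^32 - u). */
    return -(int32_t)(UINT32_MAX - u) - 1;
}

/* Checked signed addition: reports overflow instead of committing UB
 * (the "2147483647 + 8" report). */
static bool add_checked(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Convenience predicate: would a + b overflow int32? */
static bool add_overflows(int32_t a, int32_t b) {
    int32_t unused;
    return !add_checked(a, b, &unused);
}

/* Walk a constructed chunked stream: each chunk is a 4-byte big-endian
 * length followed by that many payload bytes. Returns the number of
 * well-formed chunks, or -1 on a negative or oversized length, on an
 * offset that would overflow, or on a truncated trailing header. */
static int walk_chunks(const uint8_t *buf, size_t len) {
    int32_t off = 0;
    int count = 0;
    while ((size_t)off + 4 <= len) {
        int32_t clen = read_be32(buf + off);
        if (clen < 0)                       /* sign bit set: reject */
            return -1;
        int32_t next;
        if (!add_checked(off, 4, &next) || !add_checked(next, clen, &next))
            return -1;                      /* offset would overflow */
        if ((size_t)next > len)             /* chunk runs past the buffer */
            return -1;
        off = next;
        count++;
    }
    return (size_t)off == len ? count : -1; /* leftover bytes: truncated */
}

/* Constructed inputs (not taken from the reproducer files).
 * good_stream: two chunks, 3 payload bytes then 0 payload bytes.
 * bad_stream:  length field 0xF1000000, the byte pattern behind the
 *              "left shift of 241 by 24 places" report. */
static const uint8_t good_stream[] = { 0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 0 };
static const uint8_t bad_stream[]  = { 0xF1, 0, 0, 0, 'a', 'b', 'c' };

int main(void) {
    printf("good stream: %d chunks\n", walk_chunks(good_stream, sizeof good_stream));
    printf("bad  stream: %d (rejected)\n", walk_chunks(bad_stream, sizeof bad_stream));
    printf("INT32_MAX + 8 overflows: %s\n", add_overflows(INT32_MAX, 8) ? "yes" : "no");
    return 0;
}
```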

##############################################

# aacplusenc $FILE out.aac 24000 s
aacplusenc: aacplusenc.c:67: aacplusEncHandle aacplusEncOpen(unsigned long, unsigned int, unsigned long *, unsigned long *): Assertion `numChannels <= MAX_CHANNELS' failed.

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00256-libaacplus-assertion-failure
CVE:
CVE-2017-7605

##############################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-03-12: bug discovered and poked upstream about
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


Posted in advisories, security | 1 Comment

libtiff: multiple UBSAN crashes

Description:
Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A fuzz with the undefined behavior sanitizer revealed some crashes.

# tiffcp -i $FILE /tmp/foo
runtime error: value 5.84589e+199 is outside the range of representable values of type 'float'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00113-libtiff-outside-float
CVE:
CVE-2017-7596

##################################################

# tiffcp -i $FILE /tmp/foo
tif_dirread.c:2409:12: runtime error: value -4.779e+161 is outside the range of representable values of type 'float'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00114-libtiff-outside-float-tif_dirread
CVE:
CVE-2017-7597

##################################################

# tiffcp -i $FILE /tmp/foo
tif_dirread.c:2878:24: runtime error: division by zero
tif_dirread.c:2906:33: runtime error: division by zero

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
Reproducer:
https://github.com/asarubbo/poc/blob/master/00115-libtiff-fpe-tif_dirread
CVE:
CVE-2017-7598

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: value 65280 is outside the range of representable values of type 'short'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00117-libtiff-outside-short-tif_dirwrite
CVE:
CVE-2017-7599

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: value -115 is outside the range of representable values of type 'unsigned char'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00118-libtiff-outside-unsigned-char-tif_dirwrite
CVE:
CVE-2017-7600

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: shift exponent 136 is too large for 64-bit type 'long'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00119-libtiff-shift-long-tif_jpeg
CVE:
CVE-2017-7601

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: signed integer overflow: 9223372036452122640 + 85899345928 cannot be represented in type 'long'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
Reproducer:
https://github.com/asarubbo/poc/blob/master/00121-libtiff-signintoverflow-tif_read
CVE:
CVE-2017-7602

##################################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-01-01: bugs discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.


libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

Description:
Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff can crash the library.

The complete ASan output:

# tiffcp -i $FILE /tmp/out
==28692==ERROR: AddressSanitizer: FPE on unknown address 0x7f03239af35b (pc 0x7f03239af35b bp 0x7ffc7923f730 sp 0x7ffc7923f600 T0)
    #0 0x7f03239af35a in JPEGSetupEncode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26
    #1 0x7f0323a00312 in TIFFWriteEncodedTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_write.c:446:8
    #2 0x510f06 in writeBufferToContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1539:8
    #3 0x50f1ce in cpImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1236:14
    #4 0x50dc1b in cpContigTiles2ContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1673:9
    #5 0x50c5b6 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:815:15
    #6 0x50c5b6 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:304
    #7 0x7f0322a4661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419f18 in _init (/usr/bin/tiffcp+0x419f18)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26 in JPEGSetupEncode

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7595

Reproducer:
https://github.com/asarubbo/poc/blob/master/00123-libtiff-fpe-JPEGSetupEncode

Timeline:
2017-01-04: bug discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


podofo: four null pointer dereferences

Description:
podofo is a C++ library to work with the PDF file format.

Fuzzing it through the podofotxtextract command line tool revealed some NULL pointer dereferences. This post will be forwarded to the upstream mailing list.

The complete ASan output:

# podofotxtextract $FILE
==21905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2e6fad8bd8 bp 0x7ffee4f96d10 sp 0x7ffee4f96ca0 T0)
==21905==The signal is caused by a READ memory access.
==21905==Hint: address points to the zero page.
    #0 0x7f2e6fad8bd7 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPage.cpp:614:20
    #1 0x51dda3 in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:98:47
    #2 0x51d021 in TextExtractor::Init(char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:48:15
    #3 0x539f6d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/podofotxtextract.cpp:52:17
    #4 0x7f2e6db4e6ff in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x420d48 in _start (/usr/bin/podofotxtextract+0x420d48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPage.cpp:614:20 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1
CVE:
CVE-2017-7380

##############################################################

# podofotxtextract $FILE
==23885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f44177e97b7 bp 0x7ffe130bed10 sp 0x7ffe130beca0 T0)
==23885==The signal is caused by a READ memory access.
==23885==Hint: address points to the zero page.
    #0 0x7f44177e97b6 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPage.cpp:609:23
    #1 0x51dda3 in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:98:47
    #2 0x51d021 in TextExtractor::Init(char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:48:15
    #3 0x539f6d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/podofotxtextract.cpp:52:17
    #4 0x7f441585f6ff in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x420d48 in _start (/usr/bin/podofotxtextract+0x420d48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPage.cpp:609:23 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2
CVE:
CVE-2017-7381

##############################################################

# podofotxtextract $FILE
==20388==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f08c6a3c3de bp 0x7ffd52235bd0 sp 0x7ffd52235b20 T0)
==20388==The signal is caused by a READ memory access.
==20388==Hint: address points to the zero page.
    #0 0x7f08c6a3c3dd in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontFactory.cpp:200:88
    #1 0x7f08c6a1028d in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontCache.cpp:362:22
    #2 0x51debb in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:104:43
    #3 0x51d021 in TextExtractor::Init(char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:48:15
    #4 0x539f6d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/podofotxtextract.cpp:52:17
    #5 0x7f08c4c9a6ff in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x420d48 in _start (/usr/bin/podofotxtextract+0x420d48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontFactory.cpp:200:88 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3
CVE:
CVE-2017-7382

##############################################################

# podofotxtextract $FILE
==26727==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4c23dd5e41 bp 0x7ffd6ce24bd0 sp 0x7ffd6ce24b20 T0)
==26727==The signal is caused by a READ memory access.
==26727==Hint: address points to the zero page.
    #0 0x7f4c23dd5e40 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontFactory.cpp:195:62
    #1 0x7f4c23daa28d in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontCache.cpp:362:22
    #2 0x51debb in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:104:43
    #3 0x51d021 in TextExtractor::Init(char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/TextExtractor.cpp:48:15
    #4 0x539f6d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxtextract/podofotxtextract.cpp:52:17
    #5 0x7f4c220346ff in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x420d48 in _start (/usr/bin/podofotxtextract+0x420d48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFontFactory.cpp:195:62 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4
CVE:
CVE-2017-7383

##############################################################

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: blog post about the issue
2017-03-31: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.


podofo: heap-based buffer overflow in PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

Fuzzing it through the podofotxt2pdf command line tool revealed a heap overflow. This post will be forwarded to the upstream mailing list.

The complete ASan output:

# podofotxt2pdf $FILE out.pdf
==12895==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000c47ff at pc 0x7f7434e576ea bp 0x7ffde7868b70 sp 0x7ffde7868b68
READ of size 1 at 0x6310000c47ff thread T0
    #0 0x7f7434e576e9 in PoDoFo::PdfSimpleEncoding::ConvertToEncoding(PoDoFo::PdfString const&, PoDoFo::PdfFont const*) const /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfEncoding.cpp:484:21
    #1 0x7f7435337c7f in PoDoFo::PdfFont::WriteStringToStream(PoDoFo::PdfString const&, PoDoFo::PdfStream*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFont.cpp:144:47
    #2 0x7f74356a5374 in PoDoFo::PdfPainter::DrawText(double, double, PoDoFo::PdfString const&, long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPainter.cpp:824:14
    #3 0x519755 in draw(char*, PoDoFo::PdfDocument*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:94:25
    #4 0x51aa52 in init(char const*, char const*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:165:5
    #5 0x51c253 in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:212:7
    #6 0x7f743363f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x41ccb8 in _start (/usr/bin/podofotxt2pdf+0x41ccb8)

0x6310000c47ff is located 0 bytes to the right of 65535-byte region [0x6310000b4800,0x6310000c47ff)
allocated by thread T0 here:
    #0 0x4dc585 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f7434f9f978 in PoDoFo::podofo_calloc(unsigned long, unsigned long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfMemoryManagement.cpp:136:9
    #2 0x7f7434e51913 in PoDoFo::PdfSimpleEncoding::InitEncodingTable() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfEncoding.cpp:370:47
    #3 0x7f7434e55af1 in PoDoFo::PdfSimpleEncoding::ConvertToEncoding(PoDoFo::PdfString const&, PoDoFo::PdfFont const*) const /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfEncoding.cpp:459:51
    #4 0x7f7435337c7f in PoDoFo::PdfFont::WriteStringToStream(PoDoFo::PdfString const&, PoDoFo::PdfStream*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfFont.cpp:144:47
    #5 0x7f74356a5374 in PoDoFo::PdfPainter::DrawText(double, double, PoDoFo::PdfString const&, long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPainter.cpp:824:14
    #6 0x519755 in draw(char*, PoDoFo::PdfDocument*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:94:25
    #7 0x51aa52 in init(char const*, char const*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:165:5
    #8 0x51c253 in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:212:7
    #9 0x7f743363f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfEncoding.cpp:484:21 in PoDoFo::PdfSimpleEncoding::ConvertToEncoding(PoDoFo::PdfString const&, PoDoFo::PdfFont const*) const
Shadow bytes around the buggy address:
  0x0c62800108a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800108b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800108c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800108d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c62800108e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c62800108f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0c6280010900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280010910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280010920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280010930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c6280010940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12895==ABORTING

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7379

Reproducer:
https://github.com/asarubbo/poc/blob/master/00249-podofo-heapoverflow-PdfEncoding_cpp

Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: blog post about the issue
2017-03-31: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


podofo: heap-based buffer overflow in PoDoFo::PdfPainter::ExpandTabs (PdfPainter.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

Fuzzing it through the podofotxt2pdf command line tool revealed a heap overflow. This post will be forwarded to the upstream mailing list.

The complete ASan output:

# podofotxt2pdf $FILE out.pdf
==12524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001178 at pc 0x7f44ebaa5c89 bp 0x7ffce55aac90 sp 0x7ffce55aac88
READ of size 2 at 0x607000001178 thread T0
    #0 0x7f44ebaa5c88 in PoDoFo::PdfPainter::ExpandTabs(PoDoFo::PdfString const&, long) const /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPainter.cpp:1945:26
    #1 0x7f44eba95942 in PoDoFo::PdfPainter::DrawText(double, double, PoDoFo::PdfString const&, long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPainter.cpp:755:31
    #2 0x519755 in draw(char*, PoDoFo::PdfDocument*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:94:25
    #3 0x51aa52 in init(char const*, char const*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:165:5
    #4 0x51c253 in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:212:7
    #5 0x7f44e9a3878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41ccb8 in _start (/usr/bin/podofotxt2pdf+0x41ccb8)

0x607000001178 is located 0 bytes to the right of 72-byte region [0x607000001130,0x607000001178)
allocated by thread T0 here:
    #0 0x514870 in operator new(unsigned long) /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_new_delete.cc:82
    #1 0x7f44eb460304 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfRefCountedBuffer.cpp:161:21
    #2 0x7f44eb21212d in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfRefCountedBuffer.h:307:9
    #3 0x7f44eb47a466 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfRefCountedBuffer.h:227:11
    #4 0x7f44eb47a466 in PoDoFo::PdfString::Init(char const*, long) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfString.cpp:570
    #5 0x7f44eb47c24c in PoDoFo::PdfString::PdfString(char const*, PoDoFo::PdfEncoding const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/base/PdfString.cpp:109:9
    #6 0x519718 in draw(char*, PoDoFo::PdfDocument*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:94:43
    #7 0x51aa52 in init(char const*, char const*, bool, char const*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:165:5
    #8 0x51c253 in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofotxt2pdf/podofotxt2pdf.cpp:212:7
    #9 0x7f44e9a3878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/src/doc/PdfPainter.cpp:1945:26 in PoDoFo::PdfPainter::ExpandTabs(PoDoFo::PdfString const&, long) const
Shadow bytes around the buggy address:
  0x0c0e7fff81d0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff81e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
  0x0c0e7fff81f0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0e7fff8200: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff8210: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0e7fff8220: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00[fa]
  0x0c0e7fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12524==ABORTING

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7378

Reproducer:
https://github.com/asarubbo/poc/blob/master/00248-podofo-heapoverflow-PdfPainter_cpp

Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: blog post about the issue
2017-03-31: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862 and CVE-2016-8866)

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Another round of fuzzing showed that the memory allocation failure I discovered earlier, known as CVE-2016-8862 and CVE-2016-8866, is still reproducible in version 7.0.4.9.
As usual, the upstream security policy is enabled.

The interesting part of the ASan stack trace (not the full trace, since it is a copy-paste of the one in the previous post):

# identify $FILE
    #8 0x7f2aeaea2812 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:460:10
    #9 0x7f2aeaea2812 in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/memory.c:642
    #10 0x7f2ae32d941a in ReadPCXImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/coders/pcx.c:400:16
    #11 0x7f2aea9cdb26 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:497:13
    #12 0x7f2aeb3a2df9 in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/stream.c:1013:9
    #13 0x7f2aea9cb3a6 in PingImage /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:226:9
    #14 0x7f2aea9cc2a6 in PingImages /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickCore/constitute.c:327:10
    #15 0x7f2ae97a6118 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/identify.c:319:18
    #16 0x7f2ae98f800a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/MagickWand/mogrify.c:183:14
    #17 0x50a389 in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:149:10
    #18 0x50a389 in main /tmp/portage/media-gfx/imagemagick-7.0.4.9/work/ImageMagick-7.0.4-9/utilities/magick.c:180
    #19 0x7f2ae7dda78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #20 0x419da8 in _init (/usr/bin/magick+0x419da8)

Affected version:
7.0.4.9

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7275

Timeline:
2017-02-19: bug re-discovered and re-reported upstream
2017-03-27: blog post about the issue
2017-03-27: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866


libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)

Description:
libpcre is a perl-compatible regular expression library.

A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed by one of the previous commits. However, I'm providing the stack trace and the reproducer as usual, so if you are not running the latest upstream release, as happens on Debian/RHEL based distros, you may want to check the status of this bug more carefully.

The complete ASan output:

# pcretest -32 -d $FILE
==27914==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3f580efe04 (pc 0x7f3f577b8048 bp 0x7ffcb035b390 sp 0x7ffcb035b320 T0)
==27914==The signal is caused by a READ memory access.
    #0 0x7f3f577b8047 in _pcre32_xclass /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_xclass.c:135:30
    #1 0x7f3f576137ca in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:3203:16
    #2 0x7f3f575e7226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8
    #3 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
    #4 0x7f3f565b478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41b438 in _init (/usr/bin/pcretest+0x41b438)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_xclass.c:135:30 in _pcre32_xclass
==27914==ABORTING

Affected version:
8.40

Fixed version:
8.41 (not released at the moment)

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7244

Reproducer:
https://github.com/asarubbo/poc/blob/master/00206-pcre-invalidread-_pcre32_xclass

Timeline:
2017-02-24: bug discovered and reported to upstream
2017-03-20: blog post about the issue
2017-03-23: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)

Posted in advisories, security | Leave a comment

libpcre: heap-based buffer overflow in regexflip8_or_16 (pcretest.c)

Description:
libpcre is a perl-compatible regular expression library.

A fuzz on libpcre1 through the pcretest utility revealed a heap overflow in the utility itself. The feedback from upstream follows.

I am not going to do anything about this one. (a) It is concerned with a feature of pcretest that has been dropped from pcre2test, and (b) the input contains binary zeros, which are not supported in pcretest input. This is documented for pcre2test but not, I see, for pcretest. I have added a paragraph to the documentation.

However, it does not cost me much to inform the community that this bug exists.
In any case, if you have a web application that calls the pcretest utility directly to parse untrusted data, then you are affected.
Also, it is important to share the details because some distros/packagers may want to patch this issue instead of following upstream's approach.

The complete ASan output:

# pcretest -16 -d $FILE
==30352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b000 at pc 0x00000053cef0 bp 0x7ffd02dccb90 sp 0x7ffd02dccb88
READ of size 2 at 0x60b00000b000 thread T0
    #0 0x53ceef in regexflip8_or_16 /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:2552:24
    #1 0x53ceef in regexflip /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:2792
    #2 0x53ceef in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:4425
    #3 0x7fb6693d678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x41b438 in _init (/usr/bin/pcretest+0x41b438)

0x60b00000b000 is located 0 bytes to the right of 112-byte region [0x60b00000af90,0x60b00000b000)
allocated by thread T0 here:
    #0 0x4d41f8 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x53e883 in new_malloc /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:2372:15
    #2 0x7fb66a9473a1 in pcre16_compile2 /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_compile.c:9393:19
    #3 0x5335d9 in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:4034:5
    #4 0x7fb6693d678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:2552:24 in regexflip8_or_16

Affected version:
8.40

Commit fix:
N/A

Fixed version:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00196-pcre-heapoverflow-regexflip8_or_16

Timeline:
2017-02-22: bug discovered and reported to upstream
2017-03-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libpcre: heap-based buffer overflow in regexflip8_or_16 (pcretest.c)

Posted in advisories, security | Leave a comment

libpcre: two stack-based buffer overflow writes in pcre32_copy_substring (pcre_get.c)

Description:
libpcre is a perl-compatible regular expression library.

A fuzz on libpcre1 through the pcretest utility revealed two stack-based overflow writes. Upstream says that these bugs are fixed by one of the previous commits. However, I am providing the stack traces and the reproducers as usual, so if you are not running the latest upstream release, as happens on Debian/RHEL based distros, you may want to check the status of these bugs more carefully.

The complete ASan output:

# pcretest -32 -d $FILE
==29686==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f58f32026a0 at pc 0x7f58f6f90a24 bp 0x7ffea3aa3b30 sp 0x7ffea3aa3b28
WRITE of size 4 at 0x7f58f32026a0 thread T0
    #0 0x7f58f6f90a23 in pcre32_copy_substring /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_get.c:358:15
    #1 0x528220 in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5333:13
    #2 0x7f58f5ea778f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41b438 in _init (/usr/bin/pcretest+0x41b438)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00207-pcre-stackoverflow-pcre32_copy_substring
CVE:
CVE-2017-7245

# pcretest -32 -d $FILE
==21399==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f83734026a0 at pc 0x0000004bd2ac bp 0x7ffdda673b30 sp 0x7ffdda6732e0
WRITE of size 268 at 0x7f83734026a0 thread T0
    #0 0x4bd2ab in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f8377118925 in pcre32_copy_substring /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_get.c:357:1
    #2 0x528220 in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5333:13
    #3 0x7f837602f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x41b438 in _init (/usr/bin/pcretest+0x41b438)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00209-pcre-stackoverflow2-read_capture_name32
CVE:
CVE-2017-7246

Affected version:
8.40

Fixed version:
8.41 (not released at the moment)

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-24: bug discovered and reported to upstream
2017-03-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libpcre: two stack-based buffer overflow writes in pcre32_copy_substring (pcre_get.c)

Posted in advisories, security | 4 Comments