CVE-2022-23460 Stack overflow in Jsonxx
Jsonxx (Json++) is a JSON parser, writer and reader written in C++. In affected versions of jsonxx, JSON parsing may lead to stack exhaustion in an address-sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the...
heap-buffer-overflow in mrb_vm_exec in mruby/mruby
Affected commit: 3cf291f72224715942beaf8553e42ba8891ab3c6 Proof of Concept ruby= v10 = 0 v15 = "" v16 = srand(1337) v20 = protected_methods.fill|| v20 = Array.instance_eval|| method method private_methods.zip rescue GC.start remove_method remove_method private_methods.sample rescue Float v16.v15.v10 resc...
Wireshark - get_t61_string Heap Out-of-Bounds Read
Wireshark - get_t61_string Heap Out-of-Bounds Read The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of Wireshark, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file". --- cut ---...
Wireshark - find_signature Heap Out-of-Bounds Read
Wireshark - find_signature Heap Out-of-Bounds Read The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": --- cut --- ==35788==ERROR: AddressSanitizer:...
Wireshark - cdma2k_message_ACTIVE_SET_RECORD_FIELDS Stack Corruption
Wireshark - cdma2k_message_ACTIVE_SET_RECORD_FIELDS Stack Corruption The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": Attached are three files...
Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption
The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark -nVxr /path/to/file": Attached are three files which trigger the crash. --- cut --- ==25039==ERROR:...
SUSE-SU-2018:3879-1 Security update for tiff
This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-12900: Fixed heap-based buffer overflow in cpSeparateBufToContigBuf (bsc#1099257). - CVE-2017-9147: Fixed...
WebKit - WebCore::SVGTextLayoutAttributes::context Use-After-Free Exploit
Exploit for multiple platforms in category dos / poc tref, feMerge, title inherit; float: right; none; 81em function jsfuzzer try var var00006 = htmlvar00002.getSVGDocument(); catch(e) try var var00162 = document.head; catch(e) try htmlvar00015.setSelectionRange(2,56); catch(e) try...
WebKit - WebCore::Node::ensureRareData Use-After-Free Exploit
Exploit for multiple platforms in category dos / poc .class1 -webkit-mask-box-image-source: url(foo); function freememory var a; for (var i = 0; i < 100; i++) a = new Uint8Array(1024*1024); document.implementation.createHTMLDocument("doc"); function jsfuzzer try var00097 = document.createElement("source"); catch(e) tr...
WebKit - WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded Use-After-Free
WebKit - WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded Use-After-Free ::selection, input:focus, .class0, ul::first-letter -webkit-column-count: 85; float: left; function jsfuzzer var fuzzervars = ; try / / var00034 = document.getSelection(); catch(e) try...
WebKit - WebCore::AXObjectCache::handleMenuItemSelected Use-After-Free
WebKit - WebCore::AXObjectCache::handleMenuItemSelected Use-After-Free function jsfuzzer var a; for (var i = 0; i <!-- ================================================================= ASan log: ================================================================= ==69238==ERROR: AddressSanitizer:...
WebKit - WebCore::InlineTextBox::paint Out-of-Bounds Read
WebKit - WebCore::InlineTextBox::paint Out-of-Bounds Read -webkit-logical-width: 1px; -webkit-perspective: 1px; function jsfuzzer var htmlvar00011 = document.getElementById("htmlvar00011"); var htmlvar00019 = document.getElementById("htmlvar00019"); var htmlvar00049 =...
WebKit WebCore::SVGAnimateElementBase::resetAnimatedType Use-After-Free
WebKit: Use-after-free in WebCore::SVGAnimateElementBase::resetAnimatedType CVE-2018-4314 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX. PoC:...
WebKit WebCore::RenderMultiColumnSet::updateMinimumColumnHeight Use-After-Free
WebKit: Use-after-free in WebCore::RenderMultiColumnSet::updateMinimumColumnHeight CVE-2018-4323 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233419 on OSX. The vulnerability has also been confirmed on Safari 11.1...
WebKit WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded Use-After-Free
WebKit: Use-after-free in WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded CVE-2018-4197 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX. PoC:...
WebKit WebCore::Node::ensureRareData Use-After-Free
WebKit: Use-after-free in WebCore::Node::ensureRareData CVE-2018-4306 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX. PoC: ================================================================= .class1...
WebKit - WebCore::RenderLayer::updateDescendantDependentFlags Use-After-Free
WebKit - WebCore::RenderLayer::updateDescendantDependentFlags Use-After-Free htmlvar00005, noframes, diplay: inline; padding-top: 0vw; -webkit-column-count: 41; transition-delay: body::first-letter box-flex-group: -webkit-background-size: contain; -webkit-opacity: 0.716727864979; htmlvar00001,...
WebKit - WebCore::Node::ensureRareData Use-After-Free
WebKit - WebCore::Node::ensureRareData Use-After-Free .class1 -webkit-mask-box-image-source: url(foo); function freememory var a; for (var i = 0; i < 100; i++) a = new Uint8Array(1024*1024); document.implementation.createHTMLDocument("doc"); function jsfuzzer try var00097 = document.createElement("source"); catch(e)...
WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free
function jsfuzzer var b = document.createElement("body"); a.append(b); ta.autofocus = true; var iframe = document.createElement("iframe"); b.appendChild(iframe); li.appendChild(dd); iframe.contentDocument.caretRangeFromPoint(); function eventhandler ta.insertAdjacentElement("beforeBegin", a); ::operator...
WebKit: out-of-bounds read in WebCore::SVGPatternElement::collectPatternAttributes(CVE-2017-13783)
There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. ASan log: ================================================================= ==30453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200007e474 at pc...