8 matches found
OSV-2021-446 Global-buffer-overflow in AK::StringView::operator==
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31351 Crash type: Global-buffer-overflow READ 1 Crash state: AK::StringView::operator== Markdown::CodeBlock::parse bool Markdown::helper...
OSV-2020-2216 Heap-buffer-overflow in ojph::local::ojph_decode_codeblock
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28103 Crash type: Heap-buffer-overflow WRITE 4 Crash state: ojph::local::ojph_decode_codeblock grk::t1ht::T1HT::decompress grk::DecompressBlockExec::open...
OSV-2020-2167 Heap-buffer-overflow in ojph::local::ojph_decode_codeblock
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27533 Crash type: Heap-buffer-overflow WRITE 4 Crash state: ojph::local::ojph_decode_codeblock grk::t1ht::T1HT::decompress grk::DecompressBlockExec::open...
WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free Exploit
WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free Exploit / While fuzzing JavaScriptCore, I encountered the following simplified and commented JavaScript program which crashes jsc from current HEAD and release: / function v9 // Some watchpoint on the LexicalEnvironment is...
WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free
/ While fuzzing JavaScriptCore, I encountered the following simplified and commented JavaScript program which crashes jsc from current HEAD and release: / function v9 // Some watchpoint on the LexicalEnvironment is triggered here // during the 2nd invocation which jettisons the CodeBlock for v9. ...
WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling
scopeRegister; m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase. PoC: -- function f function eval'1'; f; ; throw 1; f;...
Apple WebKit - JSC::SymbolTableEntry::isWatchable Heap Buffer Overflow Exploit
Exploit for multiple platform in category dos / poc function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; , unsigned int, unsigned int webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+...
WebKit: heap-buffer-overflow in JSC::SymbolTableEntry::isWatchable (CVE-2017-2469)
I confirmed the PoC crashes the release version of Safari 10.0.3 (12602.4.8). It might need to refresh the page several times. PoC: function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; Asan Log: ==55079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000c8e88 at...