A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write. ==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0) ==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40 WRITE of size 1 at 0x7f099e9f7800 thread T0
Arbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized.
A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 byte(s) in 1 object(s) allocated from:
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImage(read_info,exception);. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails (i.e., status == MagickFalse), the calling function will exit immediately but fail to release the texture object, leading to memory leakage.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex.
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads.
When using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed.
All versions of this crate have function deregister_command which can result in use after free. This is unsound. In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads. In addition, the hexchat crate is no longer actively maintained. If users rely on this crate, consider switching to an alternative.
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).
When users share password-protected files, the recipient can completely bypass the password and still download the file.
All 5 of fickling's safety interfaces — is_likely_safe(), check_safety(), CLI –check-safety, always_check_safety(), and the check_safety() context manager — report LIKELY_SAFE / raise no exceptions for pickle files that call dangerous top-level stdlib functions (signal handlers, network servers, network connections, file operations) when the REDUCE opcode is followed by a BUILD opcode. Demonstrated impacts include backdoor network listeners (socketserver.TCPServer), process persistence (signal.signal), outbound data exfiltration (smtplib.SMTP), and file creation on disk …
esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
An SSRF vulnerability (CWE-918) exists in esm.sh’s /http(s) fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, 127.0.0.1.nip.io resolving to 127.0.0.1). This allows an external requester to make the esm.sh server fetch internal localhost services. Severity: High (depending on deployment network exposure).
The RSASHA256Algorithm and RSASHA1Algorithm contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under …
A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3.
Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version (0.53.6) it was additionally validated at scale against 500 internet-facing instances discovered via FOFA search engine, producing 5K+ confirmed detections using a custom Nuclei template, demonstrating widespread real-world impact. The RSS single-watch endpoint reflects the UUID path parameter directly in the …
Changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function is_safe_valid_url() does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs such as: http://169.254.169.254 http://10.0.0.1/ http://127.0.0.1/ The application fetches these URLs server-side, stores the response content, and …
c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map<String,Map<String,String>>. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing ConnectionPoolDataSource or via maliciously crafted serialized objects or javax.naming.Reference instances could be tailored execute unexpected code on the application's CLASSPATH. The …
An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI.
A critical unsafe eval() vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in packages/server/src/db/inMemoryView.ts where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: …
The basic-ftp library contains a path traversal vulnerability in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download directory.
The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.
A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts.
Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: Host Domain: The Host and X-Forwarded-Host headers were not checked …
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: Host Domain: The Host and X-Forwarded-Host headers were not checked …
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the following: Host Domain: The Host and X-Forwarded-Host headers were not checked …
An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com). The application processes a redirect (e.g., from a router redirectTo or i18n …
It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1.
A stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.
Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector where a guest can induce a range of crashing behaviors on the host such as: Allocating arbitrarily large amounts of host memory. Causing an allocation failure on the host, which in Rust defaults to …
The affected versions of Wasmtime can panic if the host embedder drops the future returned by wasmtime::component::[Typed]Func::call_async before it resolves.
Wasmtime's implementation of the wasi:http/types.fields resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the wasmtime-wasi-http crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in …
An attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset.
The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php: getFilterRequiresByPath() lines 90, 95, 100 getFilterRequiredByPath() lines 148, 153, 158 All 6 locations use direct string concatenation like: "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'" Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has …
A Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. Users are affected if ALL of these are true: Payload version < v3.75.0 At least one collection with upload enabled A user has create access to that upload-enabled collection An authenticated user with upload collection …
OneUptime lets project members write custom JavaScript that runs inside monitors. The problem is it executes that code using Node.js's built-in vm module, which Node.js itself documents as "not a security mechanism — do not use it to run untrusted code." The classic one-liner escape gives full access to the underlying process, and since the probe runs with host networking and holds all cluster credentials in its environment, this turns …
Several NiceGUI APIs that execute methods on client-side elements (Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and others) use an eval() fallback in the JavaScript-side runMethod() function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, Element.run_method() and Element.get_computed_prop() used string interpolation instead of json.dumps() for the method/property name, allowing quote injection to break out of the intended string context.
The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server …
The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server …
There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.
This is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping was …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: <policy domain="path" rights="none" pattern="-"/> However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. <policy domain="path" rights="none" pattern="fd:*"/> And this will also be …
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent …
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer.
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from:
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
The MSL interpreter crashes when processing a invalid <map> element that causes it to use an image after it has been freed.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
A crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS.
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An …
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)