Jaroslav Lobačevski

Results: 81 issues by Jaroslav Lobačevski

Summary: [QQConnect](https://github.com/china-live/QQConnect) is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS). Product...

This pull request:

* Uncomments fuzzing targets that were commented out
* Adds the targets that were mentioned in the [audit](https://ostif.org/wp-content/uploads/2023/01/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf) done by X41
* Adds some new fuzzing targets...

A crafted file may trigger an out-of-bounds write in [`f->vendor[i] = get8_packet(f);`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3656). The root cause is an integer overflow in [`setup_malloc`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L950-L960). A sufficiently large `sz` overflows `sz+7` in [1]...

A crafted file may trigger a memory allocation failure in [`start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3666) at [1]. In that case the function returns early [2]; `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not...

A crafted file may trigger a memory allocation failure in [`start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677) at [1]. In that case the function returns early [2], but some of the pointers in `f->comment_list` are left initialized...

A crafted file may trigger an out-of-bounds write in [`f->vendor[len] = (char)'\0';`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3658) [1]. The root cause is that if the [`len` read in `start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3652-L3658) [2] is a negative number and...

A crafted file may trigger an out-of-bounds write in [`start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4105-L4111) at [1] and [2]:

```cpp
for (j=0; j < m->submaps; ++j) {
   get_bits(f,8); // discard
   m->submap_floor[j] = get_bits(f,8); //...
```

A crafted file may trigger an out-of-bounds write in [`f->vendor[len] = (char)'\0';`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3658) [1]. The root cause is that if the [`len` read in `start_decoder`](https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3652-L3658) [2] is `-1` and `len +...