Results 12 issues of Vancir

In an Ubuntu 20.04 VM created with VMware, symcc failed to generate any testcase. But on native machines, symcc can normally generate many testcases. ``` [2022-08-04T15:36:30Z INFO symcc_fuzzing_helper] Generated 0 test...

question

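I wrote a script that can run as a scheduled task to update a GitHub repository with the posts pushed by a WeChat official account. 1. The metadata of the pushed articles is stored in archives.db, a SQLite database. 2. The pushed articles are saved in the archives folder, named after the title of each day's push. 3. The pushed articles are converted to Markdown for easy viewing on GitHub (the original HTML files are also kept). 4. Downloading the PDFs marked at the end of an article is supported, but it is disabled by default because of network restrictions.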

I found a segmentation fault bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_segv_mjs7812.zip](https://github.com/user-attachments/files/17820012/mjs_segv_mjs7812.zip) ## ASAN Report ```bash ==198941==ERROR: AddressSanitizer: SEGV on unknown address...

I found a segmentation fault bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_segv_mjs7849.zip](https://github.com/user-attachments/files/17819988/mjs_segv_mjs7849.zip) ## ASAN Report ```bash ==866928==ERROR: AddressSanitizer: SEGV on unknown address...

I found a segmentation fault bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_segv_mjs8421.zip](https://github.com/user-attachments/files/17819801/mjs_segv_mjs8421.zip) ## ASAN Report ```bash ==3004153==ERROR: AddressSanitizer: SEGV on unknown address...

I found a stack-use-after-scope bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_stack-use-after-scope_mjs4697.zip](https://github.com/user-attachments/files/17818219/mjs_stack-use-after-scope_mjs4697.zip) ## ASAN Report ```bash ==1710788==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe3fe2ab40 at...

I found an assertion failure while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_assertion-failure_mjs10678.zip](https://github.com/user-attachments/files/17818324/mjs_assertion-failure_mjs10678.zip) ## Output ```bash mjs-bin: mjs.c:10678: void gc_mark_string(struct mjs *, mjs_val_t *):...

I found a heap buffer overflow while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04. Download the PoC: [mjs_heap-buffer-overflow_mjs8531.zip](https://github.com/user-attachments/files/17818120/mjs_heap-buffer-overflow_mjs8531.zip) ## ASAN Report ```bash ==346708==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000000c0...

### Description `ImageViewTransform` in ModelScope loads a YAML model config from a remote repo and immediately instantiates objects based on fields in that YAML. The instantiation code resolves a string...

**Describe the bug** modelscope uses the unsafe loader `yaml.Loader` to load the `config.yaml` from the remote model repository, which may lead to a YAML deserialization attack and arbitrary code execution....