Reported Vulnerabilities

Our research group analyzes security aspects of widely-used commercial products, which discovered many security vulnerabilities.

Application Vulnerabilities

Product CVE                             Details
FFmpeg CVE-2019-13312 ck_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based buffer over-read.
CVE-2019-13390 In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c.
MuPDF CVE-2019-14975 rtifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.
Nasm CVE-2020-24241 In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.
CVE-2020-24242 In Netwide Assembler (NASM) 2.15rc10, SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory.
ImageMagick    CVE-2020-25663 A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue() was called.
CVE-2020-25664 In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called.
CVE-2020-25665 The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256.
Ghostscript    CVE-2020-16287 A buffer overflow vulnerability in lprn_is_black() in contrib/lips4/gdevlprn.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file.
CVE-2020-16288 A buffer overflow vulnerability in pj_common_print_page() in devices/gdevpjet.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file.

Hardware Vulnerabilities

Product (Vendor) CVE                         Details
Morklx (OpenRISC) CVE-2020-13455 Reservation is not cancelled when there is snooping hit between lwa and swa
CVE-2020-13454 Jump to link register does not assert illegal instruction exception
CVE-2020-13453 Misaligned swa raise exception when reservation is not set
Rocket Chip (RISCV) CVE-2020-13251 Source field in ProbeAckData does not match the sink field of ProbeRequest
CVE-2020-29561 Misaligned lr instruction on a cached line set the reservation
Spike (RISCV) CVE-2020-13456 Misaligned lr.d should not set load reservation

Hypervisor Vulnerabilities