This is an incomplete list collecting a part of bugs reported by Fusion and Pinpoint Scan (Total: 200 Bugs)
In Binutils 2.39, A memory leak occurs
In Binutils 2.39, A memory leak occurs
In Binutils 2.39, A memory leak occurs
In Binutils 2.39, A memory leak occurs
In libSDL 1.2, a use after free occurs
In dynamips 0.2.23, a use of uninitialized variable occurs
in openldap 2.4.2, six sites may occur null pointer dereference.
in openssl 1.1.1, twenty-one sites may occur null pointer dereference.
in vim 8.1.2269, one site may occur null pointer dereference.
in libsndfile 1.0.28, a null pointer dereference occurs.
in hwloc 2.1.0, a null pointer dereference occurs.
in opusfile, a null pointer dereference occurs.
in mariadb 10.11.0, a null pointer dereference occurs.
in mariadb 10.11.0, a null pointer dereference occurs.
in mariadb 10.11.0, a null pointer dereference occurs.
A data race condition issue from curl.cpp#L1486 to curl.cpp#L1495 in s3fs-fuse
A stack address escapes to the caller function. There are several similar ones. This is the FIRST issue we confirmed with software developers.
An Invalid Reference to Stack Memory (modules/http/chunk_filters.c).
inconsistent operation on a pointer in baidu's sofa-pbrpc.
buffer overflow detected by static analysis and reproduced by fuzzing
CVE-2019–13238
null deref detected by static analysis and reproduced by fuzzing
CVE-2019–13959
In Bftpd 4.6, A memory leak occurs in a malcrafted sequence of FTP requests.
In Bftpd 4.7, a non-heap memory stored in remotehostname
may be released at the
end of the main function.
There were two failure paths where the CodeProtectionInfo object would not be
freed. This adds a free() on those paths to prevent a memory leak.
There are paths that could lead to exBeanDeser
dereferencing when
exBeanDeser
is null.
There paths could lead to class_gd
dereferencing when class_gd
is
null.
Since the two frees follow each other immediately it's hard to see how an attacker could take advantage of it. maybe something on another thread could be allocating things meanwhile, but that'd be a nightmarish timing needle to thread.
Actual results:
File: dom/media/encoder/VP8TrackEncoder.cpp:254
videoData allocated on line 279 is not freed when the function returns on line 286/293/300/306. Since videodata is considered a big data, it may cause severe memory leaks.
Actual results:
File: media/libvpx/libvpx/vp8/vp8_cx_iface.c:594
The memory shared_mem_loc allocated on line 587 is leaked when the program takes the true branch on line 594. It is a rare case, but better fix it.
Actual results:
File mozilla-unified/media/mtransport/nr_timer.cpp:216
The allocated variable callback on line 210 is leaked when the program returns on line 217.
Actual results:
The memory allocated by strdup(appEnv) on line 179 is never freed in the program.
File: browser/app/nsBrowserApp.cpp:179
Actual results:
"adapter" allocated on line 603 is leaked when mGMPLoader->load returns false on line 606.
File: dom/media/gmp/GMPChild.cpp:555
Actual results:
File mozilla-unified/media/mtransport/nr_timer.cpp:216
The allocated variable callback on line 210 is leaked when the program returns on line 217.
A flaw was found in glusterfs. A null pointer dereference in in send_brick_req function in glusterfsd/src/gf_attach.c may cause local denial of service.
A potential null pointer dereference, in function error_gen_writev
of
xlators/debug/error-gen/src/error-gen.c
A use after free may happen with a malicious configure file.
1/4 Comment: Closes #17033, #17032, #17031, thanks @fangang190
Im not sure about right way to fix for #17030, cuz im not an expert in android apk, and calling zipClose(unaligned_apk, NULL); before return may cause errors, so anybody with free time and knowledge could fix it instead
2/4 Comment: Closes #17033, #17032, #17031, thanks @fangang190
Im not sure about right way to fix for #17030, cuz im not an expert in android apk, and calling zipClose(unaligned_apk, NULL); before return may cause errors, so anybody with free time and knowledge could fix it instead
3/4 Comment: Closes #17033, #17032, #17031, thanks @fangang190
Im not sure about right way to fix for #17030, cuz im not an expert in android apk, and calling zipClose(unaligned_apk, NULL); before return may cause errors, so anybody with free time and knowledge could fix it instead
4/4 Comment: Closes #17033, #17032, #17031, thanks @fangang190
Im not sure about right way to fix for #17030, cuz im not an expert in android apk, and calling zipClose(unaligned_apk, NULL); before return may cause errors, so anybody with free time and knowledge could fix it instead
Given empty rs, kvs shall be null instead of an empty list, leading to potential null pointer exception
<CloneKernelInfo uses AcquireMagickMemory and it might return NULL, and causing Null Pointer Dereference and Denial of Service.
AcquireRandomInfoThreadSet might return NULL if AcquireMagickMemory fails, then it will cause Null Pointer Deference and Denial of Service.
This issue was assigned CVE-2017-1000445
Another potential NPD at resample_filter=AcquireResampleFilterThreadSet(image of DistortImage, there is no null check after this acquiring, it then dereference the pointer in after. It could lead to process crash in acquiring when there is not enough available memory. This is the first CVE id we got.
A potential null pointer dereference bug is at "blob/master/test/dnet/fw.c#L109"
A potential null pointer dereference bug is in the function "cork_slice_slice" of the file "libcork/ds/slice.c"
A double free issue in libicu. It has been in the code for more than 10 years. It is fixed by this commit. Projects using libicu
mem leak detected by static analysis and reproduced by fuzzing
CVE-2019–13960
A double free that may happen in the error-handling process when error happens. Projects using libssh: KDE, Github, X2Go, etc.
In memcached, Deref a pointer in the condition that the pointer is null.
Comment: looks like a non-issue, since those returns end up exiting the process. I've fixed them anyway.
Comment: fixed in next. another non-issue, since that code is only executed from a specific test or two, and executes once in startup.
A double free vulnerability that may happen during failure process.
A variable is not set to null after free. The freed pointer will escape to the callers of the function.
There is a potential memory leak defect in mysql-server-mysql-5.5.51/cmd-line-utils/libedit/np/vis.c:436.
The memory allocated on line 420 is assigned to variable nextra. It is not freed when this function returns to its caller on line 436. The leak on line 436 might be a mistake.
Missing null check after ctlog_store_load_ctx_new. We reported it by commenting another bug, but the comment is mis-deleted... Just as the developer said in the pull request: "And also a comment about another missing check, but I can't see the comment any more."
We find a memory leak bug in apps/s_server.c 3294 (3330 in the most recent version). The variable con is not released when taking the "err" goto statement at line 3305.
Hi, we find a memory leak bug in ssl/s3_lib.c 4554 (4606 in current version).
This bug happens when the program taking true branch at line 4569 and goto the err label.
There is no free operation in the err section.
It happens at line 2923 ( 2961 in the current version). Leaks when going to the err label.
A series of NPD bugs caused by the possible NULL return value of the function EVP_aes_128_cbc_hmac_sha1() in e_dasync.c
if it follows the goto LBL_ERR; in line 150, tmpbuf will be freed again, seems the upstream of libtomcrypt have already fixed this issue.
the early return of return TEE_ERROR_BAD_STATE; at line 380 will leak the memory block pointed by dir (line 364)
Pinpoint has reported a potential use after free in the following for loop, the freed proxy still used in the for loop (var) = ((var)->field.tqe_next))
alloc_and_copy_shdr could free shdr when return error, then it goes to label error_free_payload. then the label error_free_payload frees shdr again:
Check for null return value [_elementtree.c : subelement]
Need a look for return value checking [selectmodule.c]
Need a look for return value checking [_elementtree.c :element_getattr ]
Unchecked return null of epoll_create, which may lead to null pointer dereference
The first use-after-free bug detected by persistence
Shadowsocks-libev does not check the return value, which may be -1.
A use-after-free (variable: remote) in Shadowsocks.
A use-after-free (variable: server) in shadowsocks
Mishandling of json configuration file ("plugin") could lead to Null Pointer Dereference
Mishandling of json configuration file ("mode") could lead to Null Pointer Dereference
The developer made an mistake when fixing the npd we reported before.
cdata leaks when job_run fails. I've checked the code of job_run, it does not free cdata when fails.
This is the first bug detected by the persistence work.
In transmission project, a use-after-free which may happen when race condition happens.
In transmission project, a memory leak which may happen when race condition happens.
The pointers nodes in the code point to two newly-allocated memory. If rc < 0 in the code happens, it will go to the label fail, where nodes are not released.
The pointers nodes6 in the code point to two newly-allocated memory. If rc < 0 in the code happens, it will go to the label fail, where nodes6 are not released.
libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c
Assigned ID: CVE-2018-20786
There are two delete[] data inside function ProgramMain, if read_file failed, it could occur some unexpected behaviors. We can add a return statement after the first delete to avoid this
At many early returns, it would skip the fclose(file) statement and leak this file descriptor.
It has been confirmed first, but later being classified as unconfirmed since it happens in
main.
We classify this one as confirmed since it has been confirmed by at least one developer.
We find a memory leak defect in the file tools/wrc/wrc.c.
I've uploaded a screenshot of the leak trace.
An improper locking bug on hg_thread_mutex_lock(&NA_MPI_CLASS(na_class)->accept_mutex) in mercury. Multiple calls on the function na_mpi_accept can lead to a deadlock.
An improper locking bug on hg_thread_mutex_lock(&NA_MPI_CLASS(na_class)->remote_list_mutex) in mercury. Multiple calls on the function na_mpi_progress_unexpected can lead to a deadlock.
An improper locking bug on hg_thread_mutex_lock(&request->request_class->progress_mutex) in mercury. Multiple calls on the function hg_request_wait can lead to a deadlock.
An improper locking bug on hg_thread_mutex_lock(&poll_set->lock) in mercury. Multiple calls on the function hg_poll_wait can lead to a deadlock.
A use-after-free bug is detected in coturn on the function write_to_peerchannel.
A use-after-free bug is detected in coturn on the function write_client_connection.
It is found in lwan and fixed. It occurs due to calling the critical logging function when hash_str_new() fails in parse_listener_prefix().
It is found in coturn on the function tcp_client_input_handler_rfc6062data and fixed.
A data race in coturn between the functions set_rtpfile and rollover_logfile.
It is found in poco and fixed. The close() is being called before handleLastErrorImpl(), so the call to close will actually change/reset errno and handleLastErrorImpl() will throw the wrong exception.
A NULL pointer dereference found in libfreenect on the method freenect_select_subdevices where ctx may be NULL. It is fixed.
A NULL pointer dereference on the function afalg_aes_cbc and is fixed.
An improper locking bug on pthread_mutex_lock(&mutex_mmap) in box64. Multiple calls on the function AllocDynarecMap can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&mutex_mmap) in box86. Multiple calls on the function AllocDynarecMap can lead to a deadlock.
Double unlocks on pthread_mutex_unlock(&td->io_u_lock) in fio.
An improper locking bug on pthread_mutex_lock(&pool->lock) in CORTX-S3 Server. Multiple calls on the function mempool_destroy can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&rd.mutex) in liburing. Multiple calls on the function test can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&mutex) in liburing. Multiple calls on the function test can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&lock) in liburing.
Multiple status code mapping errors. Receiving multiple status codes but outputting them inconsistently in many places.
Multiple status code mapping errors. Receiving multiple status codes but outputting them inconsistently in many places.
Inconsistent status code mappings between GRPC and HTTP status codes.
An improper locking bug on pthread_mutex_lock(&once_init_lock) in libevent. Multical calls on evthread_use_pthreads_with_flags can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&timer_mutex) in siege. Multical calls on pthread_usleep_np can lead to a deadlock.
An improper locking bug on pthread_mutex_unlock(&init_mutex) in haproxy that is not correctly released before program exit.
An improper locking bug on pthread_mutex_lock(&fakeMutex) in libfaketime that is not correctly released before program exit.
An improper locking bug on pthread_mutex_lock(&fakeMutex) in libfaketime that is not correctly released before program exit.(The same lock on different program locations)
An improper locking bug on pthread_mutex_lock(&netcam->mutex) in motion. Multical calls on netcam_cleanup can lead to a deadlock.
The exit call in the thread functions have potential thread racing issues and may leave another process hanging.
An improper locking bug on pthread_mutex_lock(&threadLocks[myCPU]) in likwid. Multical calls on likwid_markerStopRegion can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&stats.lock) in netopeer. Multical calls on ncm_session_add can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&server_opts.authkey_lock) in libnetconf. Multical calls on _nc_server_ssh_add_authkey can lead to a deadlock.
A deadlock bug due to cyclic order between workq_lock and doneq_lock.
An improper locking bug on pthread_mutex_lock(&lset->lock) in ovis. Multical calls on __process_dir_set_info can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&x->lock) in ovis. Multical calls on __send_lookup_reply can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(&conn->lock) in axel. Multical calls on conn_info can lead to a deadlock.
An improper locking bug on pthread_mutex_lock(¬ify_lock) in 389 server adopted by freeIPA(Red Hat Identify Management System). The bug is easy to understand but existed for 8 months.
An improper locking bug on pthread_mutex_lock(&init_mutex) in postgres-x2 that is not correctly released before program exit.
An improper locking bug about re-acquiring the cen64_mutex_lock(&gdb->client_mutex) in cen64.
An improper locking bug on pthread_mutex_lock(&perl_threads->mutex) in collectd that is not correctly released before program exit.
An improper locking bug on pthread_mutex_lock(&server_started_mtx) in linux that is not correctly if the pthread_create fails and goes to close_server_fd.
An improper locking bug on pthread_mutex_lock(&test_sec_mutex) in uadk. Multical calls on test_sec_cipher_async can lead to a deadlock.
The lock us->lock seems to guard the variable us->locked. However, the lock is released before accessing us->locked.
The lock cond_mutex should guard dbus_startup_completed to make the write operation atomic.
A communication deadlock bug between the signal (Line 700) and wait sites (Line 996).
That code evolved from running on a single thread to running on multiple threads, which introduced data races and so made unreliable.
A potential data races when accessing variable stderr in the function PthreadCall.
On failure the pthread mutex would still be hold with the new connection object listed but free()'d.
In libtrace, a potential deadlock for the lock b->lock in the libtrace_release_bucket_id method.
In libtrace, a potential deadlock for the lock q->lock in the libtrace_deque_push_back method.
In libtrace, a potential deadlock for the lock q->lock in the libtrace_deque_push_front method.
In libtrace, a potential deadlock for the lock v->lock in the libtrace_vector_push_back method.
In libtrace, a potential deadlock for the lock mutex in the trace_bpf_compile method.
In libtrace, a potential deadlock for the lock trace->libtrace_lock in the hasher_entry method.
In libtrace, a potential deadlock for the lock libtrace->libtrace_lock in the trace_pstart method.
There was an unreleased lock in the read_watch_internal() with no risk in reality (fixed).
A deadlock found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia-codec/and_aud_mediacodec.cpp.
A deadlock found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia-codec/ipp_codecs.c.
A deadlock found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia-codec/opus.c.
A deadlock found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia-codec/passthrough.c.
A deadlock found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia-codec/speex_codec.c.
A deadlock (vid_conf->mutex in pjmedia_vid_conf_add_port method) found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia/vid_conf.c.
A deadlock (vid_conf->mutex in pjmedia_vid_conf_remove_port) found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia/vid_conf.c.
A deadlock (vid_conf->mutex in pjmedia_vid_conf_connect_port) found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia/vid_conf.c.
A deadlock (vid_conf->mutex in pjmedia_vid_conf_disconnect_port) found in PJSIP with CVE ID assigned in pjmedia/src/pjmedia/vid_conf.c.
In OpenSSL, the lock pk->lock is not released correctly in the function evp_keymgmt_util_export_to_provider.
A cyclic-dependence deadlock between locks ctxt->mutex and list_lock.
A data race on the thread-shared variable hg_progress_shutdown_flag found in mercury.
A data race found in the function ts_allocate_fast_id (Line 335, 336) in PHP.
A data race found in the function ts_allocate_fast_id (Line 350) in PHP.
In memcached, there is race condition while incrementing log entries dropped.
In transmission project, there is a possible data race between tr_threadNew and ThreadFunc.
Race conditions happen in the function conn_setup without holding locks.
A data race happens on the variable treq->finished in the ocf project.
The is_paused = false is not protected by a lock in do_resume method.
In libtrace, the lock b->lock in the libtrace_release_bucket_id method is released twice; at the second time of releasing, it may race with other concurrent threads using the lock.
In libtrace, the lock b->lock in the libtrace_push_into_bucket method is released twice; at the second time of releasing, it may race with other concurrent threads using the lock.
In fio, the lock td->io_u_lock in the verify_async_thread method is released twice; at the second time of releasing, it may race with other concurrent threads using the lock.
The guest pthread locks a mutex on the beginning of each synchronization iteration and uses it to wait on a conditional variable. When the synchronization is done and the thread exists, this mutex should be unlocked.
Persistent valid buffers are guaranteed by the SDR backend to fix a missing lock release.
Release the update lock if starting trust db read operations errors.
The file_data->mutex is not released before returning at Line 595.
There are cyclic lock acquisitions between locks mux_hr and mux_hg in the method brain_server_handle_client executed by multiple concurrent threads.
The lock best->mutex is missed to be released before line 815.
A deadlock occurs when other == t in the loop and lock other->mutex is acquired twice at Line 138.
Lock pool->mutex is not released before destroying at Line 1343.
fraud_detection: Fix missing lock_release() on OOM error case.
event_virtual: Fix several missing lock_release() ops. (modules/event_virtual/event_virtual.c, Line 469)
event_virtual: Fix several missing lock_release() ops. (modules/event_virtual/event_virtual.c, Line 620)
event_virtual: Fix several missing lock_release() ops. (modules/event_virtual/event_virtual.c, Line 628)
event_virtual: Fix several missing lock_release() ops. (modules/event_virtual/event_virtual.c, Line 658)
fraud_detection: Fix missing lock_release() on OOM error case
presence: Fix missing lock_release() on error case in the function get_stored_info.
presence: Fix missing lock_release() on error case in the function refresh_watcher.
clusterer: Fix missing lock_release() on capability error cases.
presence: Fix missing lock_release() ops on error cases in the function get_stored_info.
presence: Fix missing lock_release() ops on error cases in the function refresh_watcher.
clusterer: Fix missing lock_release() on capability error cases.
The destroy() callback is only called if there is a single process left, there is no need for any locking anymore. Also, the lock wasn't released afterwards, which was bogus.
The lock data->lock (Line 572) is directly destroyed (Line 632) without releasing before.
The lock data->lock also should be released before return at Line 85.
In the aml_allocator_area_destroy, a double locking is induced by typo due to fixing a missing lock release.
Maintained by Qingkai Shi