Practical Security Impact

I have found several security-critical vulnerabilities in widely used open-source projects and libraries, such as Binutils, Elfutils, Libtiff, Binaryen, and NASM.

CVE ID (73)

| Vulnerability | Package | Program | Vulnerability Type |
|---|---|---|---|
| CVE-2022-26291 | lrzip v0.641 | lrzip | Concurrency Use-after-free |
| CVE-2020-36375 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36374 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36373 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36372 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36371 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36370 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36369 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36368 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36367 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-36366 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-18900 | libyal before 20181128 | libexe | Heap Buffer Overflow |
| CVE-2020-18899 | Exiv2 0.27 | exiv2 | Uncontrolled Memory Allocation |
| CVE-2020-18898 | Exiv2 0.27 | exiv2 | Stack-overflow |
| CVE-2020-18897 | libyal before 2018112 | libpff | Use-after-free |
| CVE-2020-18395 | GNU Gama 2.04 | gama | NULL Pointer Dereference |
| CVE-2020-18392 | MJS 1.20.1 | mjs | Stack-overflow |
| CVE-2020-18395 | Binaryen 1.38.25 | wasm-as | NULL Pointer Dereference |
| CVE-2020-18392 | Binaryen 1.38.26 | wasm-opt | Heap Buffer Overflow |
| CVE-2019-16166 | GNU cflow 1.6 | cflow | Heap Buffer Overflow |
| CVE-2019-16165 | GNU cflow 1.6 | cflow | Use-after-free |
| CVE-2019-15140 | ImageMagick 7.0.8-43 | convert | Use-after-free |
| CVE-2019-11471 | libheif v1.4.0 | heif-convert | Use-after-free |
| CVE-2019-7704 | Binaryen 1.38.22 | wasm-opt | Uncontrolled-memory-allocation |
| CVE-2019-7703 | Binaryen 1.38.22 | wasm-merge | Use-after-free |
| CVE-2019-7702 | Binaryen 1.38.22 | wasm-as | NULL pointer dereference |
| CVE-2019-7701 | Binaryen 1.38.22 | wasm2js | Heap Buffer-overflow |
| CVE-2019-7700 | Binaryen 1.38.22 | wasm-merge | Heap Buffer-overflow |
| CVE-2019-7699 | Bento4 v1.5.1-627 | avcinfo | Heap Buffer-overflow |
| CVE-2019-7698 | Bento4 v1.5.1-627 | mp4dump | Uncontrolled-memory-allocation |
| CVE-2019-7697 | Bento4 v1.5.1-627 | mp42hls | Assertion failed |
| CVE-2019-7665 | Elfutils 0.175 | eu-readelf | Heap Buffer-overflow |
| CVE-2019-7664 | Elfutils 0.175 | eu-elflint | negative-size in memcpy |
| CVE-2019-7663 | Libtiff 4.0.10 | tiffcp | Invalid Address Read |
| CVE-2019-7662 | Binaryen 1.38.22 | wasm-opt | Assertion failed |
| CVE-2019-7154 | Binaryen 1.38.22 | wasm2js | Heap Buffer-overflow |
| CVE-2019-7153 | Binaryen 1.38.22 | wasm-opt | NULL pointer dereference |
| CVE-2019-7152 | Binaryen 1.38.22 | wasm-opt | Heap Buffer-overflow |
| CVE-2019-7151 | Binaryen 1.38.22 | wasm-opt | NULL pointer dereference |
| CVE-2019-7150 | Elfutils 0.175 | eu-stack | Unknown Crash |
| CVE-2019-7149 | Elfutils 0.175 | eu-nm | Heap Buffer-overflow |
| CVE-2019-7148 | Elfutils 0.175 | eu-ar | Uncontrolled-memory-allocation |
| CVE-2019-7147 | NASM 2.14rc16 | nasm | Global Buffer-overflow |
| CVE-2019-7146 | Elfutils 0.175 | eu-readelf | Heap Buffer-overflow |
| CVE-2019-6293 | Flex 2.6.4 | flex | Stack-overflow |
| CVE-2019-6292 | Yaml-cpp v0.6.2 | parse | Stack-overflow |
| CVE-2019-6291 | NASM 2.14.03rc1 | nasm | Stack-overflow |
| CVE-2019-6290 | NASM 2.14.03rc1 | nasm | Stack-overflow |
| CVE-2018-20712 | Binutils 2.31 | c++filt | Heap Buffer-overflow |
| CVE-2018-20657 | Binutils 2.31 | c++filt | Memory Leak |
| CVE-2018-20652 | Tinyexr v0.9.5 | tinyexr | Uncontrolled-memory-allocation |
| CVE-2018-20651 | Binutils 2.31 | ld | Invalid Address Read |
| CVE-2018-20593 | Mini Xml v2.1 | mxmldoc | Stack Buffer-overflow |
| CVE-2018-20592 | Mini Xml v2.1 | mxmldoc | Use-after-free |
| CVE-2018-20591 | libming v0.4.8 | swftocxx | Heap Buffer-overflow |
| CVE-2018-20002 | Binutils 2.31 | nm | Memory Leak |
| CVE-2018-18701 | Binutils 2.31 | nm | Stack-overflow |
| CVE-2018-18700 | Binutils 2.31 | nm | Stack-overflow |
| CVE-2018-18607 | Binutils 2.31 | ld | NULL Pointer Dereference |
| CVE-2018-18606 | Binutils 2.31 | ld | NULL Pointer Dereference |
| CVE-2018-18605 | Binutils 2.31 | ld | Heap Buffer-overflow |
| CVE-2018-18521 | Elfutils 0.174 | eu-ranlib | Divide-by-zero |
| CVE-2018-18520 | Elfutils 0.174 | eu-size | Invalid Address Read |
| CVE-2018-18484 | Binutils 2.31 | c++filt | Stack-overflow |
| CVE-2018-18483 | Binutils 2.31 | c++filt | Uncontrolled-memory-allocation |
| CVE-2018-18310 | Elfutils 0.174 | eu-stack | Invalid Address Read |
| CVE-2018-18309 | Binutils 2.31 | objdump | Invalid Address Read |
| CVE-2018-17985 | Binutils 2.31 | c++filt | Stack-overflow |
| CVE-2018-17795 | LibTIFF 4.0.9 | tiff2pdf | Heap Buffer-overflow |
| CVE-2018-17794 | Binutils 2.31 | c++filt | NULL Pointer Dereference |
| CVE-2018-16403 | Elfutils 0.173 | eu-readelf | Heap Buffer-overflow |
| CVE-2018-16402 | Elfutils 0.173 | eu-nm | Double Free |
| CVE-2018-16062 | Elfutils 0.173 | eu-addr2line | Heap Buffer-overflow |


Open Bugs Reported (132)

| Package | Program | Bug Type | Reference |
|---|---|---|---|
| CBMC-5.45.0 | cbmc | soundness issues | https://github.com/diffblue/cbmc/issues/6483 |
| Wireshark v3.6.1rc0 | wireshark | Use-of-uninitialized-value | https://gitlab.com/wireshark/wireshark/-/issues/17759 |
| lrzip v0.641 | lrzip | Use-after-free* | https://github.com/ckolivas/lrzip/issues/206 |
| Axel 2.17.10 | axel | Data Race | https://github.com/axel-download-accelerator/axel/issues/354 |
| Axel 2.17.10 | axel | Memory Leak | https://github.com/axel-download-accelerator/axel/issues/353 |
| SVF | wpa | Assertion failed’ | https://github.com/SVF-tools/SVF/issues/457 |
| Aget | aget | Heap Buffer-overflow | https://github.com/EnderUNIX/Aget/issues/4 |
| libming | listswf | Stack-overflow | https://github.com/libming/libming/issues/181 |
| libsixel v1.8.2 | sixel2png | Heap Buffer-overflow | https://github.com/saitoha/libsixel/issues/90 |
| tinyexr 0.9.5 | tinyexr | Heap Buffer-overflow | https://github.com/syoyo/tinyexr/issues/121 |
| mjs 1.20.1 | mjs | Stack-overflow* | https://github.com/cesanta/mjs/issues/106 |
| mjs 1.20.1 | mjs | Stack-overflow* | https://github.com/cesanta/mjs/issues/110 |
| mupdf 1.15.0-rc1 | muraster | Heap Buffer-overflow | https://bugs.ghostscript.com/show_bug.cgi?id=701034 |
| mupdf 1.15.0-rc1 | muraster | Use-after-free* | https://bugs.ghostscript.com/show_bug.cgi?id=701018 |
| imagemagick 7.0.8-43 | convert | Use-after-free* | https://github.com/ImageMagick/ImageMagick/issues/1554 |
| libheif v1.4.0 | heif-convert | Use-after-free* | https://github.com/strukturag/libheif/issues/123 |
| libosip2-5.1.0 | torture_test | Heap Buffer-overflow | https://savannah.gnu.org/bugs/index.php?56071 |
| gama 2.04 | gama-g3 | NULL pointer dereference* | http://lists.gnu.org/archive/html/bug-gama/2019-04/msg00000.html |
| cflow 1.6 | cflow | Use-after-free* | http://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html |
| cflow 1.6 | cflow | Heap Buffer-overflow* | http://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html |
| Binutils 2.32 | gprof | Global Buffer-overflow | https://sourceware.org/bugzilla/show_bug.cgi?id=24402 |
| liblouis 3.9.0 | lou_checktable | Stack Buffer-overflow | https://github.com/liblouis/liblouis/issues/728 |
| liblouis 3.9.0 | lou_checktable | Global Buffer-overflow | https://github.com/liblouis/liblouis/issues/721 |
| Bison 3.3 | bison | Heap Buffer-overflow | http://lists.gnu.org/archive/html/bug-bison/2019-03/msg00007.html |
| Bison 3.3 | yacc | NULL pointer dereference | http://lists.gnu.org/archive/html/bug-bison/2019-03/msg00008.html |
| recutils 1.8 | recfix | double free | http://lists.gnu.org/archive/html/bug-recutils/2019-03/msg00001.html |
| elfutils 0.176 | eu-readelf | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24398 |
| boolector 3.0.0 | boolector | Heap Buffer-overflow | https://github.com/Boolector/boolector/issues/42 |
| boolector 3.0.0 | boolector | Use-after-free | https://github.com/Boolector/boolector/issues/41 |
| elfutils 0.176 | eu-stack | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24387 |
| elfutils 0.176 | eu-strip | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24385 |
| lrzip 0.631 | lrzip | Invalid Address Read | https://github.com/ckolivas/lrzip/issues/109 |
| zziplib 0.13.69 | unzzip | Stack Buffer-overflow | https://github.com/gdraheim/zziplib/issues/70 |
| Binutils 2.32 | ld | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24340 |
| Binutils 2.32 | ld | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24339 |
| Binutils 2.32 | ld | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24338 |
| Binutils 2.32 | ld | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24337 |
| Binutils 2.32 | ld | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24336 |
| Binutils 2.32 | ld | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24334 |
| Binutils 2.32 | ld | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24333 |
| Binutils 2.32 | ld | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24332 |
| exiv2 0.27 | exiv2 | Uncontrolled-memory-allocation* | https://github.com/Exiv2/exiv2/issues/742 |
| exiv2 0.27 | exiv2 | Stack-overflow* | https://github.com/Exiv2/exiv2/issues/741 |
| openh264 1.8.0 | h264dec | Use After Free’ | https://github.com/cisco/openh264/issues/3108 |
| Binaryen 1.38.26 | wasm-opt | Heap Buffer-overflow* | https://github.com/WebAssembly/binaryen/issues/1900 |
| Binaryen 1.38.25 | wasm-as | NULL Pointer Dereference* | https://github.com/WebAssembly/binaryen/issues/1893 |
| Elfutils 0.175 | eu-nm | Heap Buffer-overflow | https://sourceware.org/bugzilla/show_bug.cgi?id=24140 |
| Binaryen 1.38.25 | wasm2js | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1885 |
| Elfutils 0.175 | eu-readelf | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24116 |
| Binaryen 1.38.22 | wasm-opt | NULL Pointer Dereference* | https://github.com/WebAssembly/binaryen/issues/1881 |
| Binaryen 1.38.22 | wasm-opt | Heap Buffer-overflow* | https://github.com/WebAssembly/binaryen/issues/1880 |
| Binaryen 1.38.22 | wasm-opt | NULL Pointer Dereference* | https://github.com/WebAssembly/binaryen/issues/1879 |
| Binaryen 1.38.22 | wasm-opt | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1878 |
| Binaryen 1.38.22 | wasm2js | Assertion failed’ | https://github.com/WebAssembly/binaryen/issues/1877 |
| Binaryen 1.38.22 | wasm2js | Heap Buffer-overflow* | https://github.com/WebAssembly/binaryen/issues/1876 |
| Elfutils 0.175 | eu-stack | Wild Pointer Dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=24103 |
| Elfutils 0.175 | eu-nm | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24102 |
| Binaryen 1.38.22 | wasm-opt | Assertion failed* | https://github.com/WebAssembly/binaryen/issues/1872 |
| Binaryen 1.38.22 | wasm-as | NULL Pointer Dereference* | https://github.com/WebAssembly/binaryen/issues/1867 |
| Binaryen 1.38.22 | wasm-opt | Uncontrolled-memory-allocation* | https://github.com/WebAssembly/binaryen/issues/1866 |
| Binaryen 1.38.22 | wasm-merge | Use After Free* | https://github.com/WebAssembly/binaryen/issues/1865 |
| Binaryen 1.38.22 | wasm-merge | Heap Buffer-overflow* | https://github.com/WebAssembly/binaryen/issues/1864 |
| Binaryen 1.38.22 | wasm2js | Heap Buffer-overflow* | https://github.com/WebAssembly/binaryen/issues/1863 |
| Elfutils 0.174 | eu-readelf | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24089 |
| Elfutils 0.174 | eu-strip | Memory Leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24086 |
| Elfutils 0.174 | eu-ar | Uncontrolled-memory-allocation* | https://sourceware.org/bugzilla/show_bug.cgi?id=24085 |
| Elfutils 0.174 | eu-elflint | Negative-size-param* | https://sourceware.org/bugzilla/show_bug.cgi?id=24084 |
| Elfutils 0.174 | eu-readelf | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24081 |
| Elfutils 0.174 | eu-readelf | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24075 |
| flex 2.6.4 | flex | Stack-overflow* | https://github.com/westes/flex/issues/414 |
| NASM 2.14.03rc1 | nasm | Stack-overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392549 |
| NASM 2.14.03rc1 | nasm | Stack-overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392548 |
| yaml-cpp 0.6.2 | parse | Stack-overflow* | https://github.com/jbeder/yaml-cpp/issues/657 |
| NASM 2.14rc16 | ndisasm | Stack Buffer-overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392547 |
| NASM 2.14rc16 | ndisasm | Stack Buffer-overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392546 |
| NASM 2.14rc16 | ndisasm | Stack Buffer-overflow’ | https://bugzilla.nasm.us/show_bug.cgi?id=3392545 |
| LibRaw 0.19.2 | dcraw_emu | Memory leak’ | https://github.com/LibRaw/LibRaw/issues/196 |
| NASM 2.14rc16 | nasm | Global Buffer-overflow* | https://bugzilla.nasm.us/show_bug.cgi?id=3392544 |
| Bento4 v1.5.1-624 | avcinfo | Heap Buffer-overflow* | https://github.com/axiomatic-systems/Bento4/issues/355 |
| Bento4 v1.5.1-624 | mp4dump | Uncontrolled-memory-allocation* | https://github.com/axiomatic-systems/Bento4/issues/354 |
| Bento4 v1.5.1-624 | mp42hls | Global Buffer-overflow’ | https://github.com/axiomatic-systems/Bento4/issues/353 |
| Bento4 v1.5.1-624 | mp42hls | Invalid Address Read* | https://github.com/axiomatic-systems/Bento4/issues/352 |
| Bento4 v1.5.1-624 | mp42hls | Assertion failed* | https://github.com/axiomatic-systems/Bento4/issues/351 |
| tinyexr v0.9.5 | test_tinyexr | Uncontrolled-memory-allocation* | https://github.com/syoyo/tinyexr/issues/104 |
| tinyexr v0.9.5 | test_tinyexr | Uncontrolled-memory-allocation’ | https://github.com/syoyo/tinyexr/issues/103 |
| tinyexr v0.9.5 | test_tinyexr | Heap Buffer-overflow’ | https://github.com/syoyo/tinyexr/issues/102 |
| tinyexr v0.9.5 | test_tinyexr | Invalid Address Read’ | https://github.com/syoyo/tinyexr/issues/101 |
| htslib v1.9 | tabix | Invalid Address Read’ | https://github.com/samtools/htslib/issues/810 |
| Binutils 2.31 | c++filt | Heap Buffer-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629 |
| Binutils 2.31 | c++filt | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=24043 |
| Binutils 2.31 | ld | Global Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24042 |
| Binutils 2.31 | ld | Invalid Address Read* | https://sourceware.org/bugzilla/show_bug.cgi?id=24041 |
| jasper v2.0.14 | jasper | Assertion failed’ | https://github.com/mdadams/jasper/issues/190 |
| libming v0.4.8 | swftocxx | Heap Buffer-overflow* | https://github.com/libming/libming/issues/168 |
| Mini Xml v2.1 | mxmldoc | Stack Buffer-overflow* | https://github.com/michaelrsweet/mxml/issues/237 |
| Mini Xml v2.1 | mxmldoc | Use-after-free* | https://github.com/michaelrsweet/mxml/issues/237 |
| Binutils 2.31 | ld | Memory leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24007 |
| Binutils 2.31 | c++filt | Memory leak* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539 |
| Binutils 2.31 | c++filt | memory leak* | https://sourceware.org/bugzilla/show_bug.cgi?id=24002 |
| Binutils 2.31 | objdump | memory leak’ | https://sourceware.org/bugzilla/show_bug.cgi?id=24001 |
| Binutils 2.31 | nm | memory leak* | https://sourceware.org/bugzilla/show_bug.cgi?id=23952 |
| Binutils 2.31 | nm | Stack-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681 |
| Binutils 2.31 | nm | Stack-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675 |
| Binutils 2.31 | ld | NULL Pointer Dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=23806 |
| Binutils 2.31 | ld | NULL Pointer Dereference* | https://sourceware.org/bugzilla/show_bug.cgi?id=23805 |
| Binutils 2.31 | ld | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23804 |
| Binutils 2.31 | c++filt | Stack-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 |
| Binutils 2.31 | c++filt | Integer overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23767 |
| Binutils 2.31 | c++filt | Uncontrolled-memory-allocation* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602 |
| Binutils 2.31 | ld | NULL-Pointer dereference’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23772 |
| Binutils 2.31 | objdump | Uncontrolled-memory-allocation’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23771 |
| Binutils 2.31 | c++filt | Stack-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87333 |
| Binutils 2.31 | c++filt | Stack-overflow* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335 |
| Binutils 2.31 | c++filt | NULL Pointer Dereference* | https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350 |
| Binutils 2.31 | objdump | Invalid Address Read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23770 |
| Elfutils 0.174 | eu-ranlib | Divide-by-zero* | https://sourceware.org/bugzilla/show_bug.cgi?id=23786 |
| Elfutils 0.174 | eu-size | Invalid Address Read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23787 |
| Elfutils 0.174 | eu-readelf | Negative-size-param’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23782 |
| Elfutils 0.174 | eu-stack | Invalid Address Read* | https://sourceware.org/bugzilla/show_bug.cgi?id=23752 |
| Elfutils 0.174 | eu-stack | Invalid Address Read’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23753 |
| Elfutils 0.174 | eu-ar | NULL-Pointer Dereference’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23754 |
| Elfutils 0.174 | eu-findtextrel | Divide-by-zero’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23755 |
| Elfutils 0.173 | eu-addr2line | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23541 |
| Elfutils 0.173 | eu-nm | Double Free* | https://sourceware.org/bugzilla/show_bug.cgi?id=23528 |
| Elfutils 0.173 | eu-readelf | Heap Buffer-overflow* | https://sourceware.org/bugzilla/show_bug.cgi?id=23529 |
| Elfutils 0.173 | eu-elflint | Heap Buffer-overflow’ | https://sourceware.org/bugzilla/show_bug.cgi?id=23542 |
| LibTIFF 4.0.9 | tiff2pdf | Heap Buffer-overflow* | http://bugzilla.maptools.org/show_bug.cgi?id=2816 |
| libexe | exeinfo | Heap Buffer-overflow* | https://github.com/libyal/libexe/issues/1 |
| ImageMagick | magick identify | Uncontrolled-memory-allocation’ | https://github.com/ImageMagick/ImageMagick/issues/1350 |
| ImageMagick | magick | Memory Leak’ | https://github.com/ImageMagick/ImageMagick/issues/1403 |
| liblnk | lnkinfo | Heap Buffer-overflow’ | https://github.com/libyal/liblnk/issues/36 |