VYPR
← All advisories
Unrated severityOSV Advisory· Published Feb 17, 2019· Updated Aug 4, 2024

CVE-2019-8379

CVE-2019-8379

Description

A NULL pointer dereference in AdvanceCOMP's be_uint32_read() function allows denial of service via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in AdvanceCOMP's be_uint32_read() function allows denial of service via a crafted file.

Vulnerability

A NULL pointer dereference vulnerability exists in the function be_uint32_read() located in endianrw.h of AdvanceCOMP through version 2.1. The flaw can be triggered when a victim opens a specially crafted file using the advmng command with specific flags (-l -0 -1 -2 -3 -4 -i 8 -r -e $POC) [1][2]. Affected versions include all releases up to and including 2.1 [1].

Exploitation

An attacker must craft a malicious file and convince a victim to process it with the advmng utility (part of AdvanceCOMP). The victim’s invocation of the command with the crafted file as input triggers the NULL pointer dereference, leading to a segmentation fault. No authentication or special privileges are required, but user interaction is needed (the victim must open the file) [1][3].

Impact

Successful exploitation causes the application to crash (denial of service) due to a segmentation fault. The reference text also mentions “possibly have unspecified other impact,” but the available sources do not confirm any further compromise [1][2].

Mitigation

Red Hat released an update (RHSA-2019:2332) on 2019-08-06 for Red Hat Enterprise Linux 7, fixing this issue [2]. Fedora package updates were also announced [4]. Users should upgrade to the patched version of AdvanceCOMP. If no official patch is available for a particular distribution, limiting the processing of untrusted files with advmng is advised [2][4].

References
  1. AdvanceMAME / Bugs / #271 null pointer dereference in be_uint32_read()
  2. https://access.redhat.com/errata/RHSA-2019:2332
  3. Research As A Service | Loginsoft
  4. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
7deeafc02b29

Fix a crash condition due invalid ZIP data

https://github.com/amadvance/advancecompAndrea MazzoleniFeb 12, 2018via osv
commit
6 files changed · +26 11
  • doc/history.1+3 1 modified
    @@ -1,10 +1,12 @@
 .TH "History For AdvanceCOMP" 1
 .SH NAME
 advcomp \- History For AdvanceCOMP
-.SH ADVANCECOMP VERSION 2.1 2018/01 
+.SH ADVANCECOMP VERSION 2.1 2018/02 
 .PD 0
 .IP \(bu
 Support ZIPs with data descriptor signature.
+.IP \(bu
+Fixed a crash condition with invalid ZIP data.
 .PD
 .SH ADVANCECOMP VERSION 2.0 2017/06 
 .PD 0
  • doc/history.d+2 1 modified
    @@ -1,8 +1,9 @@
 Name
 	advcomp - History For AdvanceCOMP
 
-AdvanceCOMP Version 2.1 2018/01
+AdvanceCOMP Version 2.1 2018/02
 	) Support ZIPs with data descriptor signature.
+	) Fixed a crash condition with invalid ZIP data.
 
 AdvanceCOMP Version 2.0 2017/06
 	) Added support for reading MNG files with depth of 1, 2, and 4 bits.
  • doc/history.txt+2 1 modified
    @@ -3,10 +3,11 @@
                             =======================

 

 

-ADVANCECOMP VERSION 2.1 2018/01

+ADVANCECOMP VERSION 2.1 2018/02

 ===============================

 

 * Support ZIPs with data descriptor signature.

+* Fixed a crash condition with invalid ZIP data.

 

 

 ADVANCECOMP VERSION 2.0 2017/06
  • HISTORY+2 1 modified
    @@ -3,10 +3,11 @@
                             =======================
 
 
-ADVANCECOMP VERSION 2.1 2018/01
+ADVANCECOMP VERSION 2.1 2018/02
 ===============================
 
 * Support ZIPs with data descriptor signature.
+* Fixed a crash condition with invalid ZIP data.
 
 
 ADVANCECOMP VERSION 2.0 2017/06
  • zip.cc+15 5 modified
    @@ -456,13 +456,15 @@ string zip_entry::name_get() const
 }
 
 /** Check central directory entry. */
-void zip_entry::check_cent(const unsigned char* buf) const
+void zip_entry::check_cent(const unsigned char* buf, unsigned buf_size) const
 {
+	if (buf_size < ZIP_CO_FIXED) {
+		throw error_invalid() << "Invalid central directory data";
+	}
 	// check signature
 	if (le_uint32_read(buf+ZIP_CO_central_file_header_signature) != ZIP_C_signature) {
 		throw error_invalid() << "Invalid central directory signature";
 	}
-
 	// check filename_length > 0, can't exist a file without a name
 	if (le_uint16_read(buf+ZIP_CO_filename_length) == 0) {
 		throw error_invalid() << "Empty filename in central directory";
@@ -679,11 +681,11 @@ void zip_entry::save_local(FILE* f)
  * \param buf Fixed size cent dir.
  * \param f File seeked after the fixed size cent dir.
  */
-void zip_entry::load_cent(const unsigned char* buf, unsigned& skip)
+void zip_entry::load_cent(const unsigned char* buf, unsigned buf_size, unsigned& skip)
 {
 	const unsigned char* o_buf = buf;
 
-	check_cent(buf);
+	check_cent(buf, buf_size);
 
 	// read header
 	info.version_made_by = le_uint8_read(buf+ZIP_CO_version_made_by);
@@ -705,6 +707,14 @@ void zip_entry::load_cent(const unsigned char* buf, unsigned& skip)
 	info.relative_offset_of_local_header = le_uint32_read(buf+ZIP_CO_relative_offset_of_local_header);
 	buf += ZIP_CO_FIXED;
 
+	if (buf_size < info.filename_length
+		|| buf_size < info.central_extra_field_length
+		|| buf_size < info.file_comment_length
+		|| buf_size < ZIP_CO_FIXED + info.filename_length + info.central_extra_field_length + info.file_comment_length
+	) {
+		throw error_invalid() << "Invalid central directory data";
+	}
+
 	// read filename
 	data_free(file_name);
 	file_name = data_alloc(info.filename_length);
@@ -853,7 +863,7 @@ void zip::open()
 
 			unsigned skip = 0;
 			try {
-				i->load_cent(data + data_pos, skip);
+				i->load_cent(data + data_pos, data_size - data_pos, skip);
 			} catch (...) {
 				map.erase(i);
 				throw;
  • zip.h+2 2 modified
    @@ -192,7 +192,7 @@ class zip_entry {
 	unsigned char* central_extra_field;
 	unsigned char* data;
 
-	void check_cent(const unsigned char* buf) const;
+	void check_cent(const unsigned char* buf, unsigned buf_size) const;
 	void check_local(const unsigned char* buf) const;
 	void check_descriptor(const unsigned char* buf) const;
 
@@ -208,7 +208,7 @@ class zip_entry {
 
 	void load_local(const unsigned char* buf, FILE* f, unsigned size);
 	void save_local(FILE* f);
-	void load_cent(const unsigned char* buf, unsigned& skip);
+	void load_cent(const unsigned char* buf, unsigned size, unsigned& skip);
 	void save_cent(FILE* f);
 	void unload();

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.