Raptor is a web application firewall written in C that uses DFA to block SQL injection, cross site scripting, and path traversals.
e124a10f5e1cc12f366263958aeaf678bc45ef125e7d80430afc2808ac8cf4a5
The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow.
e764018c50128a89c728c3202c374cd2eee6b13beea7305fa6c32f6c0bab6212
There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow.
6154ad3c9f831583ddc42198a12cfa12363713dc40cd3172b448eda799e5eae1
Gentoo Linux Security Advisory 201610-9 - Multiple vulnerabilities have been found in the Chromium web browser, the worst of which allows remote attackers to execute arbitrary code. Versions less than 54.0.2840.59 are affected.
ad761228304f4fe9f8b6ce1842cf6603b66fd22ae641b2101ff84d93f1db9fcf
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks.
217f80d673facc15accb636f625922543219ec6b5feb5df98734f4a373cb88c7
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writing output.
7290a345ac11921d719fab843f9ee44533b83cdd39e09fc45d06819460973000
The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks.
b14a13d1b77ffa3d060b707004362638f3c5ff6e048afd8cf77611c8cdde2d1a
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here, as the second argument is not the size of |Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer that is at least 255 characters long. The the maximum component paths of most filesystems on Windows have a limit that is <= 255 though, so this shouldn't be an issue on normal filesystems. However, one can pass UNC paths to CreateProcessW containing forward slashes as the path delimiter, which means that the extracted filename here can be "a/b/c/...", leading to a buffer overflow. Additionally, this function has no stack cookie.
d534aa5dbfaaf39a96770f8f3d77175a1058baafc21fe140187d747f2c80d76a
The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it.
ad8c4174f1e08e6564d58aa2d42e1e83d8e014e6a4e5db8020415f6aba4ec946
NVIDIA suffers from a missing bounds check in escape 0x100010b.
0ac6c7ff8137b4f4210690565bb24e9090b98312b19fb5b9f81228ab56b1211c
The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input.
3f0707279202aa000fc87188c9423545af5ea5238e8a0a0747d912d04badb09d
The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said pointer.
00028040fc1696111b53b38186779858df513b4aa81a7ab2a7c1d708f6b717c5
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory corruption.
88df8868b62f20e6af812714d8f4fbc7c341957f6633b3258e0389967bc4db8e
A logic issue in launchd message requeuing allows arbitrary mach message control. Mac OS X version 10.11.6 is affected.
0c4a95bb9942e2aa50c7ff4c3ea1baae30e2d99475cd575f65c1e1f70c6285a5
NVIDIA escape code leaks uninitialized ExAllocatePoolWithTag memory to userspace.
f708d6be27d7323b5b92bfefe4673bcc69a708dc90f8c96a6211dd65b7f7b009
Multiple memory safety issues exist in Mac OS X and iOS inside of mach_ports_register.
164ada40109fdf8bff76ff09d76b270061f06289e2e74b857944849bdf5cb42e
NVIDIA's UVMLiteController ioctl handling in nvlddmkm.sys failed to provide proper length checking.
35df092ce423d70fd6bbcf76399d366b6e2c33dd7474e617edb4a4aae54093e8
The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and memory corruption can occur.
fe4199c90270a4da962ed45b45ddf04bfdf0f113751182e41c3f39b735a8f2c9