Bombs

The list of bugs and vulnerabilities found during my research.

Protocol Systems (12 CVEs)

CVE-2021-38380 Live555 through 1.08 mishandles huge requests for the same MP3 stream, leading to recursion and a stack-based buffer over-read. An attacker can leverage this to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-38381 Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVSS severity score: 6.5
CVE-2021-38382 Live555 through 1.08 does not handle Matroska and Ogg files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVSS severity score: 6.5
CVE-2021-38383 OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c. CVSS severity score: 9.8
CVE-2021-39282 Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files. CVSS severity score: 7.5
CVE-2021-39283 Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands in liveMedia/FramedSource.cpp. CVSS severity score: 5.5
CVE-2021-41396 Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41397 Live555 through 1.08 does not handle MPEG data properly. Sending a specific command sequence in the MPEG stream leaks 2020 bytes once. An attacker can use this to launch a DoS attack.
CVE-2021-41687 DCMTK through 3.6.6 does not handle memory free properly. The program mallocs heap memory for parsing data but does not free it on a parse error. Sending specific requests to the dcmqrdb program incurs the memory leak. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41688 DCMTK through 3.6.6 does not handle memory free properly. An object in the program is freed but its address is still used in other locations. Sending specific requests to the dcmqrdb program will incur a double free. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41689 DCMTK through 3.6.6 does not handle string copy properly. On specific requests, the dcmqrdb program queries its database and copies the result even if the result is null, which can incur a heap-based overflow. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
CVE-2021-41690 DCMTK through 3.6.6 does not handle memory free properly. The malloced memory for storing all file information is recorded in a global variable LST and is not freed properly. Sending specific requests to the dcmqrdb program can incur a memory leak. An attacker can use it to launch a DoS attack. CVSS severity score: 7.5
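
The leak described for CVE-2021-41687 (memory allocated for parsing, never freed when the parse fails) is the generic allocate-then-validate-then-return-early pattern. The following is an added C example, not DCMTK's code and not the dcmqrdb request format: a hypothetical handler for a constructed "<len>:<payload>" request, written once in the leaky form and once with a single cleanup path, plus a counting allocator so the outstanding blocks can be observed without a sanitizer. The function names, the format and the sample requests are all invented for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request format for this example (NOT DCMTK's wire format):
 * "<len>:<payload>", where <len> is the decimal byte count of <payload>.
 * Anything else is a parse error. */
#define BUF_SIZE 256

/* Heap blocks currently outstanding: the one number a leak checker such as
 * LeakSanitizer would report at exit, reduced to a counter for this demo. */
static int live_allocs = 0;

static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Validate "<len>:<payload>"; returns the payload start, or NULL on error. */
static const char *check_request(const char *req, size_t *len)
{
    const char *colon = strchr(req, ':');
    if (!colon)
        return NULL;
    *len = strtoul(req, NULL, 10);
    if (*len != strlen(colon + 1) || *len >= BUF_SIZE)
        return NULL;
    return colon + 1;
}

/* Leaky handler: allocates first, then returns early on a parse error
 * without releasing the buffer. This is the error-path leak pattern. */
int parse_request_leaky(const char *req, char **out)
{
    size_t len;
    char *buf = xmalloc(BUF_SIZE);
    if (!buf)
        return -1;
    const char *payload = check_request(req, &len);
    if (!payload)
        return -1;               /* BUG: buf is never freed on this path */
    memcpy(buf, payload, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

/* Fixed handler: every error exits through one cleanup label, and
 * ownership of buf passes to the caller only on success. */
int parse_request_fixed(const char *req, char **out)
{
    size_t len;
    int rc = -1;
    char *buf = xmalloc(BUF_SIZE);
    if (!buf)
        return -1;
    const char *payload = check_request(req, &len);
    if (!payload)
        goto cleanup;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    *out = buf;
    buf = NULL;                  /* caller now owns the block */
    rc = 0;
cleanup:
    xfree(buf);                  /* frees on error, no-op on success */
    return rc;
}

/* Feed a handler a batch of requests, free whatever it hands back, and
 * return how many heap blocks are still outstanding (0 means no leak). */
int outstanding_after(int (*handler)(const char *, char **),
                      const char **reqs, int n)
{
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        char *out = NULL;
        if (handler(reqs[i], &out) == 0)
            xfree(out);
    }
    return live_allocs;
}

/* Constructed sample traffic: two well-formed requests, two malformed. */
const char *sample_requests[] = {
    "5:hello",       /* valid */
    "no-colon-here", /* parse error: missing separator */
    "99:short",      /* parse error: length does not match payload */
    "3:abc",         /* valid */
};
#define N_SAMPLES 4

int main(void)
{
    printf("leaky handler: %d block(s) outstanding\n",
           outstanding_after(parse_request_leaky, sample_requests, N_SAMPLES));
    printf("fixed handler: %d block(s) outstanding\n",
           outstanding_after(parse_request_fixed, sample_requests, N_SAMPLES));
    return 0;
}
```

Each malformed request costs the leaky handler one block that is never returned, so a server that keeps accepting such requests grows until it is killed, which is the DoS the advisories describe. Building with -fsanitize=address and running only the leaky handler makes LeakSanitizer report the same two blocks at exit; the counter here just makes the same observation visible in a test.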

Database Management Systems (66 bugs)

CockroachDB (18 bugs)

sql: support SCRUB on temp tables Link: https://github.com/cockroachdb/cockroach/issues/83770
Internal Error: Comparison Overload not Found Link: https://github.com/cockroachdb/cockroach/issues/83792
ERROR: no builtin aggregate for SUM_INT on [unknown] Link: https://github.com/cockroachdb/cockroach/issues/83874
Crashing by EXPLAIN Statement Link: https://github.com/cockroachdb/cockroach/issues/83965
Invalid Memory Address Error of Specific SQL Query Link: https://github.com/cockroachdb/cockroach/issues/83973
Unexpected Error of Unique Index Link: https://github.com/cockroachdb/cockroach/issues/83976
Crash: panic: RecordingStructured has 30 recordings; expected 1 Link: https://github.com/cockroachdb/cockroach/issues/84056
Unexpected Overflow Error by Huge Interval Value Link: https://github.com/cockroachdb/cockroach/issues/84154
Inconsistent Case Return Types Decimal Int Link: https://github.com/cockroachdb/cockroach/issues/85356
No Result Returned by SHOW COLUMN Link: https://github.com/cockroachdb/cockroach/issues/85388
internal error: no volatility for cast decimal::timestamp Link: https://github.com/cockroachdb/cockroach/issues/85389
opt: internal error: lookup for ComparisonExpr Link: https://github.com/cockroachdb/cockroach/issues/85390
opt: internal error: no output column equivalent to 2 Link: https://github.com/cockroachdb/cockroach/issues/85393
Unexpected Error in SHOW COLUMNS Link: https://github.com/cockroachdb/cockroach/issues/85394
opt: internal error: estimated row count must be non-zero Link: https://github.com/cockroachdb/cockroach/issues/85499
Unexpected Result by UNION Link: https://github.com/cockroachdb/cockroach/issues/85502
An Unexpected Error in `CROSS MERGE JOIN` Link: https://github.com/cockroachdb/cockroach/issues/88104
ERROR: internal error: expected *DInt, found tree.dNull Link: https://github.com/cockroachdb/cockroach/issues/94264

DuckDB (1 bug)

Crash When Creating Index Link: https://github.com/duckdb/duckdb/issues/4976

SQLite (29 bugs)

An Inconsistent Result Depending on Parenthesization Link: https://sqlite.org/forum/forumpost/af3d07f908
An Unexpected NULL Column Caused by Where Clause in RIGHT JOIN Link: https://sqlite.org/forum/forumpost/41cc3851d8
Rows are Unexpectedly Filtered Out by DISTINCT in RIGHT JOIN Link: https://sqlite.org/forum/forumpost/c06b10ad7e
Expression or Constant in GroupBy Clause Link: https://sqlite.org/forum/forumpost/2458c5dea2
Ambiguous Reference Error for Right Join Link: https://sqlite.org/forum/forumpost/e90a8e6e6f
Unexpected Result by WHERE when Joining Tables Link: https://sqlite.org/forum/forumpost/687b0bf563
Unexpected Result by WHERE/RIGHT JOIN Link: https://sqlite.org/forum/forumpost/5cfe08eed6
Unexpected Result in Joining Virtual Tables Link: https://sqlite.org/forum/forumpost/3902c7b833
Unexpected Result by Joining Link: https://sqlite.org/forum/forumpost/c2554d560b
Unexpected Result by RIGHT JOIN on RTree Tables Link: https://sqlite.org/forum/forumpost/087de2d9ec
Unexpected Result by WHERE Again Link: https://sqlite.org/forum/forumpost/de16c4abe2
Unexpected Result by RIGHT JOIN Link: https://sqlite.org/forum/forumpost/206d99a16d
Unexpected Assertion Error in SQLite3MemCompare Link: https://sqlite.org/forum/forumpost/800eecf5e6
Unexpected Result by ORDER BY Link: https://sqlite.org/forum/forumpost/323f86cc30
Unexpected Result by RIGHT JOIN with INDEX Link: https://sqlite.org/forum/forumpost/c4676c4956
Unexpected Result by JSON Link: https://sqlite.org/forum/forumpost/3d9caa45cb
Unexpected Result by Complicated JOINING Link: https://sqlite.org/forum/forumpost/eeb8173cf8
Assertion `pCur->eCurType==CURTYPE_VTAB' failed Link: https://sqlite.org/forum/forumpost/dafe0500b0
Unexpected Result by RIGHT JOIN Again Link: https://sqlite.org/forum/forumpost/51e6959f61
Unexpected Result by Complicated JOINING Again Link: https://sqlite.org/forum/forumpost/b40696f501
Unexpected Assertion Error in valueFromFunction Link: https://sqlite.org/forum/forumpost/e3243e07e8
Unexpected Result by FULL OUTER JOIN Link: https://sqlite.org/forum/forumpost/5610c17c3d
Unexpected Expression on ON clause Link: https://sqlite.org/forum/forumpost/57bdf2217d
Unexpected Expression Result by FULL OUTER JOIN Link: https://sqlite.org/forum/forumpost/6650cd40b5
Unexpected Parse Error Link: https://sqlite.org/forum/forumpost/1a7fea4651
Unexpected Assertion Error in whereRangeScanEst Link: https://sqlite.org/forum/forumpost/c3496cf6b1
Unexpected Result by Union Link: https://sqlite.org/forum/forumpost/174afeae57
Assertion `pRec->nField>0 && pRec->nField<=pIdx->nSampleCol' failed. Link: https://sqlite.org/forum/forumpost/3607259d3c

TiDB (18 bugs)

incorrect unresolved column when using natural join Link: https://github.com/pingcap/tidb/issues/35522
unexpected unresolved column error when the view refers to dual table Link: https://github.com/pingcap/tidb/issues/35527
Runtime error: invalid memory address Link: https://github.com/pingcap/tidb/issues/35623
Unexpected Result with a FALSE Expression in WHERE Link: https://github.com/pingcap/tidb/issues/35645
Unexpected Error by CAST and CHAR functions Link: https://github.com/pingcap/tidb/issues/35652
Unexpected Error for Function INET_ATON Link: https://github.com/pingcap/tidb/issues/35677
Unexpected Connection Lost Link: https://github.com/pingcap/tidb/issues/35678
Inconsistent Results in SELECT Link: https://github.com/pingcap/tidb/issues/36853
Unexpected Result by CONCAT_WS Link: https://github.com/pingcap/tidb/issues/36888
ERROR 8141 (HY000): assertion failed Link: https://github.com/pingcap/tidb/issues/38295
Incorrect Results by `REGEXP` Link: https://github.com/pingcap/tidb/issues/38303
Incorrect Result by `LEFT JOIN` Link: https://github.com/pingcap/tidb/issues/38304
runtime error: invalid memory address or nil pointer dereference Link: https://github.com/pingcap/tidb/issues/38305
Unexpected Results Link: https://github.com/pingcap/tidb/issues/38310
Error [types:1690]%s value is out of range in '%s' Link: https://github.com/pingcap/tidb/issues/38352
Unexpected Error: Failed to read auto-increment value from storage engine Link: https://github.com/pingcap/tidb/issues/38483
Unexpected Results by RIGHT JOIN Link: https://github.com/pingcap/tidb/issues/38654
rule PredicatePushDown pushes wrong filter across projection Link: https://github.com/pingcap/tidb/issues/38736