[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Heap-based buffer overflow in the srcnext() function
|
From: |
Frederic Cambus |
|
Subject: |
Heap-based buffer overflow in the srcnext() function |
|
Date: |
Fri, 20 Dec 2019 19:00:59 +0100 |
Hi,
While fuzzing lout 3.40 with Honggfuzz, I found a heap-based buffer
overflow in the srcnext() function, in z02.c.
Attaching a reproducer (gzipped so it doesn't get mangled).
Issue can be reproduced by running:
```
lout test01
```
```
=================================================================
==30030==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6260000000ff at pc 0x0000004d9b84 bp 0x7fff16458220 sp 0x7fff16458218
WRITE of size 1 at 0x6260000000ff thread T0
#0 0x4d9b83 in srcnext /home/fcambus/lout-3.40/z02.c:381:26
#1 0x4d37b2 in LexGetToken /home/fcambus/lout-3.40/z02.c:491:15
#2 0x4f75fd in Parse /home/fcambus/lout-3.40/z06.c:819:7
#3 0x4ce4b5 in run /home/fcambus/lout-3.40/z01.c:898:9
#4 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
#5 0x7f11f51731e2 in __libc_start_main
/build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
#6 0x41b45d in _start (/home/fcambus/lout-3.40/lout+0x41b45d)
0x6260000000ff is located 1 bytes to the left of 10243-byte region
[0x626000000100,0x626000002903)
allocated by thread T0 here:
#0 0x49335d in malloc (/home/fcambus/lout-3.40/lout+0x49335d)
#1 0x4d1c2d in LexPush /home/fcambus/lout-3.40/z02.c:240:29
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/fcambus/lout-3.40/z02.c:381:26 in srcnext
Shadow bytes around the buggy address:
0x0c4c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c4c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==30030==ABORTING
```
test01.gz
Description: application/gunzip
- Heap-based buffer overflow in the srcnext() function,
Frederic Cambus <=