[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Buffer overflow in the StringQuotedWord() function
|
From: |
Frederic Cambus |
|
Subject: |
Buffer overflow in the StringQuotedWord() function |
|
Date: |
Fri, 20 Dec 2019 19:12:14 +0100 |
Hi,
While fuzzing lout 3.40 with Honggfuzz, I found a buffer overflow in
the StringQuotedWord() function, in z39.c.
Attaching a reproducer (gzipped so it doesn't get mangled).
Issue can be reproduced by running:
```
lout test02
```
```
=================================================================
==30489==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001043820 at pc 0x000000683f48 bp 0x7ffed5cd8ad0 sp 0x7ffed5cd8ac8
WRITE of size 1 at 0x000001043820 thread T0
#0 0x683f47 in StringQuotedWord /home/fcambus/lout-3.40/z39.c:254:66
#1 0x689912 in WriteObject /home/fcambus/lout-3.40/z41.c:310:7
#2 0x68b320 in WriteClosure /home/fcambus/lout-3.40/z41.c:215:4
#3 0x689fb8 in WriteObject /home/fcambus/lout-3.40/z41.c:469:7
#4 0x6884a1 in AppendToFile /home/fcambus/lout-3.40/z41.c:688:3
#5 0x57b60f in CrossSequence /home/fcambus/lout-3.40/z10.c:891:2
#6 0x6172ed in Promote /home/fcambus/lout-3.40/z22.c:838:4
#7 0x5face4 in FlushGalley /home/fcambus/lout-3.40/z20.c:776:7
#8 0x5d5e23 in TransferEnd /home/fcambus/lout-3.40/z18.c:499:5
#9 0x4ce4e2 in run /home/fcambus/lout-3.40/z01.c:901:3
#10 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
#11 0x7f00c952b1e2 in __libc_start_main
/build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
#12 0x41b45d in _start (/home/fcambus/lout-3.40/lout+0x41b45d)
0x000001043820 is located 0 bytes to the right of global variable 'buff'
defined in 'z39.c:248:20' (0x1043620) of size 512
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/fcambus/lout-3.40/z39.c:254:66 in StringQuotedWord
Shadow bytes around the buggy address:
0x0000802006b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 04 f9
0x0000802006c0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802006d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802006e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802006f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080200700: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000080200710: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x000080200720: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x000080200730: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x000080200740: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x000080200750: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==30489==ABORTING
```
test02.gz
Description: application/gunzip
- Buffer overflow in the StringQuotedWord() function,
Frederic Cambus <=