
There is a stack-based buffer overflow in the directblockRead function of fractalhead.c(at 172) #83

Closed
gutiniao opened this issue Oct 31, 2019 · 1 comment

Comments

@gutiniao

A crafted input will lead to a crash in fractalhead.c in libmysofa v0.8.

Triggered by: `./mysofa2json POC`

PoC: overflow-libmysofa1

The ASAN information is as follows:

```
./mysofa2json overflow-libmysofa1 
ASAN:SIGSEGV
=================================================================
==6617==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe850c2ed8 (pc 0x7f91956d5568 bp 0x7ffe850c3720 sp 0x7ffe850c2ec0 T0)
    #0 0x7f91956d5567 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98567)
    #1 0x40d5d9 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:172
    #2 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #3 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #4 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #5 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #6 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #7 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #8 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #9 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #10 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #11 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #12 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #13 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #14 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #15 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #16 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #17 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #18 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #19 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
.....
```

gdb debug info:

```
gdb ./mysofa2json 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./mysofa2json...done.
(gdb) r overflow-libmysofa1
Starting program: /usr/local/libmysofa_ASAN/bin/mysofa2json overflow-libmysofa1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f02568 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.2
(gdb) bt
#0  0x00007ffff6f02568 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#1  0x000000000040d5da in directblockRead (reader=0x7fffffffde10, dataobject=0x617000a5cd08, fractalheap=0x617000a5cee8) at /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:172
#2  0x000000000040f74b in fractalheapRead (reader=0x7fffffffde10, dataobject=0x617000a5cd08, fractalheap=0x617000a5cee8) at /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
#3  0x000000000040a535 in dataobjectRead (reader=0x7fffffffde10, dataobject=0x617000a5cd08, name=0x60200006ed50 "7") at /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
```

About the code:

```c
} else if (typeandversion == 1) {
    /*
     * pointer to another data object
     */
    unknown = readValue(reader, 6);
    if (unknown) {
        log("FHDB type 1 unsupported values\n");
        return MYSOFA_UNSUPPORTED_FORMAT;
    }

    len = fgetc(reader->fhd);
    if (len < 0)
        return MYSOFA_READ_ERROR;
    assert(len < 0x100);

    if (!(name = malloc(len + 1)))   /* <-- fractalhead.c:172 */
        return MYSOFA_NO_MEMORY;
```
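A note on reading the traces: AddressSanitizer classifies the fault as `stack-overflow`, i.e. stack exhaustion, and the backtrace is the same three frames repeating (directblockRead at fractalhead.c:201 calls dataobjectRead at dataobject.c:931, which calls fractalheapRead at fractalhead.c:451, which calls directblockRead again). That pattern is what a type-1 entry ("pointer to another data object") produces when the referenced object leads back into an object the parser is already reading: the recursion never bottoms out, and the `malloc` at line 172 is merely the first call that happens to touch the exhausted stack. The defensive fix for this class of bug is to bound the nesting depth in the reader and fail the parse cleanly when it is exceeded. The following is an added example and not libmysofa code: a toy in-memory object graph with the same mutual recursion, plus a depth counter carried in the reader. The `MAX_NESTING` value of 32, the toy structures and every function name are assumptions made for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not libmysofa code. A toy object graph models the
 * mutual recursion in the trace: reading an object walks its direct block,
 * and a type-1 entry ("pointer to another data object") reads the target
 * object, which walks its own block, and so on. */

#define MAX_NESTING 32   /* assumed limit; choose one that covers real files */

enum { TOY_OK = 0, TOY_UNSUPPORTED = -1, TOY_TOO_DEEP = -2 };

typedef struct {
    int type;    /* 0 = plain entry, 1 = pointer to another object */
    int target;  /* index of the referenced object when type == 1 */
} ToyEntry;

typedef struct {
    const ToyEntry *entries;
    int count;
} ToyObject;

typedef struct {
    const ToyObject *objects;
    int nobjects;
    int depth;      /* nesting depth of the object currently being read */
    int max_depth;  /* deepest nesting reached, for reporting */
} ToyReader;

static int toyObjectRead(ToyReader *r, int idx);

/* Counterpart of directblockRead: recurses on every type-1 entry. */
static int toyDirectBlockRead(ToyReader *r, const ToyObject *obj)
{
    for (int i = 0; i < obj->count; i++) {
        const ToyEntry *e = &obj->entries[i];
        if (e->type == 1) {
            int rc = toyObjectRead(r, e->target);
            if (rc != TOY_OK)
                return rc;
        } else if (e->type != 0) {
            return TOY_UNSUPPORTED;
        }
    }
    return TOY_OK;
}

/* Counterpart of dataobjectRead. The guard sits here so that every path
 * that re-enters the object reader is counted and unwound symmetrically. */
static int toyObjectRead(ToyReader *r, int idx)
{
    if (idx < 0 || idx >= r->nobjects)
        return TOY_UNSUPPORTED;
    if (r->depth >= MAX_NESTING)     /* the fix: refuse to nest any deeper */
        return TOY_TOO_DEEP;
    r->depth++;
    if (r->depth > r->max_depth)
        r->max_depth = r->depth;
    int rc = toyDirectBlockRead(r, &r->objects[idx]);
    r->depth--;
    return rc;
}

/* Parses a toy file starting at object 0; reports the deepest nesting seen. */
int toyParse(const ToyObject *objects, int nobjects, int *max_depth_out)
{
    ToyReader r = { objects, nobjects, 0, 0 };
    int rc = toyObjectRead(&r, 0);
    if (max_depth_out)
        *max_depth_out = r.max_depth;
    return rc;
}

/* Constructed inputs. The benign file nests two objects deep. The cyclic
 * file's only entry points back at object 0; without the depth guard that
 * recursion never terminates and exhausts the stack, as in the report. */
static const ToyEntry benign_e0[] = { { 1, 1 }, { 0, 0 } };
static const ToyEntry benign_e1[] = { { 0, 0 } };
static const ToyObject benign[]   = { { benign_e0, 2 }, { benign_e1, 1 } };

static const ToyEntry cyclic_e0[] = { { 1, 0 } };
static const ToyObject cyclic[]   = { { cyclic_e0, 1 } };

int toyBenignStatus(void) { return toyParse(benign, 2, NULL); }
int toyCyclicStatus(void) { return toyParse(cyclic, 1, NULL); }
int toyCyclicDepth(void)  { int d = 0; toyParse(cyclic, 1, &d); return d; }

int main(void)
{
    int d, rc;
    rc = toyParse(benign, 2, &d);
    printf("benign: status %d, nested %d levels\n", rc, d);
    rc = toyParse(cyclic, 1, &d);
    printf("cyclic: status %d, nested %d levels\n", rc, d);
    return 0;
}
```

The counter is incremented and decremented around the recursive call rather than reset per object, so it measures how deep the current chain is, not how many objects have been visited; a legitimate file with many sibling references is still accepted, while a self-referencing or very deeply chained one is rejected with a distinct error code that a caller such as mysofa2json can report instead of crashing.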

@hoene (Owner) commented Nov 24, 2019

Thank you very much for your contribution!

hoene closed this as completed Nov 24, 2019