
There is a stack-based buffer overflow in the readOHDRHeaderMessageDatatype function of dataobject.c (at 216) #84

Closed
gutiniao opened this issue Oct 31, 2019 · 1 comment

Comments

@gutiniao

A crafted input will lead to a crash in dataobject.c at libmysofa v0.8.

Triggered by
./mysofa2json POC

PoC
overflow-libmysofa2

The ASAN information is as follows:

./mysofa2json overflow-libmysofa2 
ASAN:SIGSEGV
=================================================================
==9769==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb49eeff8 (pc 0x7f4d5c559b01 bp 0x7ffeb49ef910 sp 0x7ffeb49ef000 T0)
    #0 0x7f4d5c559b00  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b00)
    #1 0x7f4d5c5cf5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #2 0x4074dd in readOHDRHeaderMessageDatatype /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:216
    #3 0x4093b4 in readOHDRHeaderMessageAttribute /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:694
    #4 0x409c78 in readOHDRmessages /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:822
    #5 0x409ee6 in readOCHK /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:865
    #6 0x408fbe in readOHDRHeaderMessageContinue /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:631
    #7 0x409c9c in readOHDRmessages /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:826
    #8 0x40a3de in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:913
    #9 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #10 0x40e0ec in indirectblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:295
    #11 0x40f722 in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:448
    #12 0x40a534 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:931
    #13 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #14 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #15 0x40a626 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:937
    #16 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #17 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #18 0x40a626 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:937
    #19 0x40d8d6 in directblockRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:201
    #20 0x40f74a in fractalheapRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/fractalhead.c:451
    #21 0x40a626 in dataobjectRead /home/libmysofa/libmysofa_asan/libmysofa/src/hdf/dataobject.c:937
.....

About the code:

    case 6:
            log("    COMPONENT %d %02X\n", dt->size, dt->class_bit_field);
            if ((dt->class_and_version & 0xf0) != 0x30) {
                    log("object OHDR datatype message must have version 1 not %d\n",
                        dt->class_and_version >> 4);
                    return MYSOFA_INVALID_FORMAT;
            }
            for (i = 0; i < (dt->class_bit_field & 0xffff); i++) {
                    int maxsize = 0x1000;
                    buffer = malloc(maxsize);   /* <--- dataobject.c:216, where ASAN reports the stack-overflow */
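The ASAN trace above repeats the cycle dataobjectRead (dataobject.c:937) -> fractalheapRead (fractalhead.c:451) -> directblockRead (fractalhead.c:201) -> dataobjectRead, so the reported "stack-overflow" is stack exhaustion from unbounded recursion on a self-referencing object graph, and the malloc at line 216 is merely the first frame to touch the guard page. The following is an added example, not libmysofa's code: a toy model of that mutual recursion with a nesting-depth guard, where `heap_ref`, `MAX_DEPTH` and the function names are assumptions for illustration.

```c
#include <stddef.h>

#define MAX_DEPTH 64            /* assumed limit on nested HDF object reads */
#define ERR_OK 0
#define ERR_INVALID_FORMAT -1

/* Constructed "file": object i owns a fractal heap whose direct block
 * refers back to object heap_ref[i]; a negative entry means a leaf object. */
struct file { int nobjects; const int *heap_ref; };

static int dataobject_read(const struct file *f, int obj, int depth);

/* Model of directblockRead: a direct block names one object to read. */
static int directblock_read(const struct file *f, int target, int depth) {
    return dataobject_read(f, target, depth);
}

/* Model of fractalheapRead: the heap of object obj has one direct block. */
static int fractalheap_read(const struct file *f, int obj, int depth) {
    return directblock_read(f, f->heap_ref[obj], depth);
}

/* Model of dataobjectRead with the guard the original call chain lacks:
 * crafted files can make the chain cycle, so bound the recursion depth
 * and report a format error instead of exhausting the stack. */
static int dataobject_read(const struct file *f, int obj, int depth) {
    if (obj < 0 || obj >= f->nobjects) return ERR_INVALID_FORMAT;
    if (f->heap_ref[obj] < 0) return ERR_OK;           /* leaf: nothing nested */
    if (depth >= MAX_DEPTH) return ERR_INVALID_FORMAT; /* cycle or absurd nesting */
    return fractalheap_read(f, obj, depth + 1);
}

int parse_root(const int *heap_ref, int nobjects) {
    struct file f = { nobjects, heap_ref };
    return dataobject_read(&f, 0, 0);
}

/* Constructed sample graphs (not real HDF files). */
static const int benign_refs[] = { 1, 2, -1 };  /* 0 -> 1 -> 2 -> leaf */
static const int cyclic_refs[] = { 1, 0 };      /* 0 -> 1 -> 0 -> ... forever */

int demo_benign(void) { return parse_root(benign_refs, 3); }
int demo_cyclic(void) { return parse_root(cyclic_refs, 2); }
```

Without the depth check, `demo_cyclic` recurses until the stack is exhausted, which is exactly what the repeated frames in the ASAN report show.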
@hoene
Owner

hoene commented Nov 24, 2019

same as #83

@hoene hoene closed this as completed Nov 24, 2019