
global buffer overflow in shoco_decompress() #28

Open
geeknik opened this Issue Feb 22, 2017 · 1 comment


geeknik commented Feb 22, 2017

Compiled with AFL with ASan like `CC=afl-clang-fast make` and then run like `./shoco decompress test000 /dev/null`, which produces this:

```
==19039==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004d0548 at pc 0x0000004bfdda bp 0x7ffd2945a650 sp 0x7ffd2945a648
READ of size 4 at 0x0000004d0548 thread T0
    #0 0x4bfdd9 in shoco_decompress (/root/shoco/shoco+0x4bfdd9)
    #1 0x4c017c in main (/root/shoco/shoco+0x4c017c)
    #2 0x7f542c310b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #3 0x4bd56c in _start (/root/shoco/shoco+0x4bd56c)

0x0000004d0548 is located 24 bytes to the left of global variable 'chrs_by_chr_and_successor_id' defined in './shoco_model.h:58:21' (0x4d0560) of size 1328
0x0000004d0548 is located 8 bytes to the right of global variable 'chrs_by_chr_id' defined in './shoco_model.h:15:19' (0x4d0520) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 shoco_decompress
```

test000.zip
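As an added triage example (not code from the shoco project or from the reporter), the following Python parses the AddressSanitizer report quoted above and works out which element indices of the two neighbouring tables the out-of-bounds read covers. It assumes the tables have 1-byte elements, which the report itself does not state.

```python
import re

# Constructed sample: an excerpt of the AddressSanitizer report quoted in this issue.
REPORT = """\
==19039==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004d0548 at pc 0x0000004bfdda bp 0x7ffd2945a650 sp 0x7ffd2945a648
READ of size 4 at 0x0000004d0548 thread T0
    #0 0x4bfdd9 in shoco_decompress (/root/shoco/shoco+0x4bfdd9)
    #1 0x4c017c in main (/root/shoco/shoco+0x4c017c)
0x0000004d0548 is located 24 bytes to the left of global variable 'chrs_by_chr_and_successor_id' defined in './shoco_model.h:58:21' (0x4d0560) of size 1328
0x0000004d0548 is located 8 bytes to the right of global variable 'chrs_by_chr_id' defined in './shoco_model.h:15:19' (0x4d0520) of size 32
"""

ERR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)
GLOBAL_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of global variable "
                       r"'([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)")

def parse_asan_report(text):
    """Bug class, faulting address, access kind/size, frames and neighbouring globals."""
    err, acc = ERR_RE.search(text), ACCESS_RE.search(text)
    if not err or not acc:
        raise ValueError("not an AddressSanitizer access report")
    return {
        "kind": err.group(1), "addr": int(err.group(2), 16),
        "access": acc.group(1), "size": int(acc.group(2)),
        "frames": FRAME_RE.findall(text),
        "globals": [{"name": n, "defined_in": d, "base": int(b, 16), "size": int(s)}
                    for n, d, b, s in GLOBAL_RE.findall(text)],
    }

def locate_overrun(report, elem_size=1):
    """Element index range the access covers relative to each neighbouring table.
    elem_size is an assumption (ASan only reports byte sizes); negative means before."""
    result = {}
    for g in report["globals"]:
        first = report["addr"] - g["base"]      # byte offset of first byte accessed
        last = first + report["size"] - 1       # byte offset of last byte accessed
        result[g["name"]] = {"first_index": first // elem_size,
                             "last_index": last // elem_size,
                             "n_elems": g["size"] // elem_size,
                             "in_bounds": first >= 0 and last < g["size"]}
    return result

if __name__ == "__main__":
    rep = parse_asan_report(REPORT)
    print(f"{rep['access']} of {rep['size']} bytes in {rep['frames'][0]} ({rep['kind']})")
    for name, loc in locate_overrun(rep).items():
        print(f"  {name}[{loc['n_elems']}]: indices {loc['first_index']}..{loc['last_index']},"
              f" {'in' if loc['in_bounds'] else 'out of'} bounds")
```

For this report the read lands at indices 40..43 of the 32-entry `chrs_by_chr_id`, i.e. an index derived from the compressed input that was never checked against the table size.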


geeknik commented Jul 17, 2017

This has been assigned CVE-2017-11367.
