Description
poc-libRaw.zip
Reproduce steps:
Compile LibRaw with AddressSanitizer.
Run: ./libraw_cr2_fuzzer poc
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3355647081
INFO: Loaded 1 modules (18101 inline 8-bit counters): 18101 [0xb3b730, 0xb3fde5),
INFO: Loaded 1 PC tables (18101 PCs): 18101 [0x815158,0x85bca8),
./libraw_cr2_fuzzer: Running 1 inputs 1 time(s) each.
Running: crash-5f77e83098892cb416521525ef399068c83941fe
==173755==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc443b133f at pc 0x0000005b1375 bp 0x7ffc443b1260 sp 0x7ffc443b1258
WRITE of size 1 at 0x7ffc443b133f thread T0
#0 0x5b1374 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5b1374)
#1 0x6e29f0 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6e29f0)
#2 0x6b0d68 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6b0d68)
#3 0x6bf88c (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6bf88c)
#4 0x663f0e (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x663f0e)
#5 0x598252 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x598252)
#6 0x59735a (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x59735a)
#7 0x4c916a (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c916a)
#8 0x5179e6 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5179e6)
#9 0x4c9d9f (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c9d9f)
#10 0x4d7e93 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4d7e93)
#11 0x4c9417 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x4c9417)
#12 0x7fc5fb3df0b2 (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#13 0x41e908 (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x41e908)
Address 0x7ffc443b133f is located in stack of thread T0 at offset 95 in frame
#0 0x6e080f (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x6e080f)
This frame has 7 object(s):
[32, 36) 'tag' (line 64)
[48, 52) 'type' (line 64)
[64, 68) 'len' (line 64)
[80, 84) 'save' (line 64)
[96, 608) 'mn_text' (line 219) <== Memory access at offset 95 underflows this variable
[672, 1184) 'ccms' (line 221)
[1248, 1256) 'last' (line 253)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/gtt/out/build/libfuzzer-latest-average/libraw/libraw_cr2_fuzzer+0x5b1374)
Shadow bytes around the buggy address:
0x10000886e210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e250: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10000886e260: 04 f2 04 f2 04 f2 04[f2]00 00 00 00 00 00 00 00
0x10000886e270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000886e2a0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
0x10000886e2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==173755==ABORTING