Skip to content

Several heap buffer overflow issues have been found. #189

Closed
@fCorleone

Description

@fCorleone

A buffer overflow has been discovered. The information is displayed as follows:

==4515==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000a91a at pc 0x7f7e7a5e7df8 bp 0x7ffe878efa50 sp 0x7ffe878ef1f8
READ of size 103 at 0x60b00000a91a thread T0
#0 0x7f7e7a5e7df7 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cdf7)
#1 0x40b516 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
#2 0x40b516 in __mkd_trim_line /home/ubuntu/mfc_fuzz/discount/mkdio.c:85
#3 0x4260e0 in codeblock /home/ubuntu/mfc_fuzz/discount/markdown.c:611
#4 0x4260e0 in compile /home/ubuntu/mfc_fuzz/discount/markdown.c:1317
#5 0x42a56e in compile_document /home/ubuntu/mfc_fuzz/discount/markdown.c:1230
#6 0x42a56e in mkd_compile /home/ubuntu/mfc_fuzz/discount/markdown.c:1436
#7 0x40272c in main /home/ubuntu/mfc_fuzz/discount/mkd2html.c:177
#8 0x7f7e7a1b182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x403d48 in _start (/home/ubuntu/mfc_fuzz/discount/mkd2html+0x403d48)

0x60b00000a91a is located 0 bytes to the right of 106-byte region [0x60b00000a8b0,0x60b00000a91a)
allocated by thread T0 here:
#0 0x7f7e7a5f3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x41e88d in splitline /home/ubuntu/mfc_fuzz/discount/markdown.c:174
#2 0x41e88d in htmlblock /home/ubuntu/mfc_fuzz/discount/markdown.c:333

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
0x0c167fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9510: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff9520: 00 00 00[02]fa fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff9530: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
0x0c167fff9540: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c167fff9550: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c167fff9560: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00
0x0c167fff9570: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4515==ABORTING

The input test case is at: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue1_testcase
The executable file is mkd2html.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions