Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-flow in stl_update_connects_remove_1 #28

Closed
tianxiaogu opened this issue Sep 12, 2018 · 2 comments
Closed

heap-buffer-flow in stl_update_connects_remove_1 #28

tianxiaogu opened this issue Sep 12, 2018 · 2 comments
Labels

Comments

@tianxiaogu
Copy link

Find a heap-buffer-overflow with the input. Hope this report is helpful.

0.zip

ADMesh version 0.99.0dev, Copyright (C) 1995, 1996 Anthony D. Martin
ADMesh comes with NO WARRANTY.  This is free software, and you are welcome to
redistribute it under certain conditions.  See the file COPYING for details.
Opening 0
Checking exact...
Checking nearby. Tolerance= 3.937008 Iteration=1 of 2...  Fixed 2 edges.
Checking nearby. Tolerance= 196854.328125 Iteration=2 of 2...  Fixed 0 edges.
Removing unconnected facets...
=================================================================
==29577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000030 at pc 0x7f791f89fefe bp 0x7fffd3395da0 sp 0x7fffd3395d98
READ of size 4 at 0x610000000030 thread T0
    #0 0x7f791f89fefd in stl_update_connects_remove_1 /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:831:9
    #1 0x7f791f89fefd in stl_remove_degenerate /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:796
    #2 0x7f791f89fefd in stl_remove_unconnected_facets /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:728
    #3 0x7f791f8cf622 in stl_repair /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/util.c:527:7
    #4 0x51a148 in main /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/admesh.c:303:3
    #5 0x7f791e8dab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41af79 in _start (/home/t/Projects/afl/fuzzing-experiments/subjects/admesh/.libs/admesh+0x41af79)

0x610000000030 is located 16 bytes to the left of 192-byte region [0x610000000040,0x610000000100)
allocated by thread T0 here:
    #0 0x4e382f in calloc /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155
    #1 0x7f791f8b5239 in stl_allocate /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/stlinit.c:185:26
    #2 0x7f791f8b5239 in stl_open /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/stlinit.c:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/t/Projects/afl/fuzzing-experiments/subjects/admesh/src/connect.c:831:9 in stl_update_connects_remove_1
Shadow bytes around the buggy address:
  0x0c207fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c207fff8000: fa fa fa fa fa fa[fa]fa 00 00 00 00 00 00 00 00
  0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c207fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29577==ABORTING
@hroncok hroncok added the bug label Sep 12, 2018
@hroncok
Copy link
Member

hroncok commented Sep 12, 2018

Thanks for the report. I unfortunately won't have time to look at it any time soon.

andreondra added a commit to andreondra/admesh that referenced this issue Mar 17, 2022
… neighbor value check in stl_remove_degenerate. Fixes admesh#28.
andreondra added a commit to andreondra/admesh that referenced this issue Apr 15, 2022
… neighbor value check in stl_remove_degenerate. Fixes admesh#28.
@gladk
Copy link
Contributor

gladk commented May 8, 2022

CVE-2018-25033 is assigned to this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants