Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in /ok-file-formats/ok_csv.c:448 ok_csv_decode2() #5

Closed
Ch4nc3n opened this issue Dec 31, 2018 · 0 comments
Closed

Comments

@Ch4nc3n
Copy link

Ch4nc3n commented Dec 31, 2018

Test Version

dev version, git clone https://github.com/brackeen/ok-file-formats.git

Test Program

#include <stdio.h>
#include "ok_csv.h"

int main(int _argc, char **_argv) {
    FILE *file = fopen(_argv[1], "rb");
    ok_csv *image = ok_csv_read(file);
    fclose(file);
    ok_csv_free(image);
    return 0;
}

$ gcc -o csv_decode csv_decode.c ok_csv.h ok_csv.c

Asan Debug Information

ok-file-formats git:(master) ✗ ./csv_decode-asan ./csv_out/2018-12-31-heap-buffer-overflow.csv 
=================================================================
==83695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff1 at pc 0x00000040e0ae bp 0x7fff4ea94bc0 sp 0x7fff4ea94bb0
WRITE of size 1 at 0x60200000eff1 thread T0
    #0 0x40e0ad in ok_csv_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:448
    #1 0x411baf in ok_csv_decode /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:241
    #2 0x411baf in ok_csv_read /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:177
    #3 0x400d7a in main /home/moonagirl/megic_afl/ok-file-formats/csv_decode.c:6
    #4 0x7f33246cd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x400e88 in _start (/home/moonagirl/megic_afl/ok-file-formats/csv_decode-asan+0x400e88)

0x60200000eff1 is located 0 bytes to the right of 1-byte region [0x60200000eff0,0x60200000eff1)
allocated by thread T0 here:
    #0 0x7f3324b0f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403e82 in ok_csv_decode2 /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:422

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/moonagirl/megic_afl/ok-file-formats/ok_csv.c:448 ok_csv_decode2
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==83695==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/ok-file-formats/2018-12-31-02-heap-buffer-overflow.csv

@Ch4nc3n Ch4nc3n closed this as completed Jan 7, 2019
brackeen added a commit that referenced this issue Jan 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant