Skip to content
This repository was archived by the owner on Jun 4, 2022. It is now read-only.
This repository was archived by the owner on Jun 4, 2022. It is now read-only.

global-buffer-overflow in /lib/support/unicodeconv/unicodeconv.c:40:2 #59

Closed
@zzcentury

Description

@zzcentury

Test Version

dev version, git clone https://github.com/caryll/otfcc.git

Test Program

otfcc/bin/release-x64/otfccdump [infile]

Asan Debug Information

release-x64 git:(master) ✗ ./otfccdump ../../../crashes_1/2018-12-30-01-global-buffer-overflow.otf   
=================================================================
==46365==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000008be881 at pc 0x0000004582e5 bp 0x7fff894427d0 sp 0x7fff89441f80
READ of size 95 at 0x0000008be881 thread T0
    #0 0x4582e4  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4)
    #1 0x86c0c1  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x86c0c1)
    #2 0x844322  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x844322)
    #3 0x68c74d  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x68c74d)
    #4 0x4fb6ec  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4fb6ec)
    #5 0x4eb79f  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4eb79f)
    #6 0x7f893917c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x418c88  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x418c88)

0x0000008be881 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x8be880) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4) 
Shadow bytes around the buggy address:
  0x00008010fcc0: 00 00 00 06 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x00008010fcd0: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fce0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
  0x00008010fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008010fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008010fd10:[01]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fd20: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd30: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008010fd40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008010fd50: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd60: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==46365==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/otfcc/2018-12-30-01-global-buffer-overflow.otf/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions