stack-buffer-overflow in S_parser_feed (src/blocks.c:583) #184

Closed
geeknik opened this Issue Jan 20, 2017 · 0 comments


geeknik commented Jan 20, 2017

While fuzzing the latest git source with AFL, I was able to trigger a stack-buffer-overflow in S_parser_feed (src/blocks.c:583).

./cmark test000

==20707==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe598a6fc0 at pc 0x0000004cb408 bp 0x7ffe598a5ec0 sp 0x7ffe598a5eb8
READ of size 1 at 0x7ffe598a6fc0 thread T0
    #0 0x4cb407 in S_parser_feed /root/upstream-cmark/src/blocks.c:583:13
    #1 0x56cdc6 in main /root/upstream-cmark/src/main.c:162:7
    #2 0x7f30005d2b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #3 0x4bfa4c in _start (/root/upstream-cmark/build/src/cmark+0x4bfa4c)

Address 0x7ffe598a6fc0 is located in stack of thread T0 at offset 4128 in frame
    #0 0x56bf9f in main /root/upstream-cmark/src/main.c:68

  This frame has 2 object(s):
    [32, 4128) 'buffer' <== Memory access at offset 4128 overflows this variable
    [4256, 4264) 'unparsed'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/upstream-cmark/src/blocks.c:583 S_parser_feed
Shadow bytes around the buggy address:
  0x10004b30cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004b30cdf0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x10004b30ce00: f2 f2 f2 f2 f2 f2 f2 f2 00 f3 f3 f3 00 00 00 00
  0x10004b30ce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==20707==ABORTING
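The report shows a one-byte READ exactly at the end of main()'s 4096-byte 'buffer' (offset 4128 of an object spanning [32, 4128)), which is the signature of a lookahead that runs one byte past the chunk the parser was handed. The C snippet below is an added illustration of that bug class beside its bounded form; it is a constructed example, not cmark's S_parser_feed, and the names line_parser, feed_unsafe, feed_safe and count_lines_chunked are invented for it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* State carried across chunks so a "\r\n" split at a chunk boundary still counts once. */
typedef struct { size_t lines; bool pending_cr; } line_parser;

/* Bug class from the report: after a '\r' the loop peeks at buf[i + 1] without
 * checking i + 1 < len, so a chunk ending in '\r' reads one byte past the object,
 * matching ASan's READ of size 1 at offset 4128 of the 4096-byte 'buffer'. */
static void feed_unsafe(line_parser *p, const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            p->lines++;
        } else if (buf[i] == '\r') {
            p->lines++;
            if (buf[i + 1] == '\n') /* BUG: unbounded lookahead */
                i++;
        }
    }
}

/* Hardened: the lookahead is bounded by len, and a trailing '\r' is remembered
 * so a '\n' opening the next chunk is not counted as a second line ending. */
static void feed_safe(line_parser *p, const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        bool after_cr = p->pending_cr; /* true only for a chunk's first byte */
        p->pending_cr = false;
        if (buf[i] == '\n') {
            if (!after_cr)             /* else it completes a split "\r\n" */
                p->lines++;
        } else if (buf[i] == '\r') {
            p->lines++;
            if (i + 1 < len && buf[i + 1] == '\n')
                i++;                   /* whole pair inside this chunk */
            else if (i + 1 == len)
                p->pending_cr = true;  /* '\r' is the chunk's last byte */
        }
    }
}

/* Feed input through feed_safe in fixed-size chunks, like a read() loop. */
static size_t count_lines_chunked(const char *input, size_t chunk) {
    line_parser p = {0, false};
    size_t n = strlen(input);
    for (size_t off = 0; off < n; off += chunk) {
        size_t len = n - off < chunk ? n - off : chunk;
        feed_safe(&p, input + off, len);
    }
    return p.lines;
}
```

Compiled with -fsanitize=address and fed a chunk whose last byte is '\r', feed_unsafe reports the same one-byte read past the buffer that the issue shows, while feed_safe gives the same line count for any chunk size.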

jgm closed this in 664b860 Jan 20, 2017
