Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack-buffer-overflow in S_parser_feed (src/blocks.c:583) #184

Closed
geeknik opened this issue Jan 20, 2017 · 0 comments
Closed

stack-buffer-overflow in S_parser_feed (src/blocks.c:583) #184

geeknik opened this issue Jan 20, 2017 · 0 comments

Comments

@geeknik
Copy link

@geeknik geeknik commented Jan 20, 2017

While fuzzing the latest git source with AFL I was able to trigger a stack-buffer-overflow in S_parser_feed (src/blocks.c:583).

./cmark test000

==20707==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe598a6fc0 at pc 0x0000004cb408 bp 0x7ffe598a5ec0 sp 0x7ffe598a5eb8
READ of size 1 at 0x7ffe598a6fc0 thread T0
    #0 0x4cb407 in S_parser_feed /root/upstream-cmark/src/blocks.c:583:13
    #1 0x56cdc6 in main /root/upstream-cmark/src/main.c:162:7
    #2 0x7f30005d2b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #3 0x4bfa4c in _start (/root/upstream-cmark/build/src/cmark+0x4bfa4c)

Address 0x7ffe598a6fc0 is located in stack of thread T0 at offset 4128 in frame
    #0 0x56bf9f in main /root/upstream-cmark/src/main.c:68

  This frame has 2 object(s):
    [32, 4128) 'buffer' <== Memory access at offset 4128 overflows this variable
    [4256, 4264) 'unparsed'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/upstream-cmark/src/blocks.c:583 S_parser_feed
Shadow bytes around the buggy address:
  0x10004b30cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30cde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004b30cdf0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x10004b30ce00: f2 f2 f2 f2 f2 f2 f2 f2 00 f3 f3 f3 00 00 00 00
  0x10004b30ce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004b30ce40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==20707==ABORTING
@jgm jgm closed this in 664b860 Jan 20, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant