Out-of-bounds read leads to a program crash. #1

jinyu00 opened this issue Jul 17, 2018 · 0 comments
jinyu00 commented Jul 17, 2018

When loading the poc file with gdb, I saw that it calls the CopyData function to copy file data into a memory buffer. But ap->buf + ap->cur is out of memory, which could lead to a crash.

pwndbg> list 
128	}
129	
130	static void
131	CopyData(Parser_t *ap, unsigned char * to, size_t size)
132	{
133		memcpy(to, ap->buf + ap->cur, size);
134		ap->cur += size;
135		return;
136	}
137	
pwndbg> p/x ap->buf + ap->cur
$6 = 0x3f05320
pwndbg> x/xg 0x3f05320
0x3f05320:	Cannot access memory at address 0x3f05320
pwndbg> bt
#0  CopyData (ap=0x3eed9f0, to=0x3eedc00 "", size=572) at AxmlParser.c:133
#1  0x0000000000429d20 in ParseStringChunk (ap=0x3eed9f0) at AxmlParser.c:252
#2  0x0000000000429508 in AxmlOpen (buffer=0x3ee5280 "\003", size=1868) at AxmlParser.c:329
#3  0x000000000042c1a8 in AxmlToXml (outbuf=0x7fffffffe3b0, outsize=0x7fffffffe3a8, inbuf=0x3ee5280 "\003", insize=1868) at AxmlParser.c:900
#4  0x000000000042de66 in main (argc=2, argv=0x7fffffffe4c8) at main.c:68
#5  0x00007ffff6ee5830 in __libc_start_main (main=0x42da80 <main>, argc=2, argv=0x7fffffffe4c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4b8) at ../csu/libc-start.c:291
#6  0x0000000000403e69 in _start ()
pwndbg> 

The poc and the binary:

https://gitee.com/hac425/fuzz_data/blob/master/axml_binary_pocs.rar
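The crash above comes from CopyData trusting a chunk-supplied length without checking it against the remaining input. The following is an added example, not code from this issue or from the AxmlParser project, showing the unchecked routine next to a bounds-checked replacement. It assumes a reduced Parser_t with a `size` field holding the total input length (the real struct exposes at least `buf` and `cur`; the `size` field and the `try_copy`/`cursor_after` helpers are assumptions for this demonstration), and the 16-byte input is constructed to stand in for a truncated file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reduced parser state. The real Parser_t in AxmlParser.c has at
 * least buf and cur (see the gdb listing); the total-length field `size` is
 * an assumption added here so that reads can be bounded. */
typedef struct {
    const unsigned char *buf; /* start of the in-memory AXML file */
    size_t cur;               /* read cursor, offset into buf */
    size_t size;              /* total bytes available in buf (assumed field) */
} Parser_t;

/* Unchecked copy, mirroring the listing at AxmlParser.c:133: if cur + size
 * exceeds the input length, memcpy reads past the end of buf and, as in the
 * report, may touch an unmapped page. */
void CopyDataUnchecked(Parser_t *ap, unsigned char *to, size_t size)
{
    memcpy(to, ap->buf + ap->cur, size);
    ap->cur += size;
}

/* Bounds-checked variant: refuses the copy unless the whole requested range
 * lies inside the input. `size > ap->size - ap->cur` is the overflow-safe form
 * of the check (no wrap-around in `ap->cur + size`). Returns false on a
 * rejected read so callers such as ParseStringChunk can abort on a malformed
 * file instead of crashing. */
bool CopyDataChecked(Parser_t *ap, unsigned char *to, size_t size)
{
    if (ap->cur > ap->size || size > ap->size - ap->cur)
        return false;
    memcpy(to, ap->buf + ap->cur, size);
    ap->cur += size;
    return true;
}

/* Constructed sample input: 16 bytes standing in for a truncated AXML file. */
static const unsigned char sample_input[16] = {
    0x03, 0x00, 0x08, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x1c, 0x00, 0x20, 0x00, 0x00, 0x00
};

/* Hypothetical helper: try to copy `want` bytes starting at offset `start`
 * from the sample input into `out` (which must hold `want` bytes). Reports
 * whether the checked reader accepted the request. */
bool try_copy(size_t start, size_t want, unsigned char *out)
{
    Parser_t ap = { sample_input, start, sizeof sample_input };
    return CopyDataChecked(&ap, out, want);
}

/* Hypothetical helper: cursor position after a successful checked copy, or
 * SIZE_MAX if the copy was rejected (or would not fit the scratch buffer). */
size_t cursor_after(size_t start, size_t want)
{
    unsigned char scratch[64];
    Parser_t ap = { sample_input, start, sizeof sample_input };
    if (want > sizeof scratch || !CopyDataChecked(&ap, scratch, want))
        return SIZE_MAX;
    return ap.cur;
}
```

The checked version is the shape of fix a maintainer would apply: every length that comes from the file (here the 572-byte string-chunk copy in the backtrace) is compared against the bytes actually remaining before any memcpy, and a parse failure is returned instead of reading past the buffer.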