segmentation fault at line 454 in SFileGetFileInfo.cpp #344

Closed
gabe-sherman opened this issue Apr 20, 2024 · 1 comment
@gabe-sherman

A segmentation fault occurs in the below program upon a malformed input. This behavior occurs at line 454 in SFileGetFileInfo.cpp.

#include "StormLib.h"
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint8_t  u8;
typedef uint32_t u32;

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <poc-path>\n", argv[0]);
        return 1;
    }

    /* Write the two-byte malformed input to the path given as argv[1]. */
    u8 file_buf[] = { 181, 0 };
    FILE *f = fopen(argv[1], "wb");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(file_buf, sizeof file_buf, 1, f);
    fclose(f);

    /* Open the just-written file as a local file, with no MPQ archive handle.
       dwSearchScope 0xFFFFFFFF is StormLib's SFILE_OPEN_LOCAL_FILE. */
    void *hMpq = NULL;
    void *hFile = NULL;
    u32 dwSearchScope = 0xFFFFFFFF;
    if (!SFileOpenFileEx(hMpq, argv[1], dwSearchScope, &hFile))
        return 1;

    /* Query info class 55 with a NULL output buffer, a zero buffer size and a
       NULL pcbLengthNeeded pointer; this is the call that faults. */
    enum _SFileInfoClass InfoClass = (enum _SFileInfoClass)55;
    void *pvFileInfo = NULL;
    u32 cbFileInfo = 0;
    u32 *pcbLengthNeeded = NULL;
    if (!SFileGetFileInfo(hFile, InfoClass, pvFileInfo, cbFileInfo, pcbLengthNeeded))
        return 1;

    /* Original harness target; not reached when the crash reproduces. */
    void *pvData = NULL;
    u32 dwSize = 254;
    u32 dwCompression = 11;
    SFileWriteFile(hFile, pvData, dwSize, dwCompression);
    return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 6052223

POC File

https://github.com/FuturesLab/POC/blob/main/storm/hop-poc10

Address Sanitizer Output

=================================================================
==3050407==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x5555557c6798 bp 0x7fffffffd6f0 sp 0x7fffffffcae0 T0)
==3050407==The signal is caused by a READ memory access.
==3050407==Hint: address points to the zero page.
    #0 0x5555557c6798 in SFileGetFileInfo /home/gabesherman/harness_test/AutoHarn-Evaluation/storm/lib_asan/src/SFileGetFileInfo.cpp:454:28
    #1 0x5555557b03de in main /home/gabesherman/harness_test/AutoHarn-Results/storm/hopper-10/reproducer.c:42:14
    #2 0x7ffff7029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7ffff7029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x5555556f24b4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/storm/hopper-10/reproducer+0x19e4b4) (BuildId: b98f852475741db716e37e59567707e9d96dcf7a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabesherman/harness_test/AutoHarn-Evaluation/storm/lib_asan/src/SFileGetFileInfo.cpp:454:28 in SFileGetFileInfo
==3050407==ABORTING
ladislav-zezula added a commit that referenced this issue Apr 21, 2024
@ladislav-zezula (Owner)

Fixed in 0f8c306.
