Heap Buffer-overflow vulnerability in deco.c

[Microsvuln]

There is a heap buffer overflow vulnerability in deco.c and draw_all_deco function which is occurred by parsing an input file.

output :

=================================================================
==10052==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009764 at pc 0x0000003f9189 bp 0x7ffdfb16aa90 sp 0x7ffdfb16aa88
READ of size 4 at 0x629000009764 thread T0
    #0 0x3f9188 in draw_all_deco /home/arash/abcm2ps/deco.c:1384:32
    #1 0x5b760c in output_music /home/arash/abcm2ps/music.c:5120:3
    #2 0x6b7a79 in generate /home/arash/abcm2ps/parse.c:1042:2
    #3 0x645f70 in gen_ly /home/arash/abcm2ps/parse.c:1063:2
    #4 0x645f70 in do_tune /home/arash/abcm2ps/parse.c:3643:2
    #5 0x54a1da in abc_eof /home/arash/abcm2ps/abcparse.c:202:2
    #6 0x54a1da in frontend /home/arash/abcm2ps/front.c:905:2
    #7 0x33549c in treat_file /home/arash/abcm2ps/abcm2ps.c:240:2
    #8 0x339393 in main /home/arash/abcm2ps/abcm2ps.c:1041:3
    #9 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x2868d9 in _start (/home/arash/abcm2ps/abcm2ps.laf.asan+0x2868d9)

0x629000009764 is located 1350 bytes to the right of 16414-byte region [0x629000005200,0x62900000921e)
allocated by thread T0 here:
    #0 0x30094d in malloc (/home/arash/abcm2ps/abcm2ps.laf.asan+0x30094d)
    #1 0x33804d in clrarena /home/arash/abcm2ps/abcm2ps.c:1064:24
    #2 0x33804d in main /home/arash/abcm2ps/abcm2ps.c:687:2
    #3 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arash/abcm2ps/deco.c:1384:32 in draw_all_deco
Shadow bytes around the buggy address:
  0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c527fff92f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==10052==ABORTING

To reproduce :

./abcm2ps poc7

poc7.zip

[moinejf]

I cannot reproduce the problem on my machine ARM 32 bits.
Anyway, there is no relation with the commit 9630392: there is no !trem2! in your source.

[Microsvuln]

Hi.
The Crash is reproducible in x84-64 Ubuntu 18.04, I didn't test it on ARM.

Thanks.

[hkiel]

I cannot reproduce this bug on x64 macOS.

[Microsvuln]

Can you install an Ubuntu version 18.04? unless I can send you a VM which you can test and reproduce on that box.

[moinejf]

I use VoidLinux, so I have the last versions of the GNU tools (gcc (GCC) 10.2.1 20201203).
About a VM, I think that you were talking about a x84-64 system, but I cannot run Intel binaries, even with qemu: my BananaPi M2+ board is too small (clock 700MHz, RAM 1GB).