AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c #87
Comments
If I'm not mistaken this happens when you try to parse a file with
Sure. Seems you have known this bug.
I didn't know the bug but could figure it from the actual lines of code from the address sanitizer output. If you have other bugs you can submit them here.
As pointed out in #87 plistutil would do a memcmp with a heap buffer without checking the size. If the size is less than 8 it would read beyond the bounds of this heap buffer. This commit prevents that.
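The defect the commit message describes, reconstructed as an added C example: an 8-byte memcmp against a heap buffer whose length was never checked, shown beside the length-checked form. This is not libplist's source or the code of commit 7391a50; the function names (is_binary_plist_unchecked, is_binary_plist_checked, load_exact, classify) and the assumption that the 8-byte compare is against the binary plist magic "bplist00" are mine, and every input is constructed in memory rather than read from a file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Magic header every binary plist starts with ("bplist00"). Assumed here to
 * be the 8-byte value the tool compares against; the commit message only
 * says the compare is 8 bytes long. */
#define BPLIST_MAGIC     "bplist00"
#define BPLIST_MAGIC_LEN 8

/* Vulnerable pattern (hypothetical reconstruction, not libplist's code):
 * memcmp always reads BPLIST_MAGIC_LEN bytes regardless of how many bytes
 * the buffer holds. With a 3-byte heap allocation, as in the ASan report,
 * the compare reads past the end of the region, which ASan flags as a
 * heap-buffer-overflow READ. Never called below; it is here for contrast. */
int is_binary_plist_unchecked(const char *buf, size_t len)
{
    (void)len; /* the buffer length is ignored: this is the defect */
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0;
}

/* Hardened form: refuse to compare unless the buffer holds at least as many
 * bytes as the magic. An input shorter than 8 bytes cannot be a binary plist,
 * so answering "not binary" is both memory-safe and semantically correct. */
int is_binary_plist_checked(const char *buf, size_t len)
{
    if (buf == NULL || len < BPLIST_MAGIC_LEN)
        return 0;
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0;
}

/* Mirrors how a command-line tool typically loads its input: the heap buffer
 * is sized exactly to the input, so a 3-byte input gives a 3-byte region.
 * Here the "file" contents come from memory (constructed sample data). */
char *load_exact(const char *data, size_t len, size_t *out_len)
{
    char *buf = malloc(len ? len : 1); /* malloc(0) is implementation-defined */
    if (!buf)
        return NULL;
    memcpy(buf, data, len);
    *out_len = len;
    return buf;
}

/* Classify a constructed input of `len` bytes with the checked detector.
 * Returns 1 for a binary plist header, 0 otherwise, -1 on allocation failure. */
int classify(const char *data, size_t len)
{
    size_t n = 0;
    char *buf = load_exact(data, len, &n);
    if (!buf)
        return -1;
    int r = is_binary_plist_checked(buf, n);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: a 3-byte file like the one in the ASan report,
     * a 7-byte truncated magic, a real binary plist header, an XML prefix. */
    printf("3-byte input    -> %d\n", classify("abc", 3));
    printf("7-byte 'bplist0' -> %d\n", classify("bplist0", 7));
    printf("bplist00 header -> %d\n", classify("bplist00", 8));
    printf("xml prefix      -> %d\n", classify("<?xml version", 13));
    return 0;
}
```

Building with `-fsanitize=address` and swapping `is_binary_plist_checked` for `is_binary_plist_unchecked` inside `classify` reproduces the report's shape (a READ a few bytes to the right of a 3-byte region); with the checked form the same inputs run clean, which is the regression check worth keeping next to the fix.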
Fixed in master with commit 7391a50
This is CVE-2017-5545
I found a heap-buffer-overflow vulnerability.
Should I submit it here and can it be assigned a CVE ID if validated?
Should I submit poc after the report is closed?
Thanks,
here is the stack trace:
```
==21852== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e007d7 at pc 0x804a78c bp 0xbf815888 sp 0xbf81587c
READ of size 1 at 0xb5e007d7 thread T0
    #0 0x804a78b in main /home/b/asan/libplist/tools/plistutil.c:137
    #1 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #2 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)
0xb5e007d7 is located 4 bytes to the right of 3-byte region [0xb5e007d0,0xb5e007d3)
allocated by thread T0 here:
    #0 0xb6147854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x80497ae in main /home/b/asan/libplist/tools/plistutil.c:132
    #2 0xb5f7fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/tools/plistutil.c:137
```