Closed
Description
4c8ecb4f49e783c3fff70b43869dda30351b5084.zip
Tested commit: 15635b4
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.
```text
cat 4c8ecb4f49e783c3fff70b43869dda30351b5084|./lou_translate en-us-g2.ctb
<snip>
==29109==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdefd0a862 at pc 0x7fccb369de19 bp 0x7ffdefd08780 sp 0x7ffdefd08778
WRITE of size 2 at 0x7ffdefd0a862 thread T0
    #0 0x7fccb369de18 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1130
    #1 0x7fccb36d4260 in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1176
    #2 0x56114ed04f31 in translate_input /home/hsalo/src/liblouis/tools/lou_translate.c:71
    #3 0x56114ed0455d in main /home/hsalo/src/liblouis/tools/lou_translate.c:199
    #4 0x7fccb330c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x56114ed047d9 in _start (/home/hsalo/builds/liblouis/15635b4769252c113765c9562c558fef27e4df22/bin/lou_translate+0x27d9)

Address 0x7ffdefd0a862 is located in stack of thread T0 at offset 8290 in frame
    #0 0x7fccb36d3ccf in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1168

  This frame has 2 object(s):
    [32, 4130) 'wideIn'
    [4192, 8290) 'result' <== Memory access at offset 8290 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1130 in parseChars
Shadow bytes around the buggy address:
  0x10003df994b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003df99500: 00 00 00 00 00 00 00 00 00 00 00 00[02]f4 f4 f4
  0x10003df99510: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29109==ABORTING
```