New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ASan stack-based buffer overflow compileTranslationTable.c in 1130 in parseChars #595

Closed
fgeek opened this Issue Jun 5, 2018 · 0 comments

Comments

Projects
None yet
2 participants
@fgeek

fgeek commented Jun 5, 2018

4c8ecb4f49e783c3fff70b43869dda30351b5084.zip
Tested commit: 15635b4
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

cat 4c8ecb4f49e783c3fff70b43869dda30351b5084|./lou_translate en-us-g2.ctb
<snip>
==29109==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdefd0a862 at pc 0x7fccb369de19 bp 0x7ffdefd08780 sp 0x7ffdefd08778
WRITE of size 2 at 0x7ffdefd0a862 thread T0
    #0 0x7fccb369de18 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1130
    #1 0x7fccb36d4260 in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1176
    #2 0x56114ed04f31 in translate_input /home/hsalo/src/liblouis/tools/lou_translate.c:71
    #3 0x56114ed0455d in main /home/hsalo/src/liblouis/tools/lou_translate.c:199
    #4 0x7fccb330c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x56114ed047d9 in _start (/home/hsalo/builds/liblouis/15635b4769252c113765c9562c558fef27e4df22/bin/lou_translate+0x27d9)

Address 0x7ffdefd0a862 is located in stack of thread T0 at offset 8290 in frame
    #0 0x7fccb36d3ccf in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1168

  This frame has 2 object(s):
    [32, 4130) 'wideIn'
    [4192, 8290) 'result' <== Memory access at offset 8290 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1130 in parseChars
Shadow bytes around the buggy address:
  0x10003df994b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df994f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003df99500: 00 00 00 00 00 00 00 00 00 00 00 00[02]f4 f4 f4
  0x10003df99510: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003df99550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29109==ABORTING

@egli egli added the buffer overflow label Jun 6, 2018

@egli egli closed this in dbfa58b Jun 6, 2018

@egli egli added this to the 3.7 milestone Jun 6, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment