CVE-2017-14731: ofxdump heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*)

[fgeek]

Hello,

Fuzzed with: afl-2.49, afl-utils
Credit: Henri Salo from Nixu Corporation
Notes: Thanks to Kapsi internet-käyttäjät ry for providing fuzzing resources.

You can create the reproducer with:

python3 -c "import binascii;print(binascii.unhexlify('3c4f46583e').decode('ascii'))" > char_traits-heap-buffer-overflow.ofx

And run it with ofxdump:

./bin/ofxdump char_traits-heap-buffer-overflow.ofx

LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
(Above message occurred on Line 18446744073709551615, Column 18446744073709551615)
LibOFX INFO: libofx_proc_file(): Detected file format: OFX (Open Financial eXchange (OFX or QFX))
(Above message occurred on Line 18446744073709551615, Column 18446744073709551615)
=================================================================
==14513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef71 at pc 0x7fac88506b4e bp 0x7ffdbe1202e0 sp 0x7ffdbe1202d8
READ of size 1 at 0x60200000ef71 thread T0
    #0 0x7fac88506b4d in std::char_traits<char>::length(char const*) /usr/include/c++/4.9/bits/char_traits.h:263
    #1 0x7fac88506b4d in std::string::assign(char const*) /usr/include/c++/4.9/bits/basic_string.h:1149
    #2 0x7fac88506b4d in std::string::operator=(char const*) /usr/include/c++/4.9/bits/basic_string.h:563
    #3 0x7fac88506b4d in ofx_proc_file(void*, char const*) /home/afl/src/libofx/lib/ofx_preproc.cpp:326
    #4 0x7fac884f4a82 in libofx_proc_file /home/afl/src/libofx/lib/file_preproc.cpp:94
    #5 0x402923 in main /home/afl/src/libofx/ofxdump/ofxdump.cpp:491
    #6 0x7fac87929b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x402dac (/home/afl/builds/libofx/2017-09-20/bin/ofxdump+0x402dac)

0x60200000ef71 is located 0 bytes to the right of 1-byte region [0x60200000ef70,0x60200000ef71)
allocated by thread T0 here:
    #0 0x7fac8881173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7fac88500737 in ofx_proc_file(void*, char const*) /home/afl/src/libofx/lib/ofx_preproc.cpp:311
    #2 0x7ffdbe1215bf ([stack]+0x1f5bf)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*)
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9df0: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 00 03
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==14513==ABORTING

[alteholz]

Are there any news available for this issue?

[cstim]

On my system the input file doesn't run into problems, neither with plain starting nor with valgrind. This is from git, c426e22 (released as version 0.9.12). I've committed fad8418 which should avoid some of the problems, but since I can't reproduce orgiinally, I also don't know whether this fixed anything.

[fgeek]

@cstim fad8418 commit fixes this issue, thank you.