Hi,
While fuzzing milkytracker with American Fuzzy Lop, I found a stack-based buffer overflow in LoaderXM::load(), in LoaderXM.cpp L646.
Attaching a reproducer (gzipped so GitHub accepts it): test02.xm.gz
Issue can be reproduced by running:
```
milkytracker test02.xm
```

```
=================================================================
==5561==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff47f9e510 at pc 0x000000a23468 bp 0x7fff47f9e230 sp 0x7fff47f9e228
WRITE of size 4 at 0x7fff47f9e510 thread T0
    #0 0xa23467 in LoaderXM::load(XMFileBase&, XModule*) /home/fcambus/milkytracker/src/milkyplay/LoaderXM.cpp:646:19
    #1 0x95d324 in XModule::loadModule(XMFileBase&, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1976:40
    #2 0x95cd03 in XModule::loadModule(char const*, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1954:22
    #3 0x5b2849 in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:668:27
    #4 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
    #5 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
    #6 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
    #7 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
    #8 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
    #9 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
    #10 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
    #11 0x7f51856b0b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #12 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)

Address 0x7fff47f9e510 is located in stack of thread T0 at offset 720 in frame
    #0 0xa1a9bf in LoaderXM::load(XMFileBase&, XModule*) /home/fcambus/milkytracker/src/milkyplay/LoaderXM.cpp:64

  This frame has 13 object(s):
    [32, 262) 'insData' (line 65)
    [336, 720) 'smpReloc' (line 66) <== Memory access at offset 720 overflows this variable
    [784, 880) 'nbu' (line 67)
    [912, 914) 'numSamples' (line 144)
    [928, 1960) 'venv' (line 175)
    [2096, 3128) 'penv' (line 176)
    [3264, 3294) 'line' (line 265)
    [3328, 3333) 'slot' (line 365)
    [3360, 3389) 'buffer769' (line 481)
    [3424, 4456) 'venv861' (line 538)
    [4592, 5624) 'penv862' (line 539)
    [5760, 5790) 'line1086' (line 631)
    [5824, 5828) 'buffer1564' (line 832)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fcambus/milkytracker/src/milkyplay/LoaderXM.cpp:646:19 in LoaderXM::load(XMFileBase&, XModule*)
Shadow bytes around the buggy address:
  0x100068febc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068febc60: 00 00 00 00 00 00 00 00 06 f2 f2 f2 f2 f2 f2 f2
  0x100068febc70: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068febc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100068febc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100068febca0: 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100068febcb0: 00 00 00 00 00 00 f2 f2 f2 f2 f8 f2 f8 f8 f8 f8
  0x100068febcc0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100068febcd0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100068febce0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100068febcf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5561==ABORTING
```
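The frame layout in the report above says the write lands at offset 720, one 4-byte entry past the 384-byte `smpReloc` table (96 entries; the neighbouring `nbu` holds 96 bytes). That is the shape of a file-controlled count indexing a fixed-size stack array. The following C program is an added illustration of that bug class and the bounds checks that close it; it is not milkytracker's `LoaderXM.cpp`, and the record format it parses (a 16-bit sample count followed by one 32-bit length per sample) is a constructed simplification, not the real XM instrument header. Only the array sizes are taken from the ASan frame layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes mirror the ASan frame layout: smpReloc is 96 four-byte entries.
   Everything else here is a constructed illustration, not milkytracker code. */
#define MAX_INSTRUMENT_SAMPLES 96

enum {
    LOAD_OK = 0,
    LOAD_ERR_TRUNCATED = 1,        /* record shorter than its own count implies */
    LOAD_ERR_TOO_MANY_SAMPLES = 2, /* count exceeds the fixed table size       */
    LOAD_ERR_LENGTH_OVERFLOW = 3   /* summed sample lengths would wrap uint32  */
};

static uint32_t read_u16le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loop. The unchecked shape of this loop is
       for (i = 0; i < numSamples; i++) smpReloc[i] = offset, offset += len[i];
   with numSamples taken straight from the file: a count of 97 makes the
   97th store land one entry past the table, i.e. a 4-byte write at offset
   720 as ASan reports above. Three checks fix that: the count must fit the
   table, the record must be long enough for the count, and the running sum
   must not wrap. On success the first n_out entries of reloc_out (capacity
   MAX_INSTRUMENT_SAMPLES) hold each sample's start offset. */
static int relocate_samples(const uint8_t *rec, size_t len,
                            uint32_t *reloc_out, uint32_t *n_out,
                            uint32_t *total_out)
{
    if (len < 2)
        return LOAD_ERR_TRUNCATED;
    uint32_t numSamples = read_u16le(rec);
    if (numSamples > MAX_INSTRUMENT_SAMPLES)     /* the check the bug lacked */
        return LOAD_ERR_TOO_MANY_SAMPLES;
    if (len < 2 + (size_t)numSamples * 4)
        return LOAD_ERR_TRUNCATED;

    uint32_t offset = 0;
    for (uint32_t i = 0; i < numSamples; i++) {  /* i < 96 is now guaranteed */
        uint32_t sample_len = read_u32le(rec + 2 + i * 4);
        reloc_out[i] = offset;                   /* start of sample i in the blob */
        if (sample_len > UINT32_MAX - offset)    /* sum would wrap */
            return LOAD_ERR_LENGTH_OVERFLOW;
        offset += sample_len;
    }
    *n_out = numSamples;
    *total_out = offset;
    return LOAD_OK;
}

/* Constructed records (not taken from test02.xm). */
static const uint8_t REC_GOOD[] = { 3, 0, 10,0,0,0, 20,0,0,0, 30,0,0,0 };
static const uint8_t REC_OVERSIZED[2 + 97 * 4] = { 97, 0 };  /* count 97, zero lengths */
static const uint8_t REC_TRUNCATED[] = { 3, 0, 10,0,0,0, 20,0,0,0 }; /* promises 3, has 2 */
static const uint8_t REC_WRAP[] = { 2, 0, 0xff,0xff,0xff,0xff, 1,0,0,0 };

/* Small wrappers so callers get just the status or one result value. */
static int load_status(const uint8_t *rec, size_t len)
{
    uint32_t reloc[MAX_INSTRUMENT_SAMPLES], n, total;
    return relocate_samples(rec, len, reloc, &n, &total);
}

static uint32_t good_total(void)
{
    uint32_t reloc[MAX_INSTRUMENT_SAMPLES], n, total = 0;
    relocate_samples(REC_GOOD, sizeof REC_GOOD, reloc, &n, &total);
    return total;
}

static uint32_t good_reloc(uint32_t i)
{
    uint32_t reloc[MAX_INSTRUMENT_SAMPLES] = {0}, n, total;
    relocate_samples(REC_GOOD, sizeof REC_GOOD, reloc, &n, &total);
    return i < MAX_INSTRUMENT_SAMPLES ? reloc[i] : 0;
}

int main(void)
{
    printf("good:      status %d, total %u, reloc[2] %u\n",
           load_status(REC_GOOD, sizeof REC_GOOD),
           (unsigned)good_total(), (unsigned)good_reloc(2));
    printf("oversized: status %d\n", load_status(REC_OVERSIZED, sizeof REC_OVERSIZED));
    printf("truncated: status %d\n", load_status(REC_TRUNCATED, sizeof REC_TRUNCATED));
    printf("wrap:      status %d\n", load_status(REC_WRAP, sizeof REC_WRAP));
    return 0;
}
```

The point of returning distinct error codes rather than clamping the count is that the caller can refuse the whole module; silently truncating to 96 would hide a malformed file and keep later offsets inconsistent with the sample data that follows.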
Fixes for buffer overflow issues #182 & #183
ea7772a
This issue got assigned CVE-2019-14496.