Closed
Description
Hi,
While fuzzing milkytracker with American Fuzzy Lop, I found a heap-based buffer overflow in XMFile::read(), in XMFile.cpp L404.
Attaching a reproducer (gzipped so GitHub accepts it): test03.s3m.gz
The issue can be reproduced by running:
milkytracker test03.s3m
=================================================================
==5728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001b004 at pc 0x000000498042 bp 0x7fff46931ba0 sp 0x7fff46931348
WRITE of size 28 at 0x63300001b004 thread T0
#0 0x498041 in __interceptor_fread /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16
#1 0x94a046 in XMFile::read(void*, int, int) /home/fcambus/milkytracker/src/milkyplay/XMFile.cpp:404:36
#2 0xa07c4e in LoaderS3M::load(XMFileBase&, XModule*) /home/fcambus/milkytracker/src/milkyplay/LoaderS3M.cpp:545:7
#3 0x95d324 in XModule::loadModule(XMFileBase&, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1976:40
#4 0x95cd03 in XModule::loadModule(char const*, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1954:22
#5 0x5b2849 in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:668:27
#6 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
#7 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
#8 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
#9 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
#10 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
#11 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
#12 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
#13 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
#14 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)
0x63300001b004 is located 4 bytes to the right of 108544-byte region [0x633000000800,0x63300001b000)
allocated by thread T0 here:
#0 0x556652 in operator new[](unsigned long) (/home/fcambus/milkytracker/milkytracker+0x556652)
#1 0x95bcf8 in XModule::XModule() /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1875:10
#2 0x5aa04d in ModuleEditor::ModuleEditor() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:126:15
#3 0x78b706 in TabManager::createModuleEditor() /home/fcambus/milkytracker/src/tracker/TabManager.cpp:81:35
#4 0x7944f3 in Tracker::Tracker() /home/fcambus/milkytracker/src/tracker/Tracker.cpp:160:29
#5 0x81aaa3 in initTracker(unsigned int, PPDisplayDevice::Orientations, bool, bool) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:805:18
#6 0x81c8a7 in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:960:2
#7 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16 in __interceptor_fread
Shadow bytes around the buggy address:
0x0c667fffb5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb600:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==5728==ABORTING
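The trace above shows the classic shape of this bug class: a loader takes a count or length from the file header and passes a destination pointer and length down to a thin fread() wrapper that has no idea how large the destination heap region is, so a file that declares more records than the buffer holds writes just past its end (here, 28 bytes starting 4 bytes beyond a 108544-byte region). The following is an added example, not MilkyTracker's code, of the pattern and its fix: a read helper that is told the destination capacity and rejects any request that does not fit, and a loader that fails the whole file rather than trusting the header count. The record size (28), the buffer capacity (112), the one-byte header format, the fmemopen-backed in-memory file image and all function names are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a loader that reads a file-supplied count of
 * fixed-size records into a fixed-capacity heap buffer. Both constants
 * are assumptions chosen so the buffer holds exactly 4 records. */
#define RECORD_SIZE     28u
#define BUFFER_CAPACITY 112u

/* The shape reported in the issue: a wrapper around fread() that knows the
 * requested length but not the destination's capacity. A caller that derives
 * 'offset' or 'len' from the file can push the write past the end of 'dst'.
 * Kept here only for contrast; it is never called in this example. */
int unchecked_read(FILE *f, uint8_t *dst, size_t offset, size_t len) {
    return fread(dst + offset, 1, len, f) == len ? 0 : -1;
}

/* Hardened form: the caller passes the destination capacity and the helper
 * refuses any request that would not fit. The comparison is written without
 * computing offset + len so it cannot itself wrap around. */
int bounded_read(FILE *f, uint8_t *dst, size_t dst_cap, size_t offset, size_t len) {
    if (offset > dst_cap || len > dst_cap - offset)
        return -1;                        /* would overflow the destination */
    return fread(dst + offset, 1, len, f) == len ? 0 : -1;   /* -1 on short read */
}

/* Assumed file format: one byte 'count' followed by count * RECORD_SIZE bytes.
 * Returns the number of records loaded, or -1 if the file asks for more than
 * the buffer holds or is truncated (the whole file is rejected, not partially
 * trusted). */
int load_records(const uint8_t *file, size_t file_len, uint8_t *dst, size_t dst_cap) {
    FILE *f = fmemopen((void *)file, file_len, "r");
    if (!f)
        return -1;
    uint8_t count;
    if (fread(&count, 1, 1, f) != 1) {
        fclose(f);
        return -1;
    }
    int loaded = 0;
    for (unsigned i = 0; i < count; i++) {
        if (bounded_read(f, dst, dst_cap, (size_t)i * RECORD_SIZE, RECORD_SIZE) != 0) {
            fclose(f);
            return -1;
        }
        loaded++;
    }
    fclose(f);
    return loaded;
}

/* Builds a constructed file image whose header claims 'count' records but whose
 * payload actually contains 'payload_records', loads it into a fresh buffer of
 * BUFFER_CAPACITY bytes and returns load_records()' result (-2 on malloc failure). */
int load_case(uint8_t count, size_t payload_records) {
    size_t file_len = 1 + payload_records * RECORD_SIZE;
    uint8_t *file = malloc(file_len);
    if (!file)
        return -2;
    file[0] = count;
    memset(file + 1, 0xAB, file_len - 1);           /* dummy record bytes */
    uint8_t *dst = malloc(BUFFER_CAPACITY);
    if (!dst) {
        free(file);
        return -2;
    }
    int rc = load_records(file, file_len, dst, BUFFER_CAPACITY);
    free(dst);
    free(file);
    return rc;
}

int main(void) {
    printf("4 records, fits exactly:        %d\n", load_case(4, 4));  /* 4  */
    printf("5 records, one past capacity:   %d\n", load_case(5, 5));  /* -1 */
    printf("header says 2, file holds 1:    %d\n", load_case(2, 1));  /* -1 */
    printf("empty module:                   %d\n", load_case(0, 0));  /* 0  */
    return 0;
}
```

The fifth record in the second case would start exactly at the end of the buffer, which is the position the ASan report above describes; with the capacity check it is rejected before fread() touches the redzone. Running the same loader under AddressSanitizer, as the reporter did, is the cheapest way to confirm a fix of this kind actually closes the write.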