You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While fuzzing milkytracker with American Fuzzy Lop, I found a heap-based buffer overflow in XMFile::read(), in XMFile.cpp L404.
Attaching a reproducer (gzipped so GitHub accepts it): test03.s3m.gz
Issue can be reproduced by running:
milkytracker test03.s3m
=================================================================
==5728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001b004 at pc 0x000000498042 bp 0x7fff46931ba0 sp 0x7fff46931348
WRITE of size 28 at 0x63300001b004 thread T0
#0 0x498041 in __interceptor_fread /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16
#1 0x94a046 in XMFile::read(void*, int, int) /home/fcambus/milkytracker/src/milkyplay/XMFile.cpp:404:36
#2 0xa07c4e in LoaderS3M::load(XMFileBase&, XModule*) /home/fcambus/milkytracker/src/milkyplay/LoaderS3M.cpp:545:7
#3 0x95d324 in XModule::loadModule(XMFileBase&, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1976:40
#4 0x95cd03 in XModule::loadModule(char const*, bool) /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1954:22
#5 0x5b2849 in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:668:27
#6 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
#7 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
#8 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
#9 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
#10 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
#11 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
#12 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
#13 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
#14 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)
0x63300001b004 is located 4 bytes to the right of 108544-byte region [0x633000000800,0x63300001b000)
allocated by thread T0 here:
#0 0x556652 in operator new[](unsigned long) (/home/fcambus/milkytracker/milkytracker+0x556652)
#1 0x95bcf8 in XModule::XModule() /home/fcambus/milkytracker/src/milkyplay/XModule.cpp:1875:10
#2 0x5aa04d in ModuleEditor::ModuleEditor() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:126:15
#3 0x78b706 in TabManager::createModuleEditor() /home/fcambus/milkytracker/src/tracker/TabManager.cpp:81:35
#4 0x7944f3 in Tracker::Tracker() /home/fcambus/milkytracker/src/tracker/Tracker.cpp:160:29
#5 0x81aaa3 in initTracker(unsigned int, PPDisplayDevice::Orientations, bool, bool) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:805:18
#6 0x81c8a7 in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:960:2
#7 0x7f7ce2c5db6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1001:16 in __interceptor_fread
Shadow bytes around the buggy address:
0x0c667fffb5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb600:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==5728==ABORTING
The text was updated successfully, but these errors were encountered:
Hi,
While fuzzing milkytracker with American Fuzzy Lop, I found a heap-based buffer overflow in XMFile::read(), in XMFile.cpp L404.
Attaching a reproducer (gzipped so GitHub accepts it): test03.s3m.gz
Issue can be reproduced by running:
The text was updated successfully, but these errors were encountered: