=================================================================
==59598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000004dc at pc 0x0000004c2b5b bp 0x7fffffffd890 sp 0x7fffffffd888
READ of size 1 at 0x6190000004dc thread T0
#0 0x4c2b5a (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4c2b5a)
#1 0x4e13c0 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e13c0)
#2 0x4d71a2 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4d71a2)
#3 0x4e1b28 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1b28)
#4 0x7ffff6e24b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x41ad49 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x41ad49)
0x6190000004dc is located 4 bytes to the right of 1112-byte region [0x619000000080,0x6190000004d8)
allocated by thread T0 here:
#0 0x492c4d (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x492c4d)
#1 0x4e1ac8 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1ac8)
#2 0x7ffff6e24b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4c2b5a)
Shadow bytes around the buggy address:
0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==59598==ABORTING
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x73be28 --> 0x0
RCX: 0x7ffff6e41e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffc8d0 --> 0x0
RDI: 0x2
RBP: 0x7fffffffd860 --> 0x7fffffffd890 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 --> 0x7fffffffe340 (--> ...)
RSP: 0x7fffffffc8d0 --> 0x0
RIP: 0x7ffff6e41e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffc8d0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffd890 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 --> 0x7fffffffe340 --> 0x4f3870 (<__libc_csu_init>: push r15)
R13: 0x7fffffffd888 --> 0x7fff00000070
R14: 0x7fffffffd830 --> 0x6190000001ef --> 0x3e00070002000000
R15: 0x7ce288 --> 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6e41e8b <__GI_raise+187>: mov edi,0x2
0x7ffff6e41e90 <__GI_raise+192>: mov eax,0xe
0x7ffff6e41e95 <__GI_raise+197>: syscall
=> 0x7ffff6e41e97 <__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108]
0x7ffff6e41e9f <__GI_raise+207>: xor rcx,QWORD PTR fs:0x28
0x7ffff6e41ea8 <__GI_raise+216>: mov eax,r8d
0x7ffff6e41eab <__GI_raise+219>: jne 0x7ffff6e41ecc <__GI_raise+252>
0x7ffff6e41ead <__GI_raise+221>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc8d0 --> 0x0
0008| 0x7fffffffc8d8 --> 0x7fffffffe118 --> 0x0
0016| 0x7fffffffc8e0 --> 0x3200b5ff
0024| 0x7fffffffc8e8 --> 0x0
0032| 0x7fffffffc8f0 --> 0x0
0040| 0x7fffffffc8f8 --> 0x0
0048| 0x7fffffffc900 --> 0x0
0056| 0x7fffffffc908 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2 0x00000000004b0707 in __sanitizer::Abort() ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:154
#3 0x00000000004af0e1 in __sanitizer::Die() ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:58
#4 0x0000000000496c69 in ~ScopedInErrorReport ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:186
#5 0x00000000004983df in ReportGenericError ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:470
#6 0x0000000000498ab8 in __asan_report_load1 () at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:117
#7 0x00000000004c2b5b in ttUSHORT (p=0x6190000004dc "") at ./SRC/stb_truetype.h:1254
#8 0x00000000004e13c1 in stbtt_InitFont_internal (info=0x7fffffffe180, data=0x619000000080 "OTTO", fontstart=0x0)
at ./SRC/stb_truetype.h:1422
#9 0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe180, data=0x619000000080 "OTTO", offset=0x0)
at ./SRC/stb_truetype.h:4771
#10 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe428) at ../fuzzsrc/ttfuzz.c:29
#11 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe428,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe418)
at ../csu/libc-start.c:310
#12 0x000000000041ad4a in _start ()
The text was updated successfully, but these errors were encountered:
ttUSHORTdon't have any bound check, so heap overflow can be triggered.poc:
poc.zip
result:
The text was updated successfully, but these errors were encountered: