=================================================================
==60039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002810 at pc 0x0000004e639b bp 0x7fffffffd6d0 sp 0x7fffffffd6c8
READ of size 1 at 0x625000002810 thread T0
#0 0x4e639a (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e639a)
#1 0x4e7ad0 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e7ad0)
#2 0x4e9f65 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e9f65)
#3 0x4e10a4 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e10a4)
#4 0x4d71a2 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4d71a2)
#5 0x4e1b28 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1b28)
#6 0x7ffff6e24b96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#7 0x41ad49 (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x41ad49)
Address 0x625000002810 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e639a)
Shadow bytes around the buggy address:
0x0c4a7fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff84e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8500: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==60039==ABORTING
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x73be28 --> 0x0
RCX: 0x7ffff6e41e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffc710 --> 0x0
RDI: 0x2
RBP: 0x7fffffffd6a0 --> 0x7fffffffd6d0 --> 0x7fffffffd740 --> 0x7fffffffd770 --> 0x7fffffffd8d0 --> 0x7fffffffe120 (--> ...)
RSP: 0x7fffffffc710 --> 0x0
RIP: 0x7ffff6e41e97 (<__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffc710 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffd6d0 --> 0x7fffffffd740 --> 0x7fffffffd770 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 (--> ...)
R13: 0x7fffffffd6c8 --> 0x7fffffffd948 --> 0x2700000027 --> 0x0
R14: 0x7fffffffd670 --> 0xffffffc6000001ba
R15: 0x7ce288 --> 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6e41e8b <__GI_raise+187>: mov edi,0x2
0x7ffff6e41e90 <__GI_raise+192>: mov eax,0xe
0x7ffff6e41e95 <__GI_raise+197>: syscall
=> 0x7ffff6e41e97 <__GI_raise+199>: mov rcx,QWORD PTR [rsp+0x108]
0x7ffff6e41e9f <__GI_raise+207>: xor rcx,QWORD PTR fs:0x28
0x7ffff6e41ea8 <__GI_raise+216>: mov eax,r8d
0x7ffff6e41eab <__GI_raise+219>: jne 0x7ffff6e41ecc <__GI_raise+252>
0x7ffff6e41ead <__GI_raise+221>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc710 --> 0x0
0008| 0x7fffffffc718 --> 0x7fffffffe118 --> 0x0
0016| 0x7fffffffc720 --> 0x940000c600006100
0024| 0x7fffffffc728 --> 0x1008e0000dd0000
0032| 0x7fffffffc730 --> 0x0
0040| 0x7fffffffc738 --> 0x0
0048| 0x7fffffffc740 --> 0x0
0056| 0x7fffffffc748 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2 0x00000000004b0707 in __sanitizer::Abort() ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:154
#3 0x00000000004af0e1 in __sanitizer::Die() ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:58
#4 0x0000000000496c69 in ~ScopedInErrorReport ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:186
#5 0x00000000004983df in ReportGenericError ()
at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:470
#6 0x0000000000498ab8 in __asan_report_load1 () at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:117
#7 0x00000000004e639b in stbtt__buf_get8 (b=0x7fffffffd920) at ./SRC/stb_truetype.h:1105
#8 0x00000000004e7ad1 in stbtt__buf_get (b=0x7fffffffd920, n=0x2) at ./SRC/stb_truetype.h:1132
#9 0x00000000004e9f66 in stbtt__cff_get_index (b=0x7fffffffd920) at ./SRC/stb_truetype.h:1162
#10 0x00000000004e10a5 in stbtt_InitFont_internal (info=0x7fffffffe180, data=0x625000000100 "OTTO", fontstart=0x0)
at ./SRC/stb_truetype.h:1405
#11 0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe180, data=0x625000000100 "OTTO", offset=0x0)
at ./SRC/stb_truetype.h:4771
#12 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe428) at ../fuzzsrc/ttfuzz.c:29
#13 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe428,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe418)
at ../csu/libc-start.c:310
#14 0x000000000041ad4a in _start ()
The text was updated successfully, but these errors were encountered:
stbtt__buf_get8has heap overflow vulnerability.poc:
poc.zip
result:
The text was updated successfully, but these errors were encountered: