Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Execute the following command: ./streaming_parser $POC
=================================================================
==28627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000002a at pc 0x0000004a7e60 bp 0x7ffeeb255cd0 sp 0x7ffeeb255480
READ of size 5 at 0x60300000002a thread T0
#0 0x4a7e5f in printf_common(void*, char const*, __va_list_tag*) /home/karas/src/llvm/projects/compiler-rt/lib/ASan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544
#1 0x4a8bda in __interceptor_vprintf /home/karas/src/llvm/projects/compiler-rt/lib/ASan/../sanitizer_common/sanitizer_common_interceptors.inc:1388
#2 0x4a8c97 in printf /home/karas/src/llvm/projects/compiler-rt/lib/ASan/../sanitizer_common/sanitizer_common_interceptors.inc:1434
#3 0x5145f7 in find_string /home/karas/ASan/libcbor/examples/streaming_parser.c:31:3
#4 0x514d11 in cbor_stream_decode /home/karas/ASan/libcbor/src/cbor/streaming.c
#5 0x5148c9 in main /home/karas/ASan/libcbor/examples/streaming_parser.c:56:19
#6 0x7f589bf27c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#7 0x41b71b in _start (/home/karas/ASan/libcbor/examples/streaming_parser+0x41b71b)
0x60300000002a is located 0 bytes to the right of 26-byte region [0x603000000010,0x60300000002a)
allocated by thread T0 here:
#0 0x4df0b6 in __interceptor_malloc /home/karas/src/llvm/projects/compiler-rt/lib/ASan/ASan_malloc_linux.cc:66
#1 0x514805 in main /home/karas/ASan/libcbor/examples/streaming_parser.c:48:27
#2 0x7f589bf27c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/src/llvm/projects/compiler-rt/lib/ASan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544 in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00[02]fa fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28627==ABORTING
=================
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
Basically, the width specifier in the format string caused printf to
read outside the buffer.
Fix by using strndup so we get a guaranteed null terminated buffer.
Fixes issue PJK#67
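The bug class the commit message describes, as an added example that is not libcbor's code: a constructed, non-NUL-terminated string chunk is rendered with a width specifier (`%*s`) beside two bounded forms, a NUL-terminated copy (what the strndup fix does) and a precision specifier (`%.*s`). The function names, the sample buffer and the "Found string:" label are assumptions for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, not from the PoC: the first 5 bytes are the payload a
 * streaming decoder hands its callback as (pointer, length); there is no NUL
 * at buf[len]. The tildes stand in for the rest of the stream. The implicit
 * NUL after byte 26 is what makes the over-read well-defined here; in the
 * real 26-byte malloc there was none, so printf ran into ASan's redzone. */
static const unsigned char SAMPLE[] = "hello~~~~~~~~~~~~~~~~~~~~~";
#define PAYLOAD_LEN 5

/* Bug pattern: '*' in "%*s" is a minimum field WIDTH. It does not limit how
 * many bytes are read; printf keeps scanning until it finds a NUL. */
size_t render_width(char *out, size_t outsz, const unsigned char *buf, size_t len) {
  int n = snprintf(out, outsz, "Found string: %*s\n", (int)len, (const char *)buf);
  return n < 0 ? 0 : (size_t)n;
}

/* Fix 1 (the commit's approach): copy at most len bytes into a fresh
 * NUL-terminated buffer before printing. Spelled out instead of calling
 * strndup so it builds under strict C99 without feature macros. */
size_t render_copy(char *out, size_t outsz, const unsigned char *buf, size_t len) {
  char *tmp = malloc(len + 1);
  if (tmp == NULL) return 0;
  memcpy(tmp, buf, len);
  tmp[len] = '\0';
  int n = snprintf(out, outsz, "Found string: %s\n", tmp);
  free(tmp);
  return n < 0 ? 0 : (size_t)n;
}

/* Fix 2: ".*" is a PRECISION, which for %s caps the bytes read, so no NUL
 * is required within the first len bytes. */
size_t render_precision(char *out, size_t outsz, const unsigned char *buf, size_t len) {
  int n = snprintf(out, outsz, "Found string: %.*s\n", (int)len, (const char *)buf);
  return n < 0 ? 0 : (size_t)n;
}

int main(void) {
  char out[64];
  render_width(out, sizeof out, SAMPLE, PAYLOAD_LEN);
  printf("width:     %s", out);   /* all 26 bytes, past the 5-byte payload */
  render_precision(out, sizeof out, SAMPLE, PAYLOAD_LEN);
  printf("precision: %s", out);   /* "hello" only */
  return 0;
}
```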
Hello.
I found a heap-buffer-overflow bug in libcbor.
Please confirm.
Thanks.
OS: CentOS 7 64bit
PoC Download: crash_overflow.zip