While fuzzing Schism Tracker git nightly rev: e665489 (and also latest release Schism Tracker 20200412) with Honggfuzz, I found a heap-based buffer overflow READ of size 8 in the fmt_mtm_load_song() function, in mtm.c.
Attaching a reproducer (gzipped so GitHub accepts it): testx.mtm.gz
Issue can be reproduced by running:
schismtracker testx.mtm
Note: It may not crash or segfault; it silently reads 8 bytes, so to reproduce the behaviour please follow the steps below:

CC=clang CFLAGS="-g -fsanitize=address" ./configure
make
schismtracker testx.mtm

OS Version:

Compiler Version:
clang version 10.0.0-4ubuntu1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
=================================================================
==165186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x000000594375 bp 0x7ffd1cd7e4f0 sp 0x7ffd1cd7e4e8
READ of size 8 at 0x633000018800 thread T0
#0 0x594374 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:210:15
#1 0x69d127 in song_create_load /home/bsdboy/schismtracker/schism/audio_loadsave.c:224:11
#2 0x69d63a in song_load_unchecked /home/bsdboy/schismtracker/schism/audio_loadsave.c:282:12
#3 0x5ee913 in main /home/bsdboy/schismtracker/schism/main.c:1132:7
#4 0x7fced812b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41eb6d in _start (/home/bsdboy/schismtracker/schismtracker+0x41eb6d)
0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
allocated by thread T0 here:
#0 0x497422 in calloc (/home/bsdboy/schismtracker/schismtracker+0x497422)
#1 0x5cb82c in mem_calloc /home/bsdboy/schismtracker/schism/util.c:113:6
#2 0x593fc3 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:190:14
#3 0x69d127 in song_create_load /home/bsdboy/schismtracker/schism/audio_loadsave.c:224:11
#4 0x69d63a in song_load_unchecked /home/bsdboy/schismtracker/schism/audio_loadsave.c:282:12
#5 0x5ee913 in main /home/bsdboy/schismtracker/schism/main.c:1132:7
#6 0x7fced812b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bsdboy/schismtracker/fmt/mtm.c:210:15 in fmt_mtm_load_song
Shadow bytes around the buggy address:
0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==165186==ABORTING
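A small triage helper for the sanitizer output above, added here as an example (it is not part of this issue or of Schism Tracker): it parses the report, cross-checks the stated region size against its address range, and works out that the 8-byte read at mtm.c:210 starts exactly at the end of the 98304-byte buffer allocated at mtm.c:190, which, if the buffer holds 8-byte items, is element 12288 of a 12288-element array, the signature of an off-by-one bound. The embedded report text is constructed from the lines quoted in the issue.

```python
import re

# AddressSanitizer excerpt, constructed from the report quoted in this issue (only the lines the triage needs).
ASAN_REPORT = """\
==165186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x000000594375 bp 0x7ffd1cd7e4f0 sp 0x7ffd1cd7e4e8
READ of size 8 at 0x633000018800 thread T0
    #0 0x594374 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:210:15
    #1 0x69d127 in song_create_load /home/bsdboy/schismtracker/schism/audio_loadsave.c:224:11
0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
allocated by thread T0 here:
    #0 0x497422 in calloc (/home/bsdboy/schismtracker/schismtracker+0x497422)
    #1 0x5cb82c in mem_calloc /home/bsdboy/schismtracker/schism/util.c:113:6
    #2 0x593fc3 in fmt_mtm_load_song /home/bsdboy/schismtracker/fmt/mtm.c:190:14
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Only frames that carry a file:line; the bare calloc frame is skipped on purpose.
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$", re.M)


def frames(stack_text):
    """Frames with a source location, innermost first, as (function, file, line)."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in FRAME.finditer(stack_text)]


def triage(report):
    head, acc, reg = HEADER.search(report), ACCESS.search(report), REGION.search(report)
    if not (head and acc and reg):
        raise ValueError("not a left/right heap-buffer-overflow report")
    access_part, _, alloc_part = report.partition("allocated by")
    fault = frames(access_part)[0]
    alloc_frames = frames(alloc_part)
    # Prefer the allocation frame inside the faulting function: it points at the size computation, not the wrapper.
    alloc = next((f for f in alloc_frames if f[0] == fault[0]), alloc_frames[0] if alloc_frames else None)
    size, addr = int(acc.group(2)), int(acc.group(3), 16)
    region, lo, hi = int(reg.group(3)), int(reg.group(4), 16), int(reg.group(5), 16)
    if hi - lo != region:
        raise ValueError("region bounds disagree with the stated region size")
    offset = addr - lo  # access start relative to the allocation start
    return {
        "bug": head.group(1), "op": acc.group(1), "size": size,
        "fault": fault, "alloc": alloc, "region_bytes": region,
        "offset": offset, "past_end": offset + size - region,
        "index": offset // size, "count": region // size,  # if the buffer holds `size`-byte elements
        "off_by_one": offset == region,  # the access starts exactly at the end of the buffer
    }


if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```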