Reading symbols from doc2txt...done.
(gdb) run libdoc_reader_process_file_203.overflow
Starting program: /var/normal/bin/doc2txt libdoc_reader_process_file_203.overflow
*** Error in `/var/normal/bin/doc2txt': malloc(): memory corruption: 0x000000000064e1c0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff7a91184]
/var/normal/bin/doc2txt[0x402a63]
/var/normal/bin/doc2txt[0x4012fd]
/var/normal/bin/doc2txt[0x400f3d]
/var/normal/bin/doc2txt[0x400e46]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]
======= Memory map: ========
00400000-0044c000 r-xp 00000000 08:01 526540 /var/normal/bin/doc2txt
0064b000-0064c000 r--p 0004b000 08:01 526540 /var/normal/bin/doc2txt
0064c000-0064d000 rw-p 0004c000 08:01 526540 /var/normal/bin/doc2txt
0064d000-0066e000 rw-p 00000000 00:00 0 [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff77f7000-7ffff780d000 r-xp 00000000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff780d000-7ffff7a0c000 ---p 00016000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0c000-7ffff7a0d000 rw-p 00015000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fde000-7ffff7fe1000 rw-p 00000000 00:00 0
7ffff7ff6000-7ffff7ff7000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2 0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x64e1c0, str=0x7ffff7b9ad3f "malloc(): memory corruption", action=<optimized out>)
at malloc.c:5006
#4 _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=200) at malloc.c:3474
#5 0x00007ffff7a91184 in __GI___libc_malloc (bytes=200) at malloc.c:2913
#6 0x0000000000402a63 in ole_readdir (f=0x64d290, ole_params=0x7fffffffe1d0) at /root/libdoc/ole.c:314
#7 0x00000000004012fd in analyze_format (f=0x64d290, out=0x64d010) at /root/libdoc/analyze.c:52
#8 0x0000000000400f3d in doc2text (buf=0x64e250 "", size=41095, buffer_out=0x7fffffffe368) at /root/libdoc/catdoc.c:55
#9 0x0000000000400e46 in main ()
Asan Debug Information
root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_reader_process_file_203.overflow
=================================================================
==76395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa2b88fa7fe at pc 0x000000407d19 bp 0x7ffc58dcb2a0 sp 0x7ffc58dcb290
READ of size 2 at 0x7fa2b88fa7fe thread T0
#0 0x407d18 in process_file /root/libdoc/reader.c:203
#1 0x402344 in parse_word_header /root/libdoc/analyze.c:123
#2 0x401e54 in analyze_format /root/libdoc/analyze.c:57
#3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
#4 0x401715 in main /root/libdoc/example/main.c:24
#5 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)
0x7fa2b88fa7fe is located 2 bytes to the left of 524288-byte region [0x7fa2b88fa800,0x7fa2b897a800)
allocated by thread T0 here:
#0 0x7fa2b78cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x407733 in process_file /root/libdoc/reader.c:111
#2 0x402344 in parse_word_header /root/libdoc/analyze.c:123
#3 0x401e54 in analyze_format /root/libdoc/analyze.c:57
#4 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
#5 0x401715 in main /root/libdoc/example/main.c:24
#6 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/reader.c:203 process_file
Shadow bytes around the buggy address:
0x0ff4d71174a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff4d71174b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff4d71174c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff4d71174d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff4d71174e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff4d71174f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0ff4d7117500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4d7117510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4d7117520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4d7117530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4d7117540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==76395==ABORTING
Test Version
latest version, git clone https://github.com/uvoteam/libdoc
Environment
Ubuntu 16.04-x64, gcc version 5.4.0 20160609
Test Program and command
gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]
Gdb and Backtrace
POC file
libdoc_reader_process_file_203.zip
CREDIT
Zhao Liang, Huawei Weiran Labs