Heap Buffer-overflow vulnerability in deco.c
There is a heap buffer overflow vulnerability in deco.c, in the draw_all_deco function, which occurs when parsing an input file.
Output:
=================================================================
==10052==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009764 at pc 0x0000003f9189 bp 0x7ffdfb16aa90 sp 0x7ffdfb16aa88
READ of size 4 at 0x629000009764 thread T0
#0 0x3f9188 in draw_all_deco /home/arash/abcm2ps/deco.c:1384:32
#1 0x5b760c in output_music /home/arash/abcm2ps/music.c:5120:3
#2 0x6b7a79 in generate /home/arash/abcm2ps/parse.c:1042:2
#3 0x645f70 in gen_ly /home/arash/abcm2ps/parse.c:1063:2
#4 0x645f70 in do_tune /home/arash/abcm2ps/parse.c:3643:2
#5 0x54a1da in abc_eof /home/arash/abcm2ps/abcparse.c:202:2
#6 0x54a1da in frontend /home/arash/abcm2ps/front.c:905:2
#7 0x33549c in treat_file /home/arash/abcm2ps/abcm2ps.c:240:2
#8 0x339393 in main /home/arash/abcm2ps/abcm2ps.c:1041:3
#9 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x2868d9 in _start (/home/arash/abcm2ps/abcm2ps.laf.asan+0x2868d9)
0x629000009764 is located 1350 bytes to the right of 16414-byte region [0x629000005200,0x62900000921e)
allocated by thread T0 here:
#0 0x30094d in malloc (/home/arash/abcm2ps/abcm2ps.laf.asan+0x30094d)
#1 0x33804d in clrarena /home/arash/abcm2ps/abcm2ps.c:1064:24
#2 0x33804d in main /home/arash/abcm2ps/abcm2ps.c:687:2
#3 0x7fcfbe228bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arash/abcm2ps/deco.c:1384:32 in draw_all_deco
Shadow bytes around the buggy address:
0x0c527fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c527fff92f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==10052==ABORTING
To reproduce:
./abcm2ps poc7
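The report above is easier to triage once its numbers are cross-checked: the faulting address, the access size, the bounds of the nearest heap region and the allocation site. The following parser is an added example, not code from the issue or from the abcm2ps project; it works on a constructed excerpt of the report quoted above (the addresses are those the report prints), and the function names and the assumption that the "left"/"right" distances are measured from the region start/end are mine.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue:
# only the lines the parser needs, with the addresses the report printed.
SAMPLE_REPORT = """\
==10052==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009764 at pc 0x0000003f9189 bp 0x7ffdfb16aa90 sp 0x7ffdfb16aa88
READ of size 4 at 0x629000009764 thread T0
    #0 0x3f9188 in draw_all_deco /home/arash/abcm2ps/deco.c:1384:32
    #1 0x5b760c in output_music /home/arash/abcm2ps/music.c:5120:3
0x629000009764 is located 1350 bytes to the right of 16414-byte region [0x629000005200,0x62900000921e)
allocated by thread T0 here:
    #0 0x30094d in malloc (/home/arash/abcm2ps/abcm2ps.laf.asan+0x30094d)
    #1 0x33804d in clrarena /home/arash/abcm2ps/abcm2ps.c:1064:24
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arash/abcm2ps/deco.c:1384:32 in draw_all_deco
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")


def parse_asan_report(text):
    """Extract the fields of an ASan heap-buffer-overflow report into a dict.

    Frames printed after the 'READ/WRITE of size' line are the access stack;
    frames printed after 'allocated by' are the allocation stack.
    """
    info = {"access_stack": [], "alloc_stack": []}
    stack = None  # which stack the following '#n' frames belong to
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            info["pid"] = int(m.group(1))
            info["kind"] = m.group(2)
            info["address"] = int(m.group(3), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            info["op"] = m.group(1)
            info["size"] = int(m.group(2))
            stack = "access_stack"
            continue
        m = REGION_RE.match(line)
        if m:
            info["claimed_offset"] = int(m.group(2))
            info["side"] = m.group(3)
            info["region_size"] = int(m.group(4))
            info["region_start"] = int(m.group(5), 16)
            info["region_end"] = int(m.group(6), 16)
            stack = None
            continue
        if line.startswith("allocated by"):
            stack = "alloc_stack"
            continue
        m = FRAME_RE.match(line)
        if m and stack:
            info[stack].append((m.group(2), m.group(3)))
    return info


def check_report(info):
    """Cross-check the numbers ASan printed and summarise the bad access."""
    start, end, size = info["region_start"], info["region_end"], info["region_size"]
    addr, n = info["address"], info["size"]
    # Assumption: 'right' distances are measured from the region end,
    # 'left' distances from the region start.
    offset = addr - end if info["side"] == "right" else start - addr
    return {
        "region_size_consistent": end - start == size,
        "offset_consistent": offset == info["claimed_offset"],
        "offset": offset,
        # True when no byte of the access overlaps the region at all.
        "fully_outside": addr + n <= start or addr >= end,
        "fault_frame": info["access_stack"][0],
        # First allocation frame that is not the allocator itself.
        "alloc_frame": next((f for f in info["alloc_stack"] if f[0] != "malloc"), None),
    }


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    res = check_report(rep)
    print(f"{rep['op']} of {rep['size']} bytes at {rep['address']:#x}: "
          f"{res['offset']} bytes past the end of a {rep['region_size']}-byte region")
    print("faulting frame:", res["fault_frame"])
    print("region allocated in:", res["alloc_frame"])
```

Run on the excerpt, the checks confirm the region is indeed 0x401e = 16414 bytes long and that the 4-byte read lands 0x546 = 1350 bytes past its end, entirely outside the arena handed out by clrarena; a report whose arithmetic did not add up would be a sign of a mangled or truncated log rather than of the bug itself.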
I cannot reproduce the problem on my machine (32-bit ARM). Anyway, there is no relation with the commit 9630392: there is no !trem2! in your source.
Hi. The crash is reproducible on x86-64 Ubuntu 18.04; I didn't test it on ARM.
Thanks.
I cannot reproduce this bug on x64 macOS.
Can you install Ubuntu 18.04? Otherwise I can send you a VM on which you can test and reproduce it.
I use VoidLinux, so I have the latest versions of the GNU tools (gcc (GCC) 10.2.1 20201203).
About a VM, I think that you were talking about an x86-64 system, but I cannot run Intel binaries, even with qemu: my BananaPi M2+ board is too small (clock 700MHz, RAM 1GB).