Ticket #36302

stack buffer overflow in get_extended_header

Opened: 2016-05-05 17:46 Last updated: 2016-05-07 08:52

Reporter:
Owner:
Ticket type:
Status: Closed
Component: (unassigned)
Milestone: (unassigned)
Priority: 5 - Medium
Severity: 5 - Medium
Resolution: None
Files: None

Details

This file https://crashes.fuzzing-project.org/lha-stack-overflow-get_extended_header.lha triggers a stack buffer overflow in the function get_extended_header(). This was found with AddressSanitizer and american fuzzy lop.

Here's AddressSanitizer's stack dump:

==7502==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9ea3ebd0 at pc 0x000000512ea2 bp 0x7ffd9ea3b1f0 sp 0x7ffd9ea3b1e8
WRITE of size 1 at 0x7ffd9ea3ebd0 thread T0
    #0 0x512ea1 in get_extended_header /f/lha/lha/src/header.c:690:27
    #1 0x5006d1 in get_header_level2 /f/lha/lha/src/header.c:1088:19
    #2 0x5006d1 in get_header /f/lha/lha/src/header.c:1236
    #3 0x52c2cf in cmd_extract /f/lha/lha/src/lhext.c:571:12
    #4 0x524456 in main /f/lha/lha/src/lharc.c:680:9
    #5 0x7f16f7a9178f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419888 in _start (/mnt/ram/lha/lha+0x419888)

Address 0x7ffd9ea3ebd0 is located in stack of thread T0 at offset 4304 in frame
    #0 0x52c09f in cmd_extract /f/lha/lha/src/lhext.c:557

  This frame has 6 object(s):
    [32, 40) 'top.sroa.0.sroa.0.i.i'
    [64, 208) 'stbuf.i.i'
    [272, 416) 'stbuf.i'
    [480, 1504) 'name.i'
    [1632, 1640) 'read_size.i'
    [1664, 4304) 'hdr' <== Memory access at offset 4304 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /f/lha/lha/src/header.c:690:27 in get_extended_header
Shadow bytes around the buggy address:
  0x100033d3fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100033d3fd70: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
  0x100033d3fd80: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x100033d3fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fdc0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7502==ABORTING
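As an added triage helper (not part of this ticket or of the lha code base): the report above names the faulting function, the frame's object layout and the offset of the bad access, and this script parses those lines to report which stack object the write overruns and by how many bytes. The regular expressions assume the report layout shown on this page.

```python
import re

# Excerpt of the AddressSanitizer report quoted in this ticket, embedded as sample input.
ASAN_REPORT = """\
==7502==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9ea3ebd0 at pc 0x000000512ea2 bp 0x7ffd9ea3b1f0 sp 0x7ffd9ea3b1e8
WRITE of size 1 at 0x7ffd9ea3ebd0 thread T0
    #0 0x512ea1 in get_extended_header /f/lha/lha/src/header.c:690:27
    #1 0x5006d1 in get_header_level2 /f/lha/lha/src/header.c:1088:19
Address 0x7ffd9ea3ebd0 is located in stack of thread T0 at offset 4304 in frame
    #0 0x52c09f in cmd_extract /f/lha/lha/src/lhext.c:557
  This frame has 6 object(s):
    [32, 40) 'top.sroa.0.sroa.0.i.i'
    [64, 208) 'stbuf.i.i'
    [272, 416) 'stbuf.i'
    [480, 1504) 'name.i'
    [1632, 1640) 'read_size.i'
    [1664, 4304) 'hdr' <== Memory access at offset 4304 overflows this variable
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame", re.M)
FRAME_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\w+) (\S+)", re.M)
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


def triage_stack_overflow(report):
    """Work out which stack object an ASan stack-buffer-overflow overruns and by how much."""
    kind, size = ACCESS_RE.search(report).groups()
    offset = int(OFFSET_RE.search(report).group(1))
    func, location = FRAME_RE.search(report).groups()  # first #0 frame is the faulting code
    objects = [(int(lo), int(hi), name) for lo, hi, name in OBJECT_RE.findall(report)]
    # The access landed in a redzone, so pick the object that ends closest before it.
    lo, hi, name = max((o for o in objects if o[1] <= offset), key=lambda o: o[1])
    return {
        "access": kind,
        "size": int(size),
        "function": func,
        "location": location,
        "object": name,
        "object_size": hi - lo,
        "bytes_past_end": offset - hi,  # 0 means the very first byte after the buffer
    }


if __name__ == "__main__":
    for key, value in triage_stack_overflow(ASAN_REPORT).items():
        print(f"{key}: {value}")
```

For this report the helper shows a 1-byte write landing on the first byte after the 2640-byte `hdr` buffer, which is where a bounds check on the extended-header size being copied into `hdr` would need to sit.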

Ticket history (showing 3 of 3)

2016-05-05 17:46 Updated by: hanno
  • New ticket "stack buffer overflow in get_extended_header" created
2016-05-06 12:15 Updated by: arai
  • Owner changed from (unassigned) to arai
2016-05-07 08:52 Updated by: arai
  • Status changed from Open to Closed
  • Ticket close time set to 2016-05-07 08:52
Comment

Fixed at 82efba6 Thanks!

Attachment list

No attachments
