stack buffer overflow in get_extended_header
This file https://crashes.fuzzing-project.org/lha-stack-overflow-get_extended_header.lha triggers a stack buffer overflow in the function get_extended_header(). This was found with address sanitizer and american fuzzy lop.
Here's address sanitizer's stack dump:
```
==7502==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd9ea3ebd0 at pc 0x000000512ea2 bp 0x7ffd9ea3b1f0 sp 0x7ffd9ea3b1e8
WRITE of size 1 at 0x7ffd9ea3ebd0 thread T0
    #0 0x512ea1 in get_extended_header /f/lha/lha/src/header.c:690:27
    #1 0x5006d1 in get_header_level2 /f/lha/lha/src/header.c:1088:19
    #2 0x5006d1 in get_header /f/lha/lha/src/header.c:1236
    #3 0x52c2cf in cmd_extract /f/lha/lha/src/lhext.c:571:12
    #4 0x524456 in main /f/lha/lha/src/lharc.c:680:9
    #5 0x7f16f7a9178f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419888 in _start (/mnt/ram/lha/lha+0x419888)

Address 0x7ffd9ea3ebd0 is located in stack of thread T0 at offset 4304 in frame
    #0 0x52c09f in cmd_extract /f/lha/lha/src/lhext.c:557

  This frame has 6 object(s):
    [32, 40) 'top.sroa.0.sroa.0.i.i'
    [64, 208) 'stbuf.i.i'
    [272, 416) 'stbuf.i'
    [480, 1504) 'name.i'
    [1632, 1640) 'read_size.i'
    [1664, 4304) 'hdr' <== Memory access at offset 4304 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /f/lha/lha/src/header.c:690:27 in get_extended_header
Shadow bytes around the buggy address:
  0x100033d3fd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100033d3fd70: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
  0x100033d3fd80: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x100033d3fd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033d3fdc0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7502==ABORTING
```
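The ASan report shows a one-byte write landing just past the end of the fixed-size `hdr` buffer (2640 bytes in the `cmd_extract` frame) while extended headers are being copied in. As an added example (not lha's code, and not the fix in 82efba6), the following bounds-checked reader shows the shape of check that prevents this class of bug; it assumes a simplified extended-header chain layout (2-byte little-endian size, then that many payload bytes, size 0 terminating) and a caller-supplied destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: copy a chain of extended headers from untrusted input
 * into a fixed-size destination, refusing anything that would not fit.
 * Returns bytes stored in dst, or -1 on truncated or oversized input. */
long copy_extended_headers(const uint8_t *in, size_t in_len,
                           uint8_t *dst, size_t dst_cap)
{
    size_t ipos = 0, opos = 0;

    for (;;) {
        if (in_len - ipos < 2)            /* size field must be present */
            return -1;
        size_t ext_size = (size_t)in[ipos] | ((size_t)in[ipos + 1] << 8);
        ipos += 2;

        if (ext_size == 0)                /* terminator: chain complete */
            return (long)opos;
        if (ext_size > in_len - ipos)     /* claims more than the input has */
            return -1;
        if (ext_size > dst_cap - opos)    /* would overrun dst: the check a
                                             stack overflow like this lacks */
            return -1;

        memcpy(dst + opos, in + ipos, ext_size);
        opos += ext_size;
        ipos += ext_size;
    }
}

/* Drive both cases on constructed input: returns 1 if a well-formed chain is
 * accepted and one whose declared size exceeds dst is rejected. */
int demo(void)
{
    uint8_t dst[16];
    /* Two small headers (3 and 2 payload bytes), then the 0-size terminator. */
    const uint8_t good[] = { 3,0, 0x01,'a','b',  2,0, 0x02,'c',  0,0 };
    /* One header of 20 bytes: fits the input but not the 16-byte dst. */
    uint8_t bad[24] = { 20, 0 };          /* bad[22..23] stay 0 = terminator */
    memset(bad + 2, 'x', 20);

    long ok  = copy_extended_headers(good, sizeof good, dst, sizeof dst);
    long err = copy_extended_headers(bad,  sizeof bad,  dst, sizeof dst);
    return ok == 5 && err == -1;
}
```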
Fixed at 82efba6 Thanks!