0x34d
commented
2 years ago Bug Report
ASAN Log:
=================================================================
==13470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000009d8a at pc 0x00000051d115 bp 0x7fffc374d1b0 sp 0x7fffc374c970
READ of size 2 at 0x603000009d8a thread T0
#0 0x51d114 in __asan_memcpy (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x51d114) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#1 0x571c3c in __mqtt_unpack_uint16 /home/Ez/project/Test/MQTT-C/src/mqtt.c:1748:3
#2 0x571759 in mqtt_unpack_publish_response /home/Ez/project/Test/MQTT-C/src/mqtt.c:1360:31
#3 0x56f83e in mqtt_unpack_response /home/Ez/project/Test/MQTT-C/src/mqtt.c:1706:18
#4 0x561ce5 in LLVMFuzzerTestOneInput /home/Ez/project/Test/MQTT-C/fuzzer.c:8:12
#5 0x44bbf1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x44bbf1) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#6 0x44c530 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x44c530) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#7 0x44d510 in fuzzer::Fuzzer::MutateAndTestOne() (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x44d510) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#8 0x44eeb7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x44eeb7) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#9 0x433104 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x433104) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#10 0x4229f6 in main (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x4229f6) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
#11 0x7ff10954158f in __libc_start_call_main (/lib64/libc.so.6+0x2958f) (BuildId: 58056842ddaf8c272b19025e036bd01444dae27d)
#12 0x7ff109541648 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x29648) (BuildId: 58056842ddaf8c272b19025e036bd01444dae27d)
#13 0x422a34 in _start (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x422a34) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3)
Address 0x603000009d8a is a wild pointer inside of access range of size 0x000000000002.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/Ez/project/Test/MQTT-C/bin/fuzzer+0x51d114) (BuildId: 85fdcfbb545279100db9c4f52545a02acf31bda3) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c067fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff93b0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cbTo reproduce the Bug
unzip bug.zip
$ ./fuzzer bug.raw
Just Simple libfuzzer Support