Closed. Dabiaoge6 closed this 1 year ago.
Thanks for the report! Do you have a fix at hand?
Sorry, I don't have more time to fix this defect.
------------------ Original message ------------------ From: "Christian @.>"; Sent: Tuesday, March 28, 2023, 5:44 PM; To: @.>; Cc: @.>; @.>; Subject: Re: [LibVNC/libvncserver] The rfbProcessSizeArguments () function triggers heap-use-after-free defects (Issue #567)
This will of course crash if argc doesn't match argv size. I see no way around this.
testcase:
EASYFUZZ(maygYOHg){
}
crashlog:
==146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000009d8 at pc 0x7f03dd01a75a bp 0x7ffc99094bf0 sp 0x7ffc99094be0
READ of size 8 at 0x6020000009d8 thread T0
    #0 0x7f03dd01a759 in rfbProcessSizeArguments /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/cargs.c:250

0x6020000009dc is located 0 bytes to the right of 12-byte region [0x6020000009d0,0x6020000009dc)
allocated by thread T0 here:
    #0 0x7f03dd191867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145

SUMMARY: AddressSanitizer: heap-buffer-overflow /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/cargs.c:250 in rfbProcessSizeArguments
Shadow bytes around the buggy address:
  0x0c047fff80e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
  0x0c047fff80f0: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 04 fa
  0x0c047fff8100: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 00 04
  0x0c047fff8110: fa fa fd fd fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8120: fa fa 04 fa fa fa 00 04 fa fa 04 fa fa fa 04 fa
=>0x0c047fff8130: fa fa 04 fa fa fa 04 fa fa fa 00[04]fa fa fa fa
  0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
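To make the maintainer's point concrete, here is an added example that is not libvncserver's own code. The scanner is modeled on how an argv walker in the style of rfbProcessSizeArguments behaves: it trusts argc to describe argv. A fuzz harness that hands it an argc larger than the array it actually built makes the loop read pointer-sized values past the end of the allocation, which is consistent with the 8-byte READ just past a heap region in the report above. The checked variant validates the argc/argv pair the harness supplies before walking it. The function names, the simplified option parsing, and the sample command line are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libvncserver code: a scanner in the style of an argv
 * walker such as rfbProcessSizeArguments. It trusts argc to describe argv. */
typedef struct {
    int width;
    int height;
    int bpp;
} size_args;

static int scan_size_args_trusting(int argc, char **argv, size_args *out)
{
    for (int i = 1; i < argc; i++) {
        /* Each option takes one value; the i + 1 < argc guard is only as
         * good as argc itself. If a harness claims more entries than argv
         * holds, argv[i] is read past the end of the array: ASan reports a
         * heap-buffer-overflow READ of size 8 (one pointer). */
        if (strcmp(argv[i], "-width") == 0 && i + 1 < argc)
            out->width = atoi(argv[++i]);
        else if (strcmp(argv[i], "-height") == 0 && i + 1 < argc)
            out->height = atoi(argv[++i]);
        else if (strcmp(argv[i], "-bpp") == 0 && i + 1 < argc)
            out->bpp = atoi(argv[++i]);
    }
    return 0;
}

/* Harness-side check. main()'s argv is guaranteed to have argv[argc] == NULL;
 * a hand-built argv (fuzz driver, test case) must keep that invariant, and
 * this verifies it so a mismatched argc is rejected instead of walked.
 * It cannot detect an array that has no terminator at all. */
static int argv_matches_argc(int argc, char **argv)
{
    if (argc < 1 || argv == NULL)
        return 0;
    for (int i = 0; i < argc; i++)
        if (argv[i] == NULL)
            return 0;            /* fewer entries than argc claims */
    return argv[argc] == NULL;   /* exactly argc entries */
}

static int scan_size_args_checked(int argc, char **argv, size_args *out)
{
    if (!argv_matches_argc(argc, argv))
        return -1;               /* refuse: argc does not describe argv */
    return scan_size_args_trusting(argc, argv, out);
}

/* Constructed sample command line, terminated the way the C runtime does it. */
static char *sample_argv[] = {
    "vncserver", "-width", "640", "-height", "480", "-bpp", "32", NULL
};
#define SAMPLE_ARGC 7

/* argc matches argv: parsing succeeds and yields width 640. */
int demo_consistent_width(void)
{
    size_args s = {0, 0, 0};
    if (scan_size_args_checked(SAMPLE_ARGC, sample_argv, &s) != 0)
        return -1;
    return s.width;
}

/* argc claims three entries that do not exist: the checked scanner returns -1,
 * where the trusting one would hit the NULL terminator and then read past the
 * end of the array. */
int demo_overclaimed_argc(void)
{
    size_args s = {0, 0, 0};
    return scan_size_args_checked(SAMPLE_ARGC + 3, sample_argv, &s);
}

/* argc claims fewer entries than present: also rejected, since the harness and
 * the array disagree and the scanner would silently drop "-bpp 32". */
int demo_underclaimed_argc(void)
{
    size_args s = {0, 0, 0};
    return scan_size_args_checked(SAMPLE_ARGC - 2, sample_argv, &s);
}

int main(void)
{
    printf("consistent argc  -> width %d\n", demo_consistent_width());
    printf("overclaimed argc -> %d\n", demo_overclaimed_argc());
    printf("underclaimed argc -> %d\n", demo_underclaimed_argc());
    return 0;
}
```

The check belongs in the harness rather than the library: a real process always receives a consistent argc/argv pair from its runtime, so the only way to reach the out-of-bounds read is a driver that builds argv by hand and passes a count that does not match it.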