LibVNC / libvncserver

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you to easily implement VNC server or client functionality in your program.
GNU General Public License v2.0

The rfbProcessSizeArguments () function triggers heap-use-after-free defects #567

Closed Dabiaoge6 closed 1 year ago

Dabiaoge6 commented 1 year ago

testcase:

```c
EASYFUZZ(maygYOHg){

// ---comment int * rfbProcessSizeArguments.width
int * width_WxgtwEaI = (int *) fuzzInt32(0);
// ---comment int * rfbProcessSizeArguments.height
int * height_LUyyiOYb = (int *) fuzzInt32(1);
// ---comment int * rfbProcessSizeArguments.bpp
int * bpp_WLJIIxGD = (int *) fuzzInt32(2);
// ---comment int * rfbProcessSizeArguments.argc
int * argc_slFoTchz = (int *) fuzzInt32(3);
// ---comment char * rfbProcessSizeArguments.argv
char * argv_sOOjVNIp = (char *) fuzzstring(4);

// The user fills in the interface under test; a string-type value is needed here, so fuzzstring is used.
rfbBool LXviXbaO = rfbProcessSizeArguments(width_WxgtwEaI, height_LUyyiOYb, bpp_WLJIIxGD, argc_slFoTchz, argv_sOOjVNIp);

}
```

crashlog:

```
==146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000009d8 at pc 0x7f03dd01a75a bp 0x7ffc99094bf0 sp 0x7ffc99094be0
READ of size 8 at 0x6020000009d8 thread T0
    #0 0x7f03dd01a759 in rfbProcessSizeArguments /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/cargs.c:250
    #1 0x55a92afcd6f7 in easyloop /dockerin/test_file.c:30
    #2 0x55a92afcd3eb in main /opt1/software/betafuzz/srap/wrapentry.c:108
    #3 0x7f03dccbfd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #4 0x7f03dccbfe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #5 0x55a92afcd444 in _start (/dockerin/clouditera+0x1444)

0x6020000009dc is located 0 bytes to the right of 12-byte region [0x6020000009d0,0x6020000009dc)
allocated by thread T0 here:
    #0 0x7f03dd191867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f03dd06278c in BetaWmalloc /opt1/software/betafuzz/srap/wrapsystem.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow /cloud_proj/pr1679995373267xbruewtfxojxvgnl/libvncserver/cargs.c:250 in rfbProcessSizeArguments
Shadow bytes around the buggy address:
  0x0c047fff80e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
  0x0c047fff80f0: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 04 fa
  0x0c047fff8100: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 00 04
  0x0c047fff8110: fa fa fd fd fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8120: fa fa 04 fa fa fa 00 04 fa fa 04 fa fa fa 04 fa
=>0x0c047fff8130: fa fa 04 fa fa fa 04 fa fa fa 00[04]fa fa fa fa
  0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
```

bk138 commented 1 year ago

Thanks for the report! Do you have a fix at hand?

Dabiaoge6 commented 1 year ago

Sorry, I don't have more time to fix this defect.

------------------ Original message ------------------
From: "Christian @.>;
Sent: Tuesday, March 28, 2023, 5:44 PM
To: @.>;
Cc: @.>; @.>;
Subject: Re: [LibVNC/libvncserver] The rfbProcessSizeArguments () function triggers heap-use-after-free defects (Issue #567)

Thanks for the report! Do you have a fix at hand?

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread. Message ID: @.***>

bk138 commented 1 year ago

This will of course crash if argc doesn't match argv size. I see no way around this.
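The point made in the last comment is an API-contract issue rather than a library bug: the reproducer derives `argc` from a fuzzed 32-bit value cast to a pointer and passes a single fuzzed string where a `char **` array is expected, so no argument scanner can know how many `argv` slots really exist. The example below is an added illustration, not code from this issue or from libvncserver. It uses a hypothetical, simplified scanner `process_size_args` of the same shape as `rfbProcessSizeArguments` (it consumes `-width N`, `-height N` and `-bpp N` and purges them from `argv`), shows the one check such a scanner can make on its own (never read `argv[i+1]` unless `*argc` says it exists), and shows how a harness must build a consistent `argc`/`argv` pair, with an `argc+1`-slot, NULL-terminated array, so that check is meaningful. All names, the constructed argument lists and the expected values are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for an argv scanner of the same shape as
 * rfbProcessSizeArguments (not libvncserver's code). It consumes
 * "-width N", "-height N" and "-bpp N", removes them from argv and keeps
 * *argc and argv consistent. argv is expected to have *argc + 1 slots with a
 * trailing NULL, like a real argv. Returns 1 on success, 0 on a malformed
 * or inconsistent argument list. */
static int process_size_args(int *width, int *height, int *bpp,
                             int *argc, char **argv)
{
    int i = 1;
    if (!width || !height || !bpp || !argc || !argv || *argc < 1)
        return 0;

    while (i < *argc) {
        int *target = NULL;
        if (strcmp(argv[i], "-width") == 0)       target = width;
        else if (strcmp(argv[i], "-height") == 0) target = height;
        else if (strcmp(argv[i], "-bpp") == 0)    target = bpp;

        if (target == NULL) { i++; continue; }

        /* The option needs a value: refuse to read argv[i + 1] unless *argc
         * says it exists. This is the only bound the callee can check; a
         * harness that passes an argc larger than its argv array defeats it. */
        if (i + 1 >= *argc)
            return 0;
        *target = atoi(argv[i + 1]);

        /* Purge the two consumed entries, shifting the remainder down. */
        memmove(&argv[i], &argv[i + 2],
                (size_t)(*argc - i - 2) * sizeof(char *));
        *argc -= 2;
        argv[*argc] = NULL;   /* keep the list NULL-terminated */
    }
    return 1;
}

/* Constructed harness input: argc matches the argv array, which has one
 * extra slot for the terminating NULL. Writes the parsed sizes and the
 * remaining argc to the out-parameters; returns the scanner's result. */
static int demo_consistent(int *w, int *h, int *b, int *argc_out)
{
    char *args[] = { "server", "-width", "1024", "-height", "768",
                     "-bpp", "32", "display", NULL };
    char *argv[9];
    int argc = 8;                 /* 8 real entries + NULL = 9 slots */
    int ok;

    memcpy(argv, args, sizeof(args));
    ok = process_size_args(w, h, b, &argc, argv);
    *argc_out = argc;
    return ok;
}

/* Constructed edge case: "-bpp" is the last entry and has no value.
 * With a truthful argc the scanner rejects the list instead of reading
 * past the end. Returns the scanner's result (expected 0). */
static int demo_truncated(void)
{
    char *argv[] = { "server", "-bpp", NULL };
    int argc = 2, w = 0, h = 0, b = 0;
    return process_size_args(&w, &h, &b, &argc, argv);
}

int main(void)
{
    int w = 0, h = 0, b = 0, n = 0;
    int ok = demo_consistent(&w, &h, &b, &n);
    printf("consistent: ok=%d width=%d height=%d bpp=%d remaining argc=%d\n",
           ok, w, h, b, n);
    printf("truncated:  ok=%d\n", demo_truncated());
    return 0;
}
```

The takeaway for anyone writing a harness around an argv-style API: `argc` must be the length of a real `char *` array that the harness itself allocated, so the scanner's `i + 1 >= *argc` check is checking something true. Fuzzing the integer and the array independently, as the generated reproducer does, can only produce reads the callee cannot defend against.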