ERROR: invalid alloc size 923074563 at ytnef.c : 461, suspected corruption (exceeded 1000 bytes)
=================================================================
==3877672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000001f2 at pc 0x0000002717a4 bp 0x7ffce3647680 sp 0x7ffce3646e08
READ of size 35 at 0x6040000001f2 thread T0
#0 0x2717a3 in printf_common(void*, char const*, __va_list_tag*) (/home/ytnef/bin/ytnef+0x2717a3)
#1 0x273020 in snprintf (/home/ytnef/bin/ytnef+0x273020)
#2 0x3030b4 in ProcessTNEF /home/ytnef/ytnef/main.c:381:9
#3 0x300732 in main /home/ytnef/ytnef/main.c:145:15
#4 0x7fbe727700b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x2533ed in _start (/home/ytnef/bin/ytnef+0x2533ed)
0x6040000001f2 is located 0 bytes to the right of 34-byte region [0x6040000001d0,0x6040000001f2)
allocated by thread T0 here:
#0 0x2cd5d2 in calloc (/home/ytnef/bin/ytnef+0x2cd5d2)
#1 0x7fbe72af6026 in TNEFFillMapi /home/ytnef/lib/ytnef.c:535:24
#2 0x7fbe72b057f7 in TNEFParse /home/ytnef/lib/ytnef.c:1221:15
#3 0x7fbe72b04365 in TNEFParseFile /home/ytnef/lib/ytnef.c:1078:10
#4 0x3006cb in main /home/ytnef/ytnef/main.c:140:9
#5 0x7fbe727700b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ytnef/bin/ytnef+0x2717a3) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 02 fa
0x0c087fff8020: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 07
=>0x0c087fff8030: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00[02]fa
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3877672==ABORTING
If built without ASAN, and use Valgrind , maybe more detailed.
==1176416== Memcheck, a memory error detector
==1176416== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1176416== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1176416== Command: ./bin/ytnef ./crash_verifyed/heap-overflow.1
==1176416==
ERROR: invalid alloc size 923074563 at ytnef.c : 461, suspected corruption (exceeded 1000 bytes)
==1176416== Invalid read of size 1
==1176416== at 0x483EF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1176416== by 0x48EBE94: __vfprintf_internal (vfprintf-internal.c:1688)
==1176416== by 0x48FF119: __vsnprintf_internal (vsnprintf.c:114)
==1176416== by 0x48D4F75: snprintf (snprintf.c:31)
==1176416== by 0x10CD50: snprintf (stdio2.h:67)
==1176416== by 0x10CD50: ProcessTNEF (main.c:381)
==1176416== by 0x10950B: main (main.c:145)
==1176416== Address 0x4a72e02 is 0 bytes after a block of size 34 alloc'd
==1176416== at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1176416== by 0x484DB81: TNEFFillMapi (ytnef.c:535)
==1176416== by 0x484F7FE: TNEFParse (ytnef.c:1221)
==1176416== by 0x484FAF2: TNEFParseFile (ytnef.c:1078)
==1176416== by 0x1094E8: main (main.c:140)
==1176416==
==1176416==
==1176416== HEAP SUMMARY:
==1176416== in use at exit: 0 bytes in 0 blocks
==1176416== total heap usage: 177 allocs, 177 frees, 45,764 bytes allocated
==1176416==
==1176416== All heap blocks were freed -- no leaks are possible
==1176416==
==1176416== For lists of detected and suppressed errors, rerun with: -s
==1176416== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Hi, A OOB access can be triggered in latest commit 216377b.
The data might not be NULL-terminated, Size +1 need for the end of string the '\0'
vl->data = calloc(vl->size, sizeof(BYTE));
Test platform:
ubuntu 20.04 x86_64 gcc version 9.3.0
reproduce:
oob_poc.zip
Debug info:
If built without ASAN, and use Valgrind , maybe more detailed.