jasper-software / xv

XV Software

AddressSanitizer: stack-buffer-overflow in xv.c ReadFileType() #15

Open mal359 opened 11 months ago

mal359 commented 11 months ago

This occurs upon any attempt to read a plain text file.

=================================================================
==1591672==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8d2c10353e at pc 0x7f8d2ef9e00a bp 0x7ffcb4ea7f70 sp 0x7ffcb4ea7730
READ of size 31 at 0x7f8d2c10353e thread T0
    #0 0x7f8d2ef9e009 in StrstrCheck ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:652
    #1 0x7f8d2effbb0a in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:669
    #2 0x7f8d2effbb0a in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:662
    #3 0x5613594c45b4 in ReadFileType (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x7f5b4) (BuildId: dd2b17c4b2fe400fee221df9fbb0e8ad1d27da06)
    #4 0x5613594c77a5 in openPic (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x827a5) (BuildId: dd2b17c4b2fe400fee221df9fbb0e8ad1d27da06)
    #5 0x5613594b79b3 in main (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x729b3) (BuildId: dd2b17c4b2fe400fee221df9fbb0e8ad1d27da06)
    #6 0x7f8d2e908b89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f8d2e908c44 in __libc_start_main_impl ../csu/libc-start.c:360
    #8 0x5613594ba8e0 in _start (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x758e0) (BuildId: dd2b17c4b2fe400fee221df9fbb0e8ad1d27da06)

Address 0x7f8d2c10353e is located in stack of thread T0 at offset 62 in frame
    #0 0x5613594c352f in ReadFileType (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x7e52f) (BuildId: dd2b17c4b2fe400fee221df9fbb0e8ad1d27da06)

  This frame has 1 object(s):
    [32, 62) 'magicno' (line 3041) <== Memory access at offset 62 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:652 in StrstrCheck
Shadow bytes around the buggy address:
  0x7f8d2c103280: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 00 00 00 00
  0x7f8d2c103300: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f8d2c103380: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 00 00 00 00
  0x7f8d2c103400: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 00 00 00 00
  0x7f8d2c103480: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x7f8d2c103500: f1 f1 f1 f1 00 00 00[06]f3 f3 f3 f3 00 00 00 00
  0x7f8d2c103580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8d2c103600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8d2c103680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8d2c103700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8d2c103780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1591672==ABORTING
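The report's frame holds a single 30-byte stack object, magicno, and the faulting access is a 31-byte read issued from inside strstr(). That is the shape of a fixed-size buffer handed to a C string function without a NUL terminator: on a plain text file none of the first 30 bytes is zero, so the search runs off the end of the buffer. The following is an added example, not xv's code, showing the hardened pattern: read with a one-byte spare for the terminator, keep the byte count, and match magic numbers with a bounded search that never depends on a terminator. The buffer size, signatures and function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not xv's code. Models the failure shape in the ASan
 * report: a fixed-size magic-number buffer filled by fread() and then searched
 * with strstr(), which keeps reading until it meets a NUL byte. */
#define MAGICNO_LEN 30   /* assumed size, matching the [32, 62) object above */

/* Bounded substring search: reads only buf[0..n) and needs no terminator,
 * unlike strstr(). Returns 1 if needle occurs within the first n bytes. */
static int bounded_contains(const unsigned char *buf, size_t n,
                            const char *needle)
{
    size_t m = strlen(needle);
    if (m > n)
        return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Hardened reader: the buffer is one byte larger than the data it holds, the
 * count actually read is returned, and the spare byte is NUL-terminated so any
 * remaining C string call in a caller is also safe on a short or binary file. */
size_t read_magic(FILE *fp, unsigned char magicno[MAGICNO_LEN + 1])
{
    size_t n = fread(magicno, 1, MAGICNO_LEN, fp);
    magicno[n] = '\0';
    return n;
}

/* Classify the leading bytes using only the n bytes that were actually read.
 * The signatures are constructed for the example, not xv's detection table. */
const char *classify_magic(const unsigned char *magicno, size_t n)
{
    if (bounded_contains(magicno, n, "\x89PNG"))
        return "png";
    if (bounded_contains(magicno, n, "GIF8"))
        return "gif";
    if (n >= 2 && magicno[0] == 'P' && magicno[1] >= '1' && magicno[1] <= '6')
        return "pnm";
    return "unknown";   /* a plain text file lands here without overreading */
}
```

Built with -fsanitize=address, classify_magic() stays clean on a 30-byte all-text buffer because every read is bounded by n, which is exactly what the strstr() path in the report lacks.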