lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

heap-buffer-overflow parse.c:3482 in do_tune #24

Open fgeek opened 6 years ago

fgeek commented 6 years ago

Reproducer: abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc.zip (SHA1: 292bad90a19bc9dc8a61729daef4e76550d39347)
Tested in: 070cfe675580d8deb01227ade7fb854a4ebee641
Fuzzing tool used: afl-2.52b

```
00000000  58 3a 30 0a 54 3a 20 20  20 20 20 20 20 30 30 30  |X:0.T:       000|
00000010  0a 92 30 30 30 30 30 30  30 30 30 30 30 30 30 80  |..0000000000000.|
00000020  30 30 30 30 30 30 0a 20  20 30 30 30 30 30 30 30  |000000.  0000000|
00000030  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000050  30 30 30 30 8e 30 30 30  30 30 30 30 30 30 30 30  |0000.00000000000|
00000060  0a 4b 3a 47 0a 92 22 30  30 30 30 30 22 30 22 22  |.K:G.."00000"0""|
00000070  22 22 22 22 3a 30 30 bb  30 7c 40 7c 7c 7c 67 32  |"""":00.0|@|||g2|
00000080  67 81 20 4a 30 64 32 30  66 32 22 30 22 22 22 22  |g. J0d20f2"0""""|
00000090  22 22 30 30 30 30 30 30  30 30 30 30 30 30 0a 4d  |""000000000000.M|
000000a0  3a 34 2f 34                                       |:4/4|
000000a4
```
```
./src/abcm2ps/abcm2ps abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:0: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
     ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:1: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
      ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:9: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
              ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:19: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                        ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:20: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                         ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:21: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                          ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:23: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                            ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:30: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                   ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:31: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                    ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:34: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                       ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:60: error: No end of guitar chord
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                                                 ^
=================================================================
==23434==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000e0 at pc 0x55aaafbb5fc8 bp 0x7ffc649ef9e0 sp 0x7ffc649ef9d8
READ of size 1 at 0x6250000000e0 thread T0
    #0 0x55aaafbb5fc7 in do_tune /home/hsalo/src/abcm2ps/parse.c:3482
    #1 0x55aaafa239b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
    #2 0x55aaafafddf8 in frontend /home/hsalo/src/abcm2ps/front.c:905
    #3 0x55aaafa1bf3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #4 0x55aaafa182b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #5 0x7fc6e08642e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x55aaafa1a649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x6250000000e0 is located 32 bytes to the left of 8222-byte region [0x625000000100,0x62500000211e)
allocated by thread T0 here:
    #0 0x7fc6e0fa8d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55aaafa1eba1 in getarena /home/hsalo/src/abcm2ps/abcm2ps.c:1105

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/abcm2ps/parse.c:3482 in do_tune
Shadow bytes around the buggy address:
  0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c4a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23434==ABORTING
```
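Added regression script (not the reporter's or the project's code): it rebuilds the 164-byte reproducer from the hex dump in the report, builds abcm2ps with AddressSanitizer, and checks the run for the `heap-buffer-overflow ... in do_tune` summary line. It assumes a POSIX sh whose printf accepts `\ooo` octal escapes and that abcm2ps builds with `./configure && make` and honours CC/CFLAGS/LDFLAGS overrides on the make command line.

```shell
#!/bin/sh
# Regression check for abcm2ps issue #24 (added example, not project code).
# Assumptions: POSIX sh printf with \ooo octal escapes; abcm2ps builds with
# "./configure && make" and accepts CC/CFLAGS/LDFLAGS overrides on the make line.
# Rebuild the 164-byte (0xa4) reproducer from the hex dump in the report.
# The "*" line in the dump means offset 0x40 repeats the 0x30 line (all '0');
# the non-ASCII bytes 92 80 8e bb 81 are written as octal escapes.
write_repro() {   # $1 = output path
  {
    printf 'X:0\n'
    printf 'T:       000\n'
    printf '\2220000000000000\200000000\n'
    printf '  0000000000000000000000000000000000000000000\21600000000000\n'
    printf 'K:G\n'
    printf '\222"00000"0"""""":00\2730|@|||g2g\201 J0d20f2"0""""""000000000000\n'
    printf 'M:4/4'          # the original file has no trailing newline
  } > "$1"
}

# True when a captured abcm2ps stderr carries the crash signature from the report.
asan_hit() {   # $1 = captured stderr text
  printf '%s\n' "$1" |
    grep -q 'SUMMARY: AddressSanitizer: heap-buffer-overflow .*parse\.c:[0-9]* in do_tune'
}

# Build abcm2ps with AddressSanitizer so the 1-byte read into the arena's
# left redzone (shadow byte "fa" in the report) is caught instead of going unnoticed.
build_asan() {
  ./configure &&
    make CC=cc CFLAGS='-g -O1 -fsanitize=address -fno-omit-frame-pointer' \
         LDFLAGS='-fsanitize=address'
}

# Run the ASan binary on the reproducer; returns 0 if the bug is still present.
check_repro() {   # $1 = abcm2ps binary, $2 = input file
  out=$("$1" "$2" 2>&1 >/dev/null)
  asan_hit "$out"
}

# Usage: sh asan_repro.sh /path/to/abcm2ps-src   (runs the full check)
if [ "$#" -eq 1 ]; then
  cd "$1" || exit 2
  build_asan || exit 2
  write_repro repro-24.abc
  if check_repro ./abcm2ps repro-24.abc; then
    echo "STILL VULNERABLE: heap-buffer-overflow in do_tune"; exit 1
  else
    echo "no ASan report for issue #24"; exit 0
  fi
fi
```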
moinejf commented 6 years ago

Hi, I could not find any problem with this tune using the latest GitHub version (commit 7b5508a).
Could you check this again?

fgeek commented 6 years ago

@moinejf I can still reproduce this when compiled with AddressSanitizer (ASan).

moinejf commented 6 years ago

I looked again and made many tests: I could not find any problem.
I am using a 32-bit ARM board, so ASan is not usable.
Did you check whether this problem also occurs on 32-bit machines?

fgeek commented 6 years ago

@moinejf sorry, I don't have any 32-bit machines.

hkiel commented 4 years ago

I cannot reproduce with current abcm2ps on macOS.