lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

global buffer overflow subs.c:130 in cwid #26

Closed fgeek closed 6 years ago

fgeek commented 6 years ago

Reproducer: abcm2ps-global-buffer-overflow-subs.c-cwid.abc.zip (SHA1: 0bb5bd5f8816137483183149f2e319bfb1af83f6)
Tested in: 070cfe675580d8deb01227ade7fb854a4ebee641
Fuzzing tool used: afl-2.52b

00000000  58 3a 0a 4b 3a 0a 47 0a  77 3a 30 80              |X:.K:.G.w:0.|
0000000c
~/src/abcm2ps/abcm2ps abcm2ps-global-buffer-overflow-subs.c-cwid.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-global-buffer-overflow-subs.c-cwid.abc
=================================================================
==28346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55f8791225a0 at pc 0x55f8790b80b7 bp 0x7ffdd1e58870 sp 0x7ffdd1e58868
READ of size 2 at 0x55f8791225a0 thread T0
    #0 0x55f8790b80b6 in cwid /home/hsalo/src/abcm2ps/subs.c:130
    #1 0x55f87901a155 in ly_width /home/hsalo/src/abcm2ps/music.c:941
    #2 0x55f8790286ec in set_width /home/hsalo/src/abcm2ps/music.c:1126
    #3 0x55f8790286ec in set_allsymwidth /home/hsalo/src/abcm2ps/music.c:1436
    #4 0x55f879048023 in output_music /home/hsalo/src/abcm2ps/music.c:5120
    #5 0x55f87907cd20 in generate /home/hsalo/src/abcm2ps/parse.c:1039
    #6 0x55f8790a437c in gen_ly /home/hsalo/src/abcm2ps/parse.c:1060
    #7 0x55f8790a437c in do_tune /home/hsalo/src/abcm2ps/parse.c:3621
    #8 0x55f878f229b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
    #9 0x55f878ffcdf8 in frontend /home/hsalo/src/abcm2ps/front.c:905
    #10 0x55f878f1af3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #11 0x55f878f172b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #12 0x7fd17cd832e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x55f878f19649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x55f8791225a0 is located 0 bytes to the right of global variable 'cw_tb' defined in 'subs.c:42:14' (0x55f8791224a0) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/abcm2ps/subs.c:130 in cwid
==28346==ABORTING

Sample minimized using afl-tmin:

File size reduced by : 93.88% (to 12 bytes)
Characters simplified : 1333.33%
Number of execs done : 134
Fruitless execs : path=70 crash=0 hang=0
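The trace reports a 2-byte read exactly at the end of the 256-byte global cw_tb, reached from a w: lyric line whose last byte is 0x80. The real cwid is not shown here; as an added illustration (not abcm2ps code) the following assumes the shape that report implies, a 128-entry table of 16-bit widths indexed by a character code, and shows the unchecked lookup beside one that keeps every byte inside the table. Table contents, names and the fallback character are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a per-character width table: 128 entries of
 * 2 bytes = 256 bytes, the size AddressSanitizer reports for cw_tb.
 * The widths themselves are made up. */
#define CW_ENTRIES 128
static int16_t width_tb[CW_ENTRIES];

void init_width_tb(void)
{
    for (int i = 0; i < CW_ENTRIES; i++)
        width_tb[i] = (i < 0x20) ? 0 : 500 + (i % 7) * 10; /* constructed */
}

/* Unchecked lookup: a byte of 0x80 or above indexes one entry past the
 * end of the table, the global-buffer-overflow read the report shows. */
int16_t cwid_unchecked(unsigned char c)
{
    return width_tb[c];
}

/* Checked lookup: codes outside the table fall back to the width of a
 * fixed character ('n', an assumption) so every byte maps to a valid entry. */
int16_t cwid_checked(unsigned char c)
{
    if (c >= CW_ENTRIES)
        c = 'n';
    return width_tb[c];
}

/* Sum the widths of a lyric string the way a ly_width-style caller would,
 * using the checked lookup so non-ASCII bytes cannot leave the table. */
long lyric_width(const unsigned char *s, size_t n)
{
    long w = 0;
    for (size_t i = 0; i < n; i++)
        w += cwid_checked(s[i]);
    return w;
}
```

Running the unchecked variant on the reproducer's "0\x80" lyric under ASan reproduces the class of finding above; the checked variant resolves the 0x80 byte to the fallback entry.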
fgeek commented 6 years ago

@moinejf Thank you. Fix confirmed.