Closed fgeek closed 6 years ago
Attachment: 8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb.zip
Tested commit: b381efd3248902ed2f9a797a46f79dfa0690a9c4
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

I am more than happy to continue fuzzing this software after fixes have been applied. Thanks!
```
./lou_checktable 8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb
<snip>
=================================================================
==1606==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7fe53f40 at pc 0x7fe7a31fc7c9 bp 0x7fff7fe534d0 sp 0x7fff7fe534c8
WRITE of size 1 at 0x7fff7fe53f40 thread T0
    #0 0x7fe7a31fc7c8 in includeFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560
    #1 0x7fe7a31fc7c8 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3196
    #2 0x7fe7a32024ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7fe7a3203707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7fe7a3203707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x564fd1060f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7fe7a2e192e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x564fd1061199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7fff7fe53f40 is located in stack of thread T0 at offset 2528 in frame
    #0 0x7fe7a31e3b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis' <== Memory access at offset 2528 overflows this variable
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560 in includeFile
Shadow bytes around the buggy address:
  0x10006ffc2790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006ffc27e0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x10006ffc27f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1606==ABORTING
```
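The report above says everything a reviewer needs about the shape of the bug: `includeThis` is a 2048-byte stack buffer (`[480, 2528)`), and the faulting access is a single-byte write at offset 2528, the first byte past its end, while `includeFile` is copying the argument of an `include` directive. The example below is an added illustration and not liblouis code; it models that pattern with a hypothetical `handle_include_line` that reads the file name into a fixed-size stack buffer, and shows the bounds check that rejects a name that does not fit together with its terminator. Function names, the `INCLUDE_NAME_MAX` constant and the test lines are assumptions for the example only; the actual fix in liblouis may look different.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the 2048-byte 'includeThis' object in the report. */
#define INCLUDE_NAME_MAX 2048

/* Returns 1 if a token of 'toklen' bytes plus its NUL terminator fits in a
 * buffer of 'cap' bytes, 0 otherwise. toklen == cap is the boundary case:
 * the bytes fit, but the terminator lands one past the end, which is the
 * 1-byte write ASan reports at offset 2528 (= 480 + 2048). */
static int include_name_fits(size_t toklen, size_t cap) {
    return toklen < cap;
}

/* Bounds-checked copy of a file-name token into a fixed-size buffer.
 * Returns 0 on success, -1 if the name would not fit. On -1 nothing is
 * written, so the caller can reject the table line instead of truncating
 * the file name silently (a truncated name would open the wrong file). */
static int copy_include_name(char *out, size_t cap, const char *tok, size_t toklen) {
    if (!include_name_fits(toklen, cap)) return -1;
    memcpy(out, tok, toklen);
    out[toklen] = '\0';
    return 0;
}

/* Models the compile step: takes the token after "include " into a stack
 * buffer of INCLUDE_NAME_MAX bytes. Returns 1 if the line was accepted,
 * 0 if it is not an include line or the file name is too long. */
static int handle_include_line(const char *line) {
    char includeThis[INCLUDE_NAME_MAX];   /* fixed-size stack buffer, as in the report */
    const char *kw = "include ";
    size_t kwlen = strlen(kw);
    if (strncmp(line, kw, kwlen) != 0) return 0;
    const char *tok = line + kwlen;
    size_t toklen = strcspn(tok, " \t\r\n");   /* token ends at whitespace or end of line */
    if (copy_include_name(includeThis, sizeof includeThis, tok, toklen) != 0) {
        fprintf(stderr, "include: file name of %zu bytes exceeds %zu-byte buffer, line rejected\n",
                toklen, sizeof includeThis);
        return 0;
    }
    return 1;
}

/* Builds a constructed "include <name>\n" line whose name is exactly
 * 'namelen' bytes of 'a', to probe the boundary. Caller frees the result. */
static char *make_include_line(size_t namelen) {
    const char *kw = "include ";
    size_t kwlen = strlen(kw);
    char *line = malloc(kwlen + namelen + 2);   /* name + '\n' + NUL */
    if (!line) return NULL;
    memcpy(line, kw, kwlen);
    memset(line + kwlen, 'a', namelen);
    line[kwlen + namelen] = '\n';
    line[kwlen + namelen + 1] = '\0';
    return line;
}

int main(void) {
    char *fits = make_include_line(INCLUDE_NAME_MAX - 1);   /* 2047 bytes + NUL: fits */
    char *overflow = make_include_line(INCLUDE_NAME_MAX);   /* 2048 bytes: terminator would be out[2048] */
    printf("2047-byte name accepted: %d\n", handle_include_line(fits));
    printf("2048-byte name accepted: %d\n", handle_include_line(overflow));
    free(fits);
    free(overflow);
    return 0;
}
```

The check is deliberately `toklen < cap` rather than `toklen <= cap`: the off-by-one between those two is exactly the difference between a clean rejection and the single-byte overflow the sanitizer flagged.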
CVE-2018-11684 was assigned to this issue.