libyal / libpff

Library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format
GNU Lesser General Public License v3.0

AddressSanitizer: heap-buffer-overflow at libpff_data_array.c:567 #57

Closed hongxuchen closed 6 years ago

hongxuchen commented 6 years ago

We found with our fuzzer several heap-buffer-overflow and heap-use-after-free errors when running pffinfo $file (compiled with Address Sanitizer). We will enumerate them in the following issues and hope this can be tackled when you have time.

(Another person mentioned another issue in this page).

1st one: heap-buffer-overflow at libpff_data_array.c:567

POC files: https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_1.input.txt https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_2.input.txt

ASan output: https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_1.err.SIG06 https://github.com/ntu-sec/pocs/blob/master/libpff-4938b7a/crashes/hbo_libpff_data_array.c%3A567_2.err.SIG06

joachimmetz commented 6 years ago

(Another person mentioned another issue in this page).

Thanks for letting me know. I'll track this in https://github.com/libyal/libpff/issues/64, but this is a different issue than the one you mention here.

==2788== Invalid read of size 1
==2788==    at 0x486008: libpff_data_array_read_entries (libpff_data_array.c:567)
==2788==    by 0x485AB2: libpff_data_array_read (libpff_data_array.c:321)
==2788==    by 0x46725D: libpff_io_handle_read_descriptor_data_list (libpff_io_handle2.c:317)
==2788==    by 0x41DE3A: libpff_table_read (libpff_table.c:2133)
==2788==    by 0x40E9C7: libpff_item_values_read (libpff_item_values.c:289)
==2788==    by 0x40F928: libpff_name_to_id_map_read (libpff_name_to_id_map.c:292)
==2788==    by 0x404490: libpff_file_open_read (libpff_file.c:1081)
==2788==    by 0x4039E9: libpff_file_open_file_io_handle (libpff_file.c:580)
==2788==    by 0x403748: libpff_file_open (libpff_file.c:322)
==2788==    by 0x401651: info_handle_open_input (info_handle.c:298)
==2788==    by 0x402AA9: main (pffinfo.c:284)

joachimmetz commented 6 years ago

Addressed in https://github.com/libyal/libpff/commit/e308d8c0ae758de794ce8d0277922f7259345f7a
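The trace above stops in libpff_data_array_read_entries, but the thread does not say what the read past the buffer was. The following is an added example, not libpff code and not a description of the PFF data array format, of the general defect class a sanitizer report like this one usually points at: a loop bound that comes from the file is used to index a heap buffer without first being checked against that buffer's size. The on-disk layout here is constructed for the example (a 2-byte little-endian entry count followed by 4-byte entries), as are the three sample inputs; the unchecked reader is kept only for contrast with the checked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, constructed for this example (NOT the PFF data array):
 * 2-byte LE entry count, then entry_count records of ENTRY_SIZE bytes,
 * each a 32-bit LE value. */
#define HEADER_SIZE 2
#define ENTRY_SIZE  4
#define MAX_ENTRIES 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_HEADER,     /* buffer is smaller than the header itself */
    PARSE_ERR_TOO_MANY,   /* claimed count exceeds the caller's output capacity */
    PARSE_ERR_TRUNCATED   /* claimed count needs more bytes than the buffer holds */
};

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked shape: the loop bound is taken from the file and the buffer length
 * is never consulted. A crafted count walks past the end of `data`, which is
 * what ASan/valgrind report as a heap-buffer-overflow / invalid read.
 * Kept for contrast only; never call it on untrusted input. */
static size_t read_entries_unchecked(const uint8_t *data, uint32_t *out)
{
    uint16_t count = read_le16(data);
    for (size_t i = 0; i < count; i++)
        out[i] = read_le32(data + HEADER_SIZE + i * ENTRY_SIZE);
    return count;
}

/* Checked shape: the header read is guarded by `size`, the count is bounded by
 * the output capacity, and the count is compared against the entries that
 * actually fit in the remaining bytes. Dividing the remaining size instead of
 * multiplying the count avoids an integer wrap in the comparison. */
static enum parse_status read_entries_checked(const uint8_t *data, size_t size,
                                              uint32_t *out, size_t out_cap,
                                              size_t *out_count)
{
    *out_count = 0;
    if (size < HEADER_SIZE)
        return PARSE_ERR_HEADER;
    uint16_t count = read_le16(data);
    if (count > out_cap)
        return PARSE_ERR_TOO_MANY;
    if (count > (size - HEADER_SIZE) / ENTRY_SIZE)
        return PARSE_ERR_TRUNCATED;
    for (size_t i = 0; i < count; i++)
        out[i] = read_le32(data + HEADER_SIZE + i * ENTRY_SIZE);
    *out_count = count;
    return PARSE_OK;
}

/* Small wrappers so results can be inspected without managing buffers. */
static int parse_status(const uint8_t *data, size_t size)
{
    uint32_t ents[MAX_ENTRIES];
    size_t n;
    return (int)read_entries_checked(data, size, ents, MAX_ENTRIES, &n);
}

static uint32_t parse_entry(const uint8_t *data, size_t size, size_t idx)
{
    uint32_t ents[MAX_ENTRIES];
    size_t n;
    if (read_entries_checked(data, size, ents, MAX_ENTRIES, &n) != PARSE_OK || idx >= n)
        return 0;
    return ents[idx];
}

/* Constructed sample inputs (not taken from the PoC files linked in the issue). */
static const uint8_t good_input[]  = { 0x02, 0x00, 0x10, 0, 0, 0, 0x20, 0, 0, 0 }; /* 2 entries, 10 bytes */
static const uint8_t short_input[] = { 0x03, 0x00, 0x10, 0, 0, 0, 0x20, 0, 0, 0 }; /* claims 3, holds 2 */
static const uint8_t huge_input[]  = { 0xFF, 0xFF };                               /* claims 65535, holds 0 */

int main(void)
{
    uint32_t ents[MAX_ENTRIES];
    printf("unchecked on well-formed input: %zu entries\n",
           read_entries_unchecked(good_input, ents));
    printf("checked good:  status %d, entry[1]=0x%x\n",
           parse_status(good_input, sizeof good_input),
           parse_entry(good_input, sizeof good_input, 1));
    printf("checked short: status %d\n", parse_status(short_input, sizeof short_input));
    printf("checked huge:  status %d\n", parse_status(huge_input, sizeof huge_input));
    printf("checked 1-byte buffer: status %d\n", parse_status(huge_input, 1));
    return 0;
}
```

The fuzzer-found inputs in this class of report are usually the second and third samples: a count that is plausible but one entry longer than the buffer, or a count near the field's maximum. The checked reader rejects both before any entry is touched, which is the property a fix for a heap-buffer-overflow in an entry-reading loop should restore.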