This is caused by the len > 0 check on line 13 which comes after the array access but len can be 0 already which will cause an out-of-bounds access past the string.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/nekz/git/clone/mdp/mdp+0x53764c) in util_strip_whitespace
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 01 fa fa[fa]01 fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==419636==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
This is caused by the
len > 0check on line 13 which comes after the array access butlencan be 0 already which will cause an out-of-bounds access past the string.https://github.com/p2sr/mdp/blob/4a580f63eb5c70bd1371153f2ff1ad219a1598fa/src/util.c#L8C1-L17
Found with libFuzzer + ASAN:
CFLAGS=-Wall -Werror -fsanitize=address,fuzzerLDFLAGS=-lm -fsanitize=address,fuzzerReproducible example: