tbeu / matio

MATLAB MAT File I/O Library
https://matio.sourceforge.io
BSD 2-Clause "Simplified" License

There is a stack-based buffer overflow in the ReadNextCell function of mat5.c (line 1001) #129

Closed gutiniao closed 4 years ago

gutiniao commented 4 years ago

A crafted input leads to a crash in mat5.c in matio 1.5.17. Triggered by ./matdump POC

PoC: 003-stackoverflow-ReadNextCell-mat51001

The ASAN information is as follows:

./matdump 003-stackoverflow-ReadNextCell-mat51001 
InflateRankDims: inflate returned data error
=================================================================
==41935==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd5e70bb0 at pc 0x7f134197a587 bp 0x7ffdd5e70a20 sp 0x7ffdd5e70a10
READ of size 4 at 0x7ffdd5e70bb0 thread T0
    #0 0x7f134197a586 in ReadNextCell /home/matio_asan/src/mat5.c:1001
    #1 0x7f1341a38e78 in Mat_VarReadNextInfo5 /home/matio_asan/src/mat5.c:4961
    #2 0x7f1341a4f46b in Mat_VarReadNextInfo /home/matio_asan/src/mat.c:2342
    #3 0x408126 in main /home/matio_asan/tools/matdump.c:944
    #4 0x7f134122a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401b58 in _start (/usr/local/matio_asan/bin/matdump+0x401b58)

Address 0x7ffdd5e70bb0 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f13419793b9 in ReadNextCell /home/matio_asan/src/mat5.c:892

  This frame has 4 object(s):
    [32, 40) 'nelems'
    [96, 104) 'dims'
    [160, 184) 'buf'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/matio_asan/src/mat5.c:1001 ReadNextCell
==41935==ABORTING
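
A defensive sketch of the check this report calls for, added here as an example and not matio's code: the rank read from the inflated header is bounded by the 64-byte uncomp_buf (16 uint32 words, as in the ASAN frame above) before any dimension is read, and an inflate error is treated as fatal rather than consumed. The word layout, MAX_RANK, the function names and the constructed header values are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, added as an example and not matio's code, of reading a
 * cell element's rank and dimensions out of a fixed 64-byte stack buffer: the
 * same size as uncomp_buf in the ASAN frame above (16 x uint32). */
#define UNCOMP_WORDS 16
#define MAX_RANK 8

enum { CELL_OK = 0, CELL_ERR_INFLATE = -1, CELL_ERR_SHORT = -2, CELL_ERR_RANK = -3 };

/* Assumed word layout for this example: [0] dims tag, [1] dims byte length
 * (4 bytes per dimension), [2..] the dimensions themselves. */
int read_cell_dims(const uint32_t uncomp_buf[UNCOMP_WORDS], size_t words_filled,
                   int inflate_rc, uint32_t dims[MAX_RANK], size_t *rank_out)
{
    size_t rank;

    if (inflate_rc != 0)            /* inflate reported a data error: */
        return CELL_ERR_INFLATE;     /* do not consume a partially filled buffer */
    if (words_filled < 2 || words_filled > UNCOMP_WORDS)
        return CELL_ERR_SHORT;
    rank = uncomp_buf[1] / 4;
    /* Bound the rank by the caller's dims array and by the words actually
     * inflated; otherwise uncomp_buf[2 + i] reads past the 64-byte frame. */
    if (rank == 0 || rank > MAX_RANK || rank > words_filled - 2)
        return CELL_ERR_RANK;
    memcpy(dims, &uncomp_buf[2], rank * sizeof(uint32_t));
    *rank_out = rank;
    return CELL_OK;
}

/* Constructed header: tag, byte length of dims, then dims 3 and 4. A byte
 * length of 1024 stands in for a crafted file claiming 256 dimensions. */
int check_header(uint32_t dims_bytes, size_t words_filled, int inflate_rc)
{
    uint32_t buf[UNCOMP_WORDS] = { 5 /* assumed dims tag */, dims_bytes, 3, 4 };
    uint32_t dims[MAX_RANK];
    size_t rank = 0;

    return read_cell_dims(buf, words_filled, inflate_rc, dims, &rank);
}
```
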

tbeu commented 4 years ago

No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.

Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

gutiniao commented 4 years ago

> No need to report fuzzing issues since matio is on OSS-Fuzz with still about 40 open issues.
>
> Instead of v1.5.17, please rerun the test against current master and reopen if the issue is still reproducible.

Yes, I just used 'git clone' to fetch the current master of matio; the issue is still reproducible.

I'm sure the issue is different from the fuzzing issues on OSS-Fuzz.

tbeu commented 4 years ago

Should be fixed now.

carnil commented 4 years ago

CVE-2019-20018 has been assigned for this issue.