buffer-overflow in function PushTSBuf() at src/PayloadBuf.cpp:706

[zhuvensi]

Describe： A heap-buffer-overflow was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function PushTSBuf() at src/PayloadBuf.cpp:706.Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04 Compile the program with address sanitizer with this: first add the command in makefile as follows:

Then: gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000003,sig:06,src:000015+000006,time:134707,execs:46267,op:splice,rep:11 --showinfo --removebox='unkn' (gdb) set logging on (gdb) set logging file out.txt (gdb) set logging redirect on (gdb) break main (gdb) run (gdb) step (gdb) print argc (gdb) print argv (gdb) continue (gdb) info signals (gdb) backtrace

GDB Reports:

(gdb) backtrace 
#0  0x00007f29f214a03f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000557574249cdb in CPayloadBuf::PushTSBuf (this=0x557574c02520, idxTSPack=0, pBuf=0x7fffebdc3240 "", offStart=239 '\357', offEnd=192 '\300') at ../../src/PayloadBuf.cpp:706
#2  0x000055757433d8c6 in DumpOneStream () at ../../src/DumpStream.cpp:2884
#3  0x000055757435cd52 in main (argc=4, argv=0x7fffebdc4728) at ../../src/DumpTS.cpp:1312

and this is the command at the bug address:

Poc

Poc file is here

Fuzzer Fuzzer is AFL.