Heap-buffer-overflow in catdoc version 0.95 (numutils.c) #4

@nafiez

Description

There's a buffer overflow found during fuzzing. ASAN output:

john@fuzzing:~/catdoc/out/crashes$ catdoc id:000001,sig:06,src:000001,op:flip1,pos:50
==4172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5f01618 at pc 0x0805f499 bp 0xbfbb1c68 sp 0xbfbb1c58
READ of size 1 at 0xb5f01618 thread T0
#0 0x805f498 in getlong /home/john/catdoc/src/numutils.c:22
#1 0x8064aae in ole_init /home/john/catdoc/src/ole.c:254
#2 0x8050f8b in analyze_format /home/john/catdoc/src/analyze.c:58
#3 0x804aab4 in main /home/john/catdoc/src/catdoc.c:180
#4 0xb7891636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#5 0x804ba7b (/usr/local/bin/catdoc+0x804ba7b)

0xb5f01618 is located 6 bytes to the right of 2-byte region [0xb5f01610,0xb5f01612)
allocated by thread T0 here:
#0 0xb7ac5dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0xb78ee2c5 in __strdup (/lib/i386-linux-gnu/libc.so.6+0x752c5)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/john/catdoc/src/numutils.c:22 getlong
Shadow bytes around the buggy address:
0x36be0270: fa fa 02 fa fa fa 05 fa fa fa 03 fa fa fa 02 fa
0x36be0280: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
0x36be0290: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x36be02a0: fa fa 04 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
0x36be02b0: fa fa 03 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x36be02c0: fa fa 02[fa]fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x36be02d0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x36be02e0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 03 fa
0x36be02f0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x36be0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36be0310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4172==ABORTING

Test file:
crashed_file.zip
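The trace above shows a one-byte read in getlong (numutils.c:22) landing 6 bytes past the end of a 2-byte heap region, i.e. a multi-byte integer reader that trusts an offset without knowing how large its buffer is. The usual fix for this class of bug is to carry the buffer length alongside the pointer and refuse any read whose last byte would fall outside it. The following is an added example written for this issue, not catdoc's own code: the function name read_le32_checked and its signature are assumptions, and the 2-byte region and sample bytes are constructed to mirror the shape of the report (a 2-byte region read at offset 8, which is where 0xb5f01618 sits relative to [0xb5f01610, 0xb5f01612)).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked little-endian 32-bit read (assumed shape; not catdoc's getlong).
 * Returns 1 and stores the value in *out when bytes offset..offset+3 all lie
 * inside buf[0..len); otherwise returns 0 and leaves *out untouched.
 * The check is written as len - offset < 4 so that offset + 4 can never wrap. */
static int read_le32_checked(const unsigned char *buf, size_t len,
                             size_t offset, uint32_t *out)
{
    if (buf == NULL || out == NULL)
        return 0;
    if (offset > len || len - offset < 4)
        return 0;
    *out = (uint32_t)buf[offset]
         | ((uint32_t)buf[offset + 1] << 8)
         | ((uint32_t)buf[offset + 2] << 16)
         | ((uint32_t)buf[offset + 3] << 24);
    return 1;
}

/* Mirrors the report's bad read on constructed input: a 2-byte heap region
 * (malloc here, standing in for the strdup'd region in the ASAN trace) read
 * at offset 8. With the length check in place the read is refused instead of
 * touching the redzone. Returns the checked reader's status (0 = refused). */
static int demo_short_region(void)
{
    unsigned char *region = malloc(2);
    uint32_t value = 0;
    int ok;
    if (region == NULL)
        return -1;
    region[0] = 'A';
    region[1] = '\0';
    ok = read_le32_checked(region, 2, 8, &value);
    free(region);
    return ok;
}

/* Happy path: a constructed 4-byte buffer holding 0x12345678 little-endian. */
static uint32_t demo_valid_read(void)
{
    const unsigned char bytes[4] = { 0x78, 0x56, 0x34, 0x12 };
    uint32_t value = 0;
    if (!read_le32_checked(bytes, sizeof bytes, 0, &value))
        return 0;
    return value;
}

int main(void)
{
    printf("short region read at offset 8: %s\n",
           demo_short_region() == 0 ? "refused" : "allowed");
    printf("valid read: 0x%08x\n", (unsigned)demo_valid_read());
    return 0;
}
```

The same pattern applies to every fixed-width reader a parser exposes (16-bit, 32-bit, 64-bit): the caller that owns the allocation passes its size down, and the reader never derives "how much I may read" from the offset alone. Running the build under ASAN with a fuzzer, as the reporter did, is the check that catches the cases where a length argument was forgotten.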
