Headline
CVE-2019-19918: Heap-based buffer overflow in the srcnext() function
Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
From:
Frederic Cambus
Subject:
Heap-based buffer overflow in the srcnext() function
Date:
Fri, 20 Dec 2019 19:00:59 +0100
Hi,
While fuzzing lout 3.40 with Honggfuzz, I found a heap-based buffer overflow in the srcnext() function, in z02.c.
Attaching a reproducer (gzipped so it doesn’t get mangled).
Issue can be reproduced by running:
``` lout test01 ```
```
==30030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6260000000ff at pc 0x0000004d9b84 bp 0x7fff16458220 sp 0x7fff16458218 WRITE of size 1 at 0x6260000000ff thread T0 #0 0x4d9b83 in srcnext /home/fcambus/lout-3.40/z02.c:381:26 #1 0x4d37b2 in LexGetToken /home/fcambus/lout-3.40/z02.c:491:15 #2 0x4f75fd in Parse /home/fcambus/lout-3.40/z06.c:819:7 #3 0x4ce4b5 in run /home/fcambus/lout-3.40/z01.c:898:9 #4 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5 #5 0x7f11f51731e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/…/csu/libc-start.c:308:16 #6 0x41b45d in _start (/home/fcambus/lout-3.40/lout+0x41b45d)
0x6260000000ff is located 1 bytes to the left of 10243-byte region [0x626000000100,0x626000002903) allocated by thread T0 here: #0 0x49335d in malloc (/home/fcambus/lout-3.40/lout+0x49335d) #1 0x4d1c2d in LexPush /home/fcambus/lout-3.40/z02.c:240:29
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/lout-3.40/z02.c:381:26 in srcnext Shadow bytes around the buggy address: 0x0c4c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4c7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==30030==ABORTING ```
test01.gz
Description: application/gunzip
Heap-based buffer overflow in the srcnext() function, Frederic Cambus <=
- Re: Heap-based buffer overflow in the srcnext() function, Frederic Cambus, 2019/12/21
Prev by Date: Re: Experiments with @Graph
Next by Date: Buffer overflow in the StringQuotedWord() function
Previous by thread: Re: Experiments with @Graph
Next by thread: Re: Heap-based buffer overflow in the srcnext() function
Index(es):
- Date
- Thread