Heap-based buffer overflow in the define_array() function
Brandy is an interpreter for BBC Basic
Hi,
While fuzzing Brandy with American Fuzzy Lop, I found a heap-based buffer overflow in the define_array() function, in src/variables.c at L414. It also happens at L407.
Attaching a reproducer; the issue can be reproduced by running:
brandy test03
=================================================================
==10340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5661b307f8 at pc 0x55e4c2ebc4c1 bp 0x7fff817778b0 sp 0x7fff817778a0
WRITE of size 16 at 0x7f5661b307f8 thread T0
#0 0x55e4c2ebc4c0 in define_array src/variables.c:414
#1 0x55e4c2ed9c12 in exec_dim src/mainstate.c:462
#2 0x55e4c2eccb35 in exec_statements src/statement.c:397
#3 0x55e4c2eccead in run_program src/statement.c:436
#4 0x55e4c2f2ee9e in run_interpreter src/brandy.c:326
#5 0x55e4c2f2df6c in main src/brandy.c:71
#6 0x7f56602c9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#7 0x55e4c2eb9799 in _start (/home/fcambus/brandy03/tbrandy+0x1d799)
0x7f5661b30800 is located 0 bytes to the right of 524288-byte region [0x7f5661ab0800,0x7f5661b30800)
allocated by thread T0 here:
#0 0x7f5660b15b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55e4c2efba61 in init_workspace src/heap.c:70
#2 0x55e4c2f2e240 in init2 src/brandy.c:148
#3 0x55e4c2f2df67 in main src/brandy.c:70
#4 0x7f56602c9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/variables.c:414 in define_array
==10340==ABORTING
This issue has been assigned CVE-2019-14665.
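Added illustration, not Brandy's code: the ASan report shows define_array() writing 16 bytes just past the end of a 524288-byte workspace region allocated by init_workspace(), so the check a DIM handler needs is that the array's byte count is computed without wraparound and compared against the space left in that region before anything is written. The workspace layout, the names and the element size are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an interpreter workspace: one malloc'd region
 * (524288 bytes, matching the region in the report) that DIM carves
 * array storage out of with a bump pointer. Hypothetical, not Brandy's. */
#define WS_SIZE 524288u

typedef struct {
    unsigned char *base;   /* start of the region */
    size_t size;           /* region size in bytes */
    size_t used;           /* bytes already handed out */
} workspace_t;

typedef struct {
    size_t nelems;         /* total number of elements */
    size_t elemsize;       /* bytes per element */
    unsigned char *data;   /* element storage inside the workspace */
} array_t;

/* Hardened DIM: element count and byte size are computed with overflow
 * detection, and storage is carved out only if it fits. Returns 0 on
 * success, -1 if the request is rejected. The unchecked pattern
 * ("p = base + used; used += bytes; memset(p, 0, bytes);") is what
 * writes past the end of the region once bytes exceeds what is left. */
static int define_array(workspace_t *ws, array_t *out,
                        const size_t *dims, size_t ndims, size_t elemsize)
{
    size_t nelems = 1;
    for (size_t i = 0; i < ndims; i++) {
        size_t n = dims[i] + 1;               /* DIM A(n): indices 0..n */
        if (dims[i] == SIZE_MAX || n > SIZE_MAX / nelems) return -1;
        nelems *= n;
    }
    if (elemsize != 0 && nelems > SIZE_MAX / elemsize) return -1;
    size_t bytes = nelems * elemsize;
    if (bytes > ws->size - ws->used) return -1;  /* would overrun region */
    out->nelems = nelems;
    out->elemsize = elemsize;
    out->data = ws->base + ws->used;
    ws->used += bytes;
    memset(out->data, 0, bytes);                 /* now provably in bounds */
    return 0;
}

/* Fresh workspace of WS_SIZE bytes; NULL on allocation failure. */
static workspace_t *workspace_new(void)
{
    workspace_t *ws = malloc(sizeof *ws);
    if (!ws) return NULL;
    ws->base = malloc(WS_SIZE);
    if (!ws->base) { free(ws); return NULL; }
    ws->size = WS_SIZE;
    ws->used = 0;
    return ws;
}
```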
This bug has long since been fixed on the Matrix Brandy fork.
Can you link to that please Michael?
Website http://brandy.matrixnetwork.co.uk and on github at https://github.com/stardot/MatrixBrandy/