#39 Heap Out-Of-Bounds Memory Access (122005605)

[Google-Autofuzz]

Hello InChI team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.04, September 2011).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_122005605.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-InChI-122005605 autofuzz_122005605
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_122005605/poc-d7fe6c25f22fc8c060ca2a0957e918f1bb26fb1b2ab7c6cd14ed59907d1116fc_min:/tmp/poc autofuzz-InChI-122005605 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_122005605/poc-d7fe6c25f22fc8c060ca2a0957e918f1bb26fb1b2ab7c6cd14ed59907d1116fc_min:/tmp/poc -it autofuzz-InChI-122005605

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

INFO: Seed: 3031277568
INFO: Loaded 0 modules (0 guards): 
/fuzzing/fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-d7fe6c25f22fc8c060ca2a0957e918f1bb26fb1b2ab7c6cd14ed59907d1116fc
=================================================================
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000158 at pc 0x00000066be1b bp 0x7fff4372c190 sp 0x7fff4372c188
READ of size 8 at 0x60e000000158 thread T0
    #0 0x66be1a in CopySegment(tagINChI*, tagINChI*, int, int, int) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c
    #1 0x677bb3 in ParseSegmentSp2(char const*, int, tagINChI**, int*, int, int*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:5990:23
    #2 0x669496 in ReadInChILine(tagOutputStream*, tagLine*, char**, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:4598:19
    #3 0x65b3f7 in InChILine2Data(tagOutputStream*, tagLine*, char**, int*, int*, tagINChI* (*) [2], int (*) [2], tagRemovedAndExchangeableH (*) [2], int (*) [2][2], int, int, unsigned long, int*, int*, unsigned char*) /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:2327:11
    #4 0x658fa5 in ReadWriteInChI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c:571:23
    #5 0x53dd6b in GetINCHIfromINCHI /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/inchi_dll.c:1953:16
    #6 0x518735 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:23:3
    #7 0x523ede in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x523ede)
    #8 0x51903e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x51903e)
    #9 0x51d547 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x51d547)
    #10 0x518d5b in main (/fuzzing/fuzzer+0x518d5b)
    #11 0x7f227ab4b2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #12 0x41ff89 in _start (/fuzzing/fuzzer+0x41ff89)

Address 0x60e000000158 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/INCHI-1-API/INCHI_API/inchi_dll/ichiread.c in CopySegment(tagINChI*, tagINChI*, int, int, int)
Shadow bytes around the buggy address:
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team