version: fig2dev Version 3.2.9a
system: ubuntu22.04
Use this command to reproduce: fig2dev -L ge ./poc
Message from ASAN:
==1989254==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeeb5323df at pc 0x55b034745461 bp 0x7ffeeb532240 sp 0x7ffeeb532230
READ of size 1 at 0x7ffeeb5323df thread T0
#0 0x55b034745460 in read_objects /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/read.c:242
#1 0x55b034745460 in readfp_fig /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/read.c:152
#2 0x55b03474761e in read_fig /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/read.c:124
#3 0x55b03470463d in main /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/fig2dev.c:469
#4 0x7f720b949d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f720b949e3f in __libc_start_main_impl ../csu/libc-start.c:392
#6 0x55b034705f54 in _start (/home/ubuntu/target_program/fig2dev-3.2.9a/fig2dev/output5/asan_fig2dev+0x6ff54)
Address 0x7ffeeb5323df is located in stack of thread T0 at offset 223 in frame
#0 0x55b03474288f in readfp_fig /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/read.c:129
This frame has 10 object(s):
[48, 52) 'object' (line 178)
[64, 68) 'coord_sys' (line 178)
[80, 84) 'line_no' (line 179)
[96, 100) 'c' (line 573)
[112, 116) 'r' (line 574)
[128, 132) 'g' (line 574)
[144, 148) 'b' (line 574)
[160, 168) 'line' (line 181)
[192, 200) 'line_len' (line 183)
[224, 241) 'buf' (line 182) <== Memory access at offset 223 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/ubuntu/asan_program/fig2dev-3.2.9a/fig2dev/read.c:242 in read_objects
Shadow bytes around the buggy address:
0x10005d69e420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005d69e430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005d69e440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005d69e450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005d69e460: f1 f1 f1 f1 f1 f1 04 f2 04 f2 04 f2 04 f2 04 f2
=>0x10005d69e470: 04 f2 04 f2 00 f2 f2 f2 00 f2 f2[f2]00 00 01 f3
0x10005d69e480: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10005d69e490: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
0x10005d69e4a0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
0x10005d69e4b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10005d69e4c0: f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1989254==ABORTING
Fixed with commit [5f2200].