stack overflow in 1.6.2 version
Analyzes and adjusts the volume of MP3 files
Hello.
I am a security researcher and I tried to explore fuzzing.
During fuzzing, I found a crash in 1.6.2 version.
The crashes were caused by WriteMP3GainAPETag (apetag.c, line 592).
The WriteMP3GainAPETag function is called by WriteMP3GainTag.
In the 1.6.2 version the crash occurred, and unlike the previous ticket, it was called from the WriteMP3GainTag function.
I used the following command to reproduce the crash:
mp3gain pocfile
The following is the backtrace log from ASAN.
=================================================================
==18511==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5e275f04 at pc 0x000000452a5e bp 0x7ffc5e275d80 sp 0x7ffc5e275530
WRITE of size 148 at 0x7ffc5e275f04 thread T0
#0 0x452a5d in vsprintf /home/yjgo/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1666
#1 0x452bc2 in sprintf /home/yjgo/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1709
#2 0x514ec9 in WriteMP3GainAPETag /home/yjgo/server_fuzz/benchmark/mp3gain-mem/apetag.c:592:3
#3 0x50b823 in WriteMP3GainTag /home/yjgo/server_fuzz/benchmark/mp3gain-mem/mp3gain.c:1141:3
#4 0x50b823 in main /home/yjgo/server_fuzz/benchmark/mp3gain-mem/mp3gain.c:2723:6
#5 0x7f141046cc86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41c368 in _start (/home/yjgo/mem_fuzz/benchmark/mp3gain+0x41c368)
Address 0x7ffc5e275f04 is located in stack of thread T0 at offset 132 in frame
#0 0x5134df in WriteMP3GainAPETag /home/yjgo/server_fuzz/benchmark/mp3gain-mem/apetag.c:404
This frame has 3 object(s):
[32, 132) 'valueString' (line 411)
[176, 208) 'newFooter' (line 413) <== Memory access at offset 132 partially underflows this variable
[240, 272) 'newHeader' (line 414) <== Memory access at offset 132 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/yjgo/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1666 in vsprintf
Shadow bytes around the buggy address:
0x10000bc46b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46bd0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000bc46be0:[04]f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
0x10000bc46bf0: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10000bc46c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000bc46c20: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f2 f2 f2 f2 f2
0x10000bc46c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==18511==ABORTING
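The frame layout in the report puts 'valueString' at 100 bytes ([32, 132)) while sprintf wrote 148, so the write into it is unbounded. The C example below is an added illustration, not mp3gain's own code: it assumes a ReplayGain-style "%-+.2f dB" format and a 100-byte stack buffer of the same size, shows that formatting an oversized double with %f needs far more than 100 bytes, and replaces the unbounded sprintf with a snprintf whose return value is checked so an oversized value is rejected instead of overrunning the stack.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for this example (not taken from apetag.c):
 * the buffer size matches 'valueString' in the ASAN frame, the
 * format string is a typical ReplayGain tag value. */
#define VALUE_STRING_SIZE 100
#define GAIN_FMT "%-+.2f dB"

/* Length the formatted value would occupy (excluding the NUL), computed
 * without writing anywhere. An unbounded sprintf performs no such check:
 * a double of magnitude ~1e140 expands to 140+ digits under %f. */
int required_length(double gain) {
    return snprintf(NULL, 0, GAIN_FMT, gain);
}

/* Bounded replacement for sprintf(valueString, ...): writes at most outsz
 * bytes and reports truncation. Returns 0 on success, -1 if the value does
 * not fit, in which case out is left as an empty string. */
int format_gain_value(char *out, size_t outsz, double gain) {
    int n = snprintf(out, outsz, GAIN_FMT, gain);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Mirrors the reporter's frame: a 100-byte stack buffer. With sprintf this
 * is where the 148-byte write lands; with the bounded formatter the
 * oversized value is rejected and the caller can skip emitting the tag. */
int write_gain_tag(double gain) {
    char valueString[VALUE_STRING_SIZE];
    return format_gain_value(valueString, sizeof valueString, gain);
}

int main(void) {
    printf("required for -3.21: %d\n", required_length(-3.21));
    printf("required for 1e140: %d\n", required_length(1e140));
    printf("write_gain_tag(1e140) -> %d (rejected, not overflowed)\n",
           write_gain_tag(1e140));
    return 0;
}
```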