Menu

#55 AddressSanitizer: stack-buffer-overflow in mp3gain

v1.0 (example)
open
nobody
None
5
2024-09-09
2024-09-09
secrookie
No

Describe the bug

AddressSanitizer: stack-buffer-overflow in mp3gain.

To Reproduce

Built mp3gain version 1.6.2 using the provided Makefile file.

ASAN Output

==11200==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff1aaaacc4 at pc 0x7fa36f94104f bp 0x7fff1aaaaa00 sp 0x7fff1aaaa190
WRITE of size 148 at 0x7fff1aaaacc4 thread T0
    #0 0x7fa36f94104e in __interceptor_vsprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1687
    #1 0x7fa36f94127e in __interceptor_sprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1730
    #2 0x559b8033db84 in WriteMP3GainAPETag /experiments/programs_AFLplusplus/unibench/mp3gain-newest/apetag.c:592
    #3 0x559b8033078d in main_impl /experiments/programs_AFLplusplus/unibench/mp3gain-newest/mp3gain.c:2722
    #4 0x7fa36f59fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #5 0x7fa36f59fe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #6 0x559b80318d44 in _start (/experiments/programs_AFLplusplus/aflasan/mp3gain+0x9d44)

Address 0x7fff1aaaacc4 is located in stack of thread T0 at offset 276 in frame
    #0 0x559b8033abdf in WriteMP3GainAPETag /experiments/programs_AFLplusplus/unibench/mp3gain-newest/apetag.c:404

  This frame has 3 object(s):
    [48, 80) 'newFooter' (line 413)
    [112, 144) 'newHeader' (line 414)
    [176, 276) 'valueString' (line 411) <== Memory access at offset 276 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1687 in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x10006354d540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d570: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00
  0x10006354d580: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
=>0x10006354d590: 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3 f3 00 00
  0x10006354d5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006354d5d0: 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 01 f2 04 f2
  0x10006354d5e0: 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11200==ABORTING
1 Attachments

Discussion


Log in to post a comment.