Gist epmatsw/60b9306b38dbea4454bc
Created June 5, 2015 21:49
zlib-ng buffer overflow
=================================================================
==2893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000007ff at pc 0x41fd88 bp 0x7ffeb0001900 sp 0x7ffeb00018f0
READ of size 1 at 0x6310000007ff thread T0
    #0 0x41fd87 in fizzle_matches /home/will/zlib-ng/deflate_medium.c:114
    #1 0x41fd87 in deflate_medium /home/will/zlib-ng/deflate_medium.c:259
    #2 0x426a02 in deflate /home/will/zlib-ng/deflate.c:885
    #3 0x406642 in gzwrite /home/will/zlib-ng/test/minigzip.c:165
    #4 0x406642 in gz_compress /home/will/zlib-ng/test/minigzip.c:290
    #5 0x408127 in file_compress /home/will/zlib-ng/test/minigzip.c:382
    #6 0x402ce4 in main /home/will/zlib-ng/test/minigzip.c:525
    #7 0x7fd5dcffaa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #8 0x403c68 in _start (/home/will/zlib-ng/minigzip+0x403c68)
0x6310000007ff is located 1 bytes to the left of 65552-byte region [0x631000000800,0x631000010810)
allocated by thread T0 here:
    #0 0x7fd5dd3fb985 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x57985)
    #1 0x439714 in deflateInit2_ /home/will/zlib-ng/deflate.c:319
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/will/zlib-ng/deflate_medium.c:114 fizzle_matches
Shadow bytes around the buggy address:
  0x0c627fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c627fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c627fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==2893==ABORTING
I presume that happens when either n.match_start or n.strstart is zero, because the resulting pointer goes beyond the start of the allocated memory range. I would add checks after lines 130 and 131 to see which one is the culprit, but I assume the actual error is somewhere in the calling function though.
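To make the hypothesis in the comment above concrete, here is an added example that is not zlib-ng's code: a simplified model of a backward match extension, with an unguarded loop that reads window[-1] as soon as strstart or match_start is zero, beside a guarded one that stops at the start of the window. The function names, the window contents and the max_extend parameter are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample window: "abc" at offset 9 repeats "abc" at offset 3,
 * and the three bytes before each occurrence ("xyz") agree as well. */
static const uint8_t kWindow[] = "xyzabcxyzabc";

/* Unguarded backward extension: compares the byte before strstart with the
 * byte before match_start and walks left while they agree. If either index
 * is 0 the very first read is window[-1], one byte to the left of the
 * allocation, which is what the ASan report above shows. Only the caller's
 * max_extend keeps this variant in bounds; never call it with a zero index. */
static unsigned extend_back_unguarded(const uint8_t *window, unsigned strstart,
                                      unsigned match_start, unsigned max_extend)
{
    const uint8_t *c = window + strstart - 1;
    const uint8_t *m = window + match_start - 1;
    unsigned n = 0;
    while (n < max_extend && *c == *m) {
        c--; m--; n++;
    }
    return n;
}

/* Guarded version: the loop also stops when either position would step
 * past the start of the window, so an index of 0 never becomes window[-1]. */
static unsigned extend_back_guarded(const uint8_t *window, unsigned strstart,
                                    unsigned match_start, unsigned max_extend)
{
    unsigned n = 0;
    while (n < max_extend && strstart > n && match_start > n &&
           window[strstart - 1 - n] == window[match_start - 1 - n]) {
        n++;
    }
    return n;
}

int main(void)
{
    /* Both variants agree on safe input; only the guarded one survives index 0. */
    printf("guarded  (9,3): %u\n", extend_back_guarded(kWindow, 9, 3, 10));
    printf("guarded  (0,3): %u\n", extend_back_guarded(kWindow, 0, 3, 10));
    printf("unguarded(9,3): %u\n", extend_back_unguarded(kWindow, 9, 3, 3));
    return 0;
}
```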