Jiri Danek created PROTON-1414:
----------------------------------
Summary: heap-buffer-overflow in pni_decoder_decode_value
Key: PROTON-1414
URL: https://issues.apache.org/jira/browse/PROTON-1414
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Affects Versions: 0.18.0
Reporter: Jiri Danek
Attachments: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
{noformat}
[jdanek@e530 fuzz]$ ./fuzz-message-decode minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
INFO: Seed: 3671742454
INFO: Loaded 2 modules (7259 guards): [0x7f20793b8c80, 0x7f20793bfdd4), [0x74ad60, 0x74ad78),
./fuzz-message-decode: Running 1 inputs 1 time(s) each.
Running: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
=================================================================
==29686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000033 at pc 0x7f20790bf3de bp 0x7ffc0d69a970 sp 0x7ffc0d69a968
READ of size 1 at 0x602000000033 thread T0
    #0 0x7f20790bf3dd in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24
    #1 0x7f20790bcfa4 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:477:9
    #2 0x7f20790bccc1 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:491:13
    #3 0x7f20790b84c5 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
    #4 0x7f207911160b in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
    #5 0x4f90c1 in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz/fuzz-message-decode.c:12:15
    #6 0x501427 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
    #7 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
    #8 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
    #9 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
    #10 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #12 0x423889 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x423889)

0x602000000033 is located 0 bytes to the right of 3-byte region [0x602000000030,0x602000000033)
allocated by thread T0 here:
    #0 0x4f608b in operator new[](unsigned long) (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x4f608b)
    #1 0x50136a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:506:23
    #2 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
    #3 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
    #4 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
    #5 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
    #6 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24 in pni_decoder_decode_value
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 03 fa fa fa[03]fa fa fa 00 00 fa fa 00 00
0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29686==ABORTING
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)