[ https://issues.apache.org/jira/browse/PROTON-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Ross updated PROTON-1414:
--------------------------------
    Fix Version/s: proton-c-0.20.0

> heap-buffer-overflow in pni_decoder_decode_value when invoking pn_message_decode
> --------------------------------------------------------------------------------
>
>                 Key: PROTON-1414
>                 URL: https://issues.apache.org/jira/browse/PROTON-1414
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: proton-c-0.18.0
>            Reporter: Jiri Daněk
>            Assignee: Andrew Stitcher
>              Labels: codec
>             Fix For: proton-c-0.20.0
>
>         Attachments: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
>
>
> {noformat}
> [jdanek@e530 fuzz]$ ./fuzz-message-decode minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
> INFO: Seed: 3671742454
> INFO: Loaded 2 modules (7259 guards): [0x7f20793b8c80, 0x7f20793bfdd4), [0x74ad60, 0x74ad78),
> ./fuzz-message-decode: Running 1 inputs 1 time(s) each.
> Running: minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
> =================================================================
> ==29686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000033 at pc 0x7f20790bf3de bp 0x7ffc0d69a970 sp 0x7ffc0d69a968
> READ of size 1 at 0x602000000033 thread T0
>     #0 0x7f20790bf3dd in pni_decoder_decode_value /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24
>     #1 0x7f20790bcfa4 in pni_decoder_single /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:477:9
>     #2 0x7f20790bccc1 in pn_decoder_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:491:13
>     #3 0x7f20790b84c5 in pn_data_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/codec.c:1437:10
>     #4 0x7f207911160b in pn_message_decode /home/jdanek/Work/qpid-proton/proton-c/src/core/message.c:635:20
>     #5 0x4f90c1 in LLVMFuzzerTestOneInput /home/jdanek/Work/qpid-proton/proton-c/src/tests/fuzz/fuzz-message-decode.c:12:15
>     #6 0x501427 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:515:13
>     #7 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
>     #8 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
>     #9 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
>     #10 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
>     #11 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
>     #12 0x423889 in _start (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x423889)
>
> 0x602000000033 is located 0 bytes to the right of 3-byte region [0x602000000030,0x602000000033)
> allocated by thread T0 here:
>     #0 0x4f608b in operator new[](unsigned long) (/home/jdanek/Work/qpid-proton/build/proton-c/src/tests/fuzz/fuzz-message-decode+0x4f608b)
>     #1 0x50136a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:506:23
>     #2 0x501615 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerLoop.cpp:469:3
>     #3 0x4f930c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:272:6
>     #4 0x4fb0ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/jdanek/Work/./Fuzzer/FuzzerDriver.cpp:482:9
>     #5 0x4f9200 in main /home/jdanek/Work/./Fuzzer/FuzzerMain.cpp:20:10
>     #6 0x7f20772d2290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jdanek/Work/qpid-proton/proton-c/src/core/decoder.c:389:24 in pni_decoder_decode_value
> Shadow bytes around the buggy address:
>   0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 03 fa fa fa[03]fa fa fa 00 00 fa fa 00 00
>   0x0c047fff8010: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8040: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==29686==ABORTING
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
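The ASan report above says everything a reviewer needs about the bug class: the harness (LLVMFuzzerTestOneInput) hands pn_message_decode a 3-byte heap buffer and the value decoder reads one byte past its end. The following is an added example, not Qpid Proton's decoder and not the report's minimized input: a small bounds-checked reader for the AMQP 1.0 primitive encoding (format code, then a payload whose width the code's high nibble determines) with an entry point in the shape of the harness. The names decode_value, decode_all, kTruncatedUint and kThreeValues are hypothetical and the byte strings are constructed; the 3-byte input is chosen only to show the shape of a truncated-payload read, not to reproduce the attached file.

```c
/* Added example, not Qpid Proton code. A bounds-checked reader for AMQP 1.0
 * primitive encodings plus a libFuzzer-style entry point shaped like the
 * fuzz-message-decode harness in the report. All names are hypothetical and
 * all inputs are constructed. Build with -fsanitize=address to see that the
 * heap copy in main() is never over-read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_BAD_CODE = -2 } dec_status;

/* Decode one value: a format code, then a payload whose width is given by the
 * code's high nibble (the AMQP 1.0 subcategory): 0x4 no payload; 0x5/6/7/8/9
 * fixed 1/2/4/8/16 bytes; 0xA/0xC/0xE one-byte size prefix; 0xB/0xD/0xF
 * four-byte big-endian size prefix. Compound payloads (lists, maps, arrays)
 * are skipped as opaque bytes, not decoded recursively. Every read is checked
 * against len first; on success *consumed is the bytes the value occupied. */
dec_status decode_value(const uint8_t *buf, size_t len, size_t *consumed)
{
    if (len < 1) return DEC_TRUNCATED;   /* not even the format code */
    uint8_t code = buf[0];
    size_t need;                         /* payload bytes after the code */

    switch (code >> 4) {
    case 0x4: need = 0;  break;
    case 0x5: need = 1;  break;
    case 0x6: need = 2;  break;
    case 0x7: need = 4;  break;
    case 0x8: need = 8;  break;
    case 0x9: need = 16; break;
    case 0xA: case 0xC: case 0xE:
        if (len < 2) return DEC_TRUNCATED;          /* size byte missing */
        need = 1 + (size_t)buf[1];
        break;
    case 0xB: case 0xD: case 0xF: {
        if (len < 5) return DEC_TRUNCATED;          /* 4-byte size missing */
        uint32_t n = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                     ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
        if (n > len - 5) return DEC_TRUNCATED;      /* compare before adding */
        need = 4 + (size_t)n;
        break;
    }
    default:
        return DEC_BAD_CODE;   /* descriptors (0x00) and reserved codes */
    }

    /* The check that must precede any touch of the payload: reading the last
     * payload byte when len - 1 < need is a one-byte heap over-read of the
     * kind ASan reports above. */
    if (len - 1 < need) return DEC_TRUNCATED;
    *consumed = 1 + need;
    return DEC_OK;
}

/* Decode a buffer as a sequence of values (a message body is a sequence of
 * sections). *count is the number of complete values even on truncation. */
dec_status decode_all(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        size_t used = 0;
        dec_status st = decode_value(buf + off, len - off, &used);
        if (st != DEC_OK) return st;
        off += used;
        ++*count;
    }
    return DEC_OK;
}

/* Constructed inputs. kTruncatedUint: uint code 0x70 promises 4 payload
 * bytes, only 2 follow. kThreeValues: true, ubyte 7, str8 "hi". */
const uint8_t kTruncatedUint[] = { 0x70, 0x00, 0x00 };
const uint8_t kThreeValues[]   = { 0x41, 0x50, 0x07, 0xA1, 0x02, 'h', 'i' };

/* Entry point shaped like the report's harness. libFuzzer passes each input
 * in its own exactly-sized heap allocation, which is why a one-byte over-read
 * shows up as "0 bytes to the right of 3-byte region". */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    size_t n = 0;
    (void)decode_all(data, size, &n);   /* any status is acceptable */
    return 0;
}

int main(void)
{
    /* Mirror the harness: an exactly-sized heap copy, so under ASan any
     * over-read would land in the redzone right after the 3 bytes. */
    uint8_t *heap = malloc(sizeof kTruncatedUint);
    if (!heap) return 1;
    memcpy(heap, kTruncatedUint, sizeof kTruncatedUint);
    size_t n = 0;
    dec_status st = decode_all(heap, sizeof kTruncatedUint, &n);
    free(heap);
    printf("status=%d complete_values=%zu\n", (int)st, n);
    return 0;
}
```

The shape matters more than the byte values: a decoder that trusts the format code to describe what follows must compare the promised width with the bytes actually remaining before every read, and an exactly-sized heap copy under AddressSanitizer is the cheapest way to prove it does.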