*** This bug is a security vulnerability ***

Public security bug reported:

environment
$ uname -a
Linux 6176901723ae 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

build setting
$ git clone https://git.launchpad.net/ubuntu/+source/midicsv
( also possible https://www.fourmilab.ch/webtools/midicsv/#Download )
$ head Makefile

CC = clang
CFLAGS = -g -Wall -fsanitize=address

INSTALL_DEST = /usr/local

#       You shouldn't need to change anything after this line

VERSION = 1.1
PROGRAMS = midicsv csvmidi
( edit Makefile for address sanitizer )

When I run the attached poc file, a heap buffer overflow error occurs as follows.
The following is the ASAN crash log that occurred when I ran the poc.

Filename: poc0
Sink : if (*trk & 0x80) { //midicsv.c:123:6
ASAN crash log
=================================================================
==17==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002721 at pc 0x0000004ef7cb bp 0x7ffc7c4be3f0 sp 0x7ffc7c4be3e8
READ of size 1 at 0x621000002721 thread T0
    #0 0x4ef7ca in trackcsv /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:123:6
    #1 0x4ef7ca in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:505:2
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_loc', zlib is not available
error: failed to decompress '.debug_ranges', zlib is not available
    #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #3 0x41c35d in _start (/benchmark/bin/INST_DYNAMIC/midicsv-topuzz+0x41c35d)

0x621000002721 is located 0 bytes to the right of 4641-byte region [0x621000001500,0x621000002721)
allocated by thread T0 here:
    #0 0x4bb16d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x4eba26 in main /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:493:17
    #2 0x7f89f9f1d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow /benchmark/RUNDIR-midicsv/tiff-4.0.10/midicsv.c:123:6 in trackcsv
Shadow bytes around the buggy address:

...
==17==ABORTING

** Affects: midicsv (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc.tar.gz"
   https://bugs.launchpad.net/bugs/2087775/+attachment/5836111/+files/poc.tar.gz

** Information type changed from Public to Public Security
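As an added illustration (not midicsv's own code; the report does not show the body of trackcsv), here is a bounds-checked MIDI track reader in C. It carries the end of the malloc'd region alongside the read cursor and refuses the status-byte read once the cursor reaches that end, which is exactly the condition the ASAN log describes (a 1-byte read 0 bytes past the 4641-byte region). The cursor layout, the omission of delta-times, and all function names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Track cursor: `end` is one past the last byte of the malloc'd region, so
   every read can be checked against it before dereferencing. */
typedef struct { const uint8_t *cur, *end; } track_cursor;

/* Stores the next byte in *out and returns 1, or returns 0 at end of data.
   This length check is what the reported sink lacks. */
static int track_getbyte(track_cursor *tc, uint8_t *out) {
    if (tc->cur >= tc->end) return 0;
    *out = *tc->cur++;
    return 1;
}

/* Reads an event's status byte with MIDI running status (high bit clear
   means data, so the previous status is reused). Returns 0 if the track
   ends here or a data byte arrives before any status has been seen. */
static int read_status(track_cursor *tc, uint8_t *running, uint8_t *status) {
    uint8_t b;
    if (!track_getbyte(tc, &b)) return 0;
    if (b & 0x80) {                 /* checked form of `if (*trk & 0x80)` */
        *running = b;
    } else if (*running == 0) {
        return 0;
    } else {
        tc->cur--;                  /* push the data byte back */
    }
    *status = *running;
    return 1;
}

/* Counts channel-voice events in a track buffer (delta-times omitted).
   Returns -1 if the data ends mid-event, instead of reading past the buffer
   as the ASAN report shows. Stops at sysex/meta status bytes (0xF0+). */
int count_events(const uint8_t *buf, size_t len) {
    track_cursor tc = { buf, buf + len };
    uint8_t running = 0, status = 0, b;
    int n = 0;
    while (tc.cur < tc.end) {
        if (!read_status(&tc, &running, &status)) return -1;
        if (status >= 0xF0) break;
        /* program change (0xCn) and channel pressure (0xDn) carry one data
           byte; every other channel message carries two */
        int nd = ((status & 0xF0) == 0xC0 || (status & 0xF0) == 0xD0) ? 1 : 2;
        for (int i = 0; i < nd; i++)
            if (!track_getbyte(&tc, &b) || (b & 0x80)) return -1;
        n++;
    }
    return n;
}
```

The constructed inputs in the test below are a note-on followed by a running-status note-on (2 events), a track cut off mid-event (rejected with -1 rather than an out-of-bounds read), and a data byte arriving before any status.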

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2087775

Title:
  heap-buffer overflow in midicsv.c:123
