Public bug reported:
heap-buffer-overflow in Mat_VarPrint at matio-1.5.28/src/mat.c:2462 when we
run ./fuzzers/matio_fuzzer ./crashes/poc.
root@6:/fuzz# ./fuzzers/matio_fuzzer crashes/crash-104
Reading 5045 bytes from crashes/crash-104
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
}
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 2 3 4
}
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,1) 3.16202e-322
(3,1) 1.04347e-320
(4,1) 2.05531e-320
(5,1) 2.56124e-320
(1,3) 4.83789e-320
(2,3) 5.09085e-320
(3,3) 5.34381e-320
(4,3) 5.59678e-320
(5,3) 5.84974e-320
(1,5) 6.7351e-320
(2,5) 6.86158e-320
(3,5) 6.98806e-320
(4,5) 7.11455e-320
(5,5) 7.24103e-320
(1,7) 7.99991e-320
(2,7) 8.12639e-320
(3,7) 4.15265e-317
(4,7) 8.25287e-320
(5,7) 4.15278e-317
(1,9) 4.15316e-317
(2,9) 8.7588e-320
(3,9) 4.15328e-317
(4,9) 8.88528e-320
(5,9) 4.15341e-317
}
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,2) 3.16202e-322
(3,3) 1.04347e-320
(4,4) 2.05531e-320
(5,5) 2.56124e-320
(6,6) 3.06716e-320
(7,7) 3.57308e-320
(8,8) 4.07901e-320
(9,9) 4.33197e-320
(10,10) 4.58493e-320
}
}
Name: struct_nested
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[2] {
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
}
}
Name: struct_nested
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[2] {
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 2 3 4
}
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,1) 3.16202e-322
(3,1) 1.04347e-320
(4,1) 2.05531e-320
(5,1) 2.56124e-320
(1,3) 4.83789e-320
(2,3) 5.09085e-320
(3,3) 5.34381e-320
(4,3) 5.59678e-320
(5,3) 5.84974e-320
(1,5) 6.7351e-320
(2,5) 6.86158e-320
(3,5) 6.98806e-320
(4,5) 7.11455e-320
(5,5) 7.24103e-320
(1,7) 7.99991e-320
(2,7) 8.12639e-320
(3,7) 4.15265e-317
(4,7) 8.25287e-320
(5,7) 4.15278e-317
(1,9) 4.15316e-317
(2,9) 8.7588e-320
(3,9) 4.15328e-317
(4,9) 8.88528e-320
(5,9) 4.15341e-317
}
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,2) 3.16202e-322
(3,3) 1.04347e-320
(4,4) 2.05531e-320
(5,5) 2.56124e-320
(6,6) 3.06716e-320
(7,7) 3.57308e-320
(8,8) 4.07901e-320
(9,9) 4.33197e-320
(10,10) 4.58493e-320
}
}
}
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
-E- ossfuzz: InflateData: inflate returned data error
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(1,2) 3.16202e-322
=================================================================
==7571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007598 at pc 0x5dcdd60ed578 bp 0x7fffca418920 sp 0x7fffca418918
READ of size 4 at 0x602000007598 thread T0
#0 0x5dcdd60ed577 in Mat_VarPrint /fuzz/matio/matio/src/mat.c:2462:69
#1 0x5dcdd60d6bd9 in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:48:9
#2 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
#3 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7
#4 0x5dcdd60d79ec in LLVMFuzzerRunDriver /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:377:12
#5 0x5dcdd60167e6 in main /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:312:10
#6 0x7f8a86498d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7f8a86498e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x5dcdd6016854 in _start (/fuzz/fuzzers/matio_fuzzer+0x44c854) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)

0x602000007599 is located 0 bytes to the right of 9-byte region [0x602000007590,0x602000007599)
allocated by thread T0 here:
#0 0x5dcdd6099888 in __interceptor_calloc (/fuzz/fuzzers/matio_fuzzer+0x4cf888) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)
#1 0x5dcdd6111f45 in ReadSparse /fuzz/matio/matio/src/mat5.c:528:26
#2 0x5dcdd610be59 in Mat_VarRead5 /fuzz/matio/matio/src/mat5.c:3391:26
#3 0x5dcdd60d6baa in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:43:9
#4 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
#5 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint
Shadow bytes around the buggy address:
0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8e80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8e90: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8ea0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00
=>0x0c047fff8eb0: fa fa 00[01]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==7571==ABORTING
** Affects: ubuntu
Importance: Undecided
Status: New
** Summary changed:
- heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint
+ heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint
--
https://bugs.launchpad.net/bugs/2095070
Title:
heap-buffer-overflow on matio-1.5.28/src/mat.c:2462:69 in Mat_VarPrint
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs