Public bug reported:

Stack-buffer-overflow while running motio-1.5.17. I can not confirm if
this bug is needed to patch. Deatil log as follow: (POC in attachment)

lbb@lbb: ./bin/matdump poc_m00

InflateRankDims: inflate returned data error
=================================================================
==21267==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffff3b36320 at pc 0x7f31a19c7187 bp 0x7ffff3b357f0 sp 0x7ffff3b357e8
READ of size 4 at 0x7ffff3b36320 thread T0
    #0 0x7f31a19c7186 in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4856:47
    #1 0x7f31a1a22911 in Mat_VarReadNextInfo /matio-1.5.17/src/mat.c:2311:22
    #2 0x4dd9b3 in main /matio-1.5.17/tools/matdump.c:942:31
    #3 0x7f31a059f82f in __libc_start_main 
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x435a28 in _start (/matio-1.5.17/build/bin/matdump+0x435a28)

Address 0x7ffff3b36320 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f31a19c4a5f in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4753

  This frame has 22 object(s):
    [32, 40) ''
    [64, 72) ''
    [96, 100) 'err'
    [112, 116) 'data_type'
    [128, 132) 'nBytes'
    [144, 152) 'fpos'
    [176, 184) 'matvar'
    [208, 212) 'array_flags'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this 
variable
    [320, 324) 'nbytes'
    [336, 344) 'bytesread'
    [368, 376) 'dims'
    [400, 404) 'do_clean'
    [416, 420) 'j'
    [432, 436) 'len'
    [448, 452) 'len_pad'
    [464, 468) 'len1'
    [480, 504) 'buf'
    [544, 552) 'readresult'
    [576, 580) 'len2'
    [592, 596) 'len_pad3'
    [608, 612) 'len4'
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /matio-1.5.17/src/mat5.c:4856 
Mat_VarReadNextInfo5
Shadow bytes around the buggy address:
  0x10007e75ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec40: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2
  0x10007e75ec50: 04 f2 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 00 00
=>0x10007e75ec60: 00 00 00 00[f2]f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
  0x10007e75ec70: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 f2
  0x10007e75ec80: f2 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 04 f3 f3 f3
  0x10007e75ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ecb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21267==ABORTING

** Affects: libmatio (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1859149

Title:
  Stack-buffer-overflow in matio-1.5.17/src/mat5.c:4856
  Mat_VarReadNextInfo5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libmatio/+bug/1859149/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to