Stack-buffer-overflow in matio-1.5.17/src/mat5.c:4856 Mat_VarReadNextInfo5
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libmatio (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Stack-buffer-
```
lbb@lbb: ./bin/matdump poc_m00
InflateRankDims: inflate returned data error
=======
==21267==ERROR: AddressSanitizer: stack-buffer-
READ of size 4 at 0x7ffff3b36320 thread T0
    #0 0x7f31a19c7186 in Mat_VarReadNext
    #1 0x7f31a1a22911 in Mat_VarReadNextInfo /matio-
    #2 0x4dd9b3 in main /matio-
    #3 0x7f31a059f82f in __libc_start_main /build/
    #4 0x435a28 in _start (/matio-

Address 0x7ffff3b36320 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f31a19c4a5f in Mat_VarReadNext

  This frame has 22 object(s):
    [32, 40) ''
    [64, 72) ''
    [96, 100) 'err'
    [112, 116) 'data_type'
    [128, 132) 'nBytes'
    [144, 152) 'fpos'
    [176, 184) 'matvar'
    [208, 212) 'array_flags'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable
    [320, 324) 'nbytes'
    [336, 344) 'bytesread'
    [368, 376) 'dims'
    [400, 404) 'do_clean'
    [416, 420) 'j'
    [432, 436) 'len'
    [448, 452) 'len_pad'
    [464, 468) 'len1'
    [480, 504) 'buf'
    [544, 552) 'readresult'
    [576, 580) 'len2'
    [592, 596) 'len_pad3'
    [608, 612) 'len4'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-
Shadow bytes around the buggy address:
  0x10007e75ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec40: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2
  0x10007e75ec50: 04 f2 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 00 00
=>0x10007e75ec60: 00 00 00 00[f2]f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
  0x10007e75ec70: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 f2
  0x10007e75ec80: f2 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 04 f3 f3 f3
  0x10007e75ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ecb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21267==ABORTING
```