Ubuntu
libmatio package

Stack-buffer-overflow in matio-1.5.17/src/mat5.c:4856 Mat_VarReadNextInfo5

Bug #1859149 reported by Binbin Li
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libmatio (Ubuntu)
New
Undecided
Unassigned

Bug Description

Stack-buffer-overflow while running motio-1.5.17. I can not confirm if this bug is needed to patch. Deatil log as follow: (POC in attachment)

lbb@lbb: ./bin/matdump poc_m00

InflateRankDims: inflate returned data error
=================================================================
==21267==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff3b36320 at pc 0x7f31a19c7187 bp 0x7ffff3b357f0 sp 0x7ffff3b357e8
READ of size 4 at 0x7ffff3b36320 thread T0
    #0 0x7f31a19c7186 in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4856:47
    #1 0x7f31a1a22911 in Mat_VarReadNextInfo /matio-1.5.17/src/mat.c:2311:22
    #2 0x4dd9b3 in main /matio-1.5.17/tools/matdump.c:942:31
    #3 0x7f31a059f82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x435a28 in _start (/matio-1.5.17/build/bin/matdump+0x435a28)

Address 0x7ffff3b36320 is located in stack of thread T0 at offset 288 in frame
    #0 0x7f31a19c4a5f in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4753

  This frame has 22 object(s):
    [32, 40) ''
    [64, 72) ''
    [96, 100) 'err'
    [112, 116) 'data_type'
    [128, 132) 'nBytes'
    [144, 152) 'fpos'
    [176, 184) 'matvar'
    [208, 212) 'array_flags'
    [224, 288) 'uncomp_buf' <== Memory access at offset 288 overflows this variable
    [320, 324) 'nbytes'
    [336, 344) 'bytesread'
    [368, 376) 'dims'
    [400, 404) 'do_clean'
    [416, 420) 'j'
    [432, 436) 'len'
    [448, 452) 'len_pad'
    [464, 468) 'len1'
    [480, 504) 'buf'
    [544, 552) 'readresult'
    [576, 580) 'len2'
    [592, 596) 'len_pad3'
    [608, 612) 'len4'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /matio-1.5.17/src/mat5.c:4856 Mat_VarReadNextInfo5
Shadow bytes around the buggy address:
  0x10007e75ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ec40: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2
  0x10007e75ec50: 04 f2 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 00 00
=>0x10007e75ec60: 00 00 00 00[f2]f2 f2 f2 04 f2 00 f2 f2 f2 00 f2
  0x10007e75ec70: f2 f2 04 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 f2
  0x10007e75ec80: f2 f2 f2 f2 00 f2 f2 f2 04 f2 04 f2 04 f3 f3 f3
  0x10007e75ec90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75eca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e75ecb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==21267==ABORTING

See original description
Revision history for this message
Binbin Li (libbin) wrote :
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.