Ubuntu
libmatio package

stack-buffer-overflow in /matio-1.5.17/src/mat5.c:1369 ReadNextStructField

Bug #1859264 reported by Binbin Li
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libmatio (Ubuntu)
New
Undecided
Unassigned

Bug Description

stack-buffer-overflow in /matio-1.5.17/src/mat5.c:1369 ReadNextStructField. Deatil log as follow: (POC in attachment)

lbb@lbb: /matio-1.5.17/build/bin/matdump POC_m010

InflateRankDims: inflate returned data error
=================================================================
==16263==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8f062b80 at pc 0x7ff86a7a097c bp 0x7ffe8f0629f0 sp 0x7ffe8f0629e8
READ of size 4 at 0x7ffe8f062b80 thread T0
    #0 0x7ff86a7a097b in ReadNextStructField /matio-1.5.17/src/mat5.c:1369:50
    #1 0x7ff86a79cdca in Mat_VarReadNextInfo5 /matio-1.5.17/src/mat5.c:4895:27
    #2 0x4dc498 in main /matio-1.5.17/tools/matdump.c:942:31
    #3 0x7ff8695b582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x435b18 in _start (/matio-1.5.17/build/bin/matdump+0x435b18)

Address 0x7ffe8f062b80 is located in stack of thread T0 at offset 160 in frame
    #0 0x7ff86a79d60f in ReadNextStructField /matio-1.5.17/src/mat5.c:1188

  This frame has 5 object(s):
    [32, 40) 'nelems'
    [64, 72) 'nelems_x_nfields'
    [96, 160) 'uncomp_buf' <== Memory access at offset 160 overflows this variable
    [192, 200) 'dims'
    [224, 248) 'buf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /matio-1.5.17/src/mat5.c:1369 ReadNextStructField
Shadow bytes around the buggy address:
  0x100051e04520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051e04530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051e04540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051e04550: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x100051e04560: 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x100051e04570:[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3
  0x100051e04580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051e04590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051e045a0: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f2 00 00 00 00
  0x100051e045b0: 00 00 00 00 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f3
  0x100051e045c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==16263==ABORTING

Revision history for this message
Binbin Li (libbin) wrote :
  • POC Edit (202 bytes, application/octet-stream)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.