Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack buffer overflow found in common_kernels.c #37

Open
fCorleone opened this issue Jul 6, 2018 · 3 comments
Open

Stack buffer overflow found in common_kernels.c #37

fCorleone opened this issue Jul 6, 2018 · 3 comments

Comments

@fCorleone
Copy link

==2602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc4f3617c at pc 0x0000004b23dd bp 0x7ffdc4f35270 sp 0x7ffdc4f35260
READ of size 4 at 0x7ffdc4f3617c thread T0
#0 0x4b23dc in scale_frame_down2x2_simd_lbd common/common_kernels.c:1849
#1 0x4e57b7 in interpolate_frames_lbd common/temporal_interp.c:950
#2 0x4273b0 in decode_frame dec/decode_frame.c:110
#3 0x402934 in main dec/maindec.c:179
#4 0x7f16740a582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x406ce8 in _start (/home/mfc_fuzz/thor/build/Thordec+0x406ce8)

Address 0x7ffdc4f3617c is located in stack of thread T0 at offset 2492 in frame
#0 0x4020af in main dec/maindec.c:97

This frame has 9 object(s):
[32, 40) 'infile'
[96, 104) 'outfile'
[160, 172) 'tot_bits'
[224, 352) 'rec_available'
[384, 2472) 'stream' <== Memory access at offset 2492 overflows this variable
[2528, 5696) 'rec'
[5728, 8896) 'ref'
[8928, 33992) 'bit_count'
[34048, 63424) 'decoder_info'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow common/common_kernels.c:1849 scale_frame_down2x2_simd_lbd
Shadow bytes around the buggy address:
0x1000389debd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389debe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389debf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000389dec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4[f4]
0x1000389dec30: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2602==ABORTING
The input file has been put at :https://github.com/fCorleone/fuzz_programs/blob/master/thor/test2.bit
The command line is ./Thordec test2.bit out
the program was compiled by afl-gcc with ASAN mode.

@stemidts
Copy link
Contributor

Thanks for the report. Can you specify the commit id you're using to decode?

@fCorleone
Copy link
Author

I have checked the commit id, it's commit e42047d.It's strange that I cloned the code from the https://github.com/cisco/thor.git 12 days ago. Does it mean that I would get the latest version of the code? But when I check the commit id using command line:

git reflog

I got this :

e42047d HEAD@{0}: clone: from https://github.com/cisco/thor.git

@stemidts
Copy link
Contributor

Duplicate of #36

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants