
OOB read in main:150

Open andreafioraldi opened this issue 5 years ago • 1 comment

        file_size = filestatus.st_size;
        file_contents = (char*)malloc(filestatus.st_size);
        if ( file_contents == NULL) {
                fprintf(stderr, "Memory error: unable to allocate %d bytes\n", file_size);
                return 1;
        }

        fp = fopen(filename, "rt");
        if (fp == NULL) {
                fprintf(stderr, "Unable to open %s\n", filename);
                fclose(fp);
                free(file_contents);
                return 1;
        }
        if ( fread(file_contents, file_size, 1, fp) != 1 ) {
                fprintf(stderr, "Unable t read content of %s\n", filename);
                fclose(fp);
                free(file_contents);
                return 1;
        }
        fclose(fp);

        printf("%s\n", file_contents);

You read the file into file_contents and then print it. file_contents is not a string; if the file doesn't contain a NUL byte at the end, this will trigger an OOB read heap overflow. This is not one of the artificial vulns and prevents fuzzing with ASan because it crashes even with the initial seed.

andreafioraldi, Feb 08 '20 12:02
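A hardened version of the read-and-print sequence quoted above, added here as an example and not code from fuzzgoat or from the issue author. The quoted code allocates exactly st_size bytes and hands the buffer to printf("%s"), so any input file that does not happen to end in a NUL byte makes printf walk off the end of the heap allocation. The example allocates one extra byte, NUL-terminates, and returns the byte count so the caller prints by length rather than by terminator. The function names (read_stream, read_file, has_embedded_nul, print_contents) and the use of fseek/ftell instead of stat are assumptions made for this example so that it stays ISO C and can be exercised with a tmpfile() stream.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not fuzzgoat's code. Read exactly `size` bytes from an open
 * stream into a fresh buffer of size + 1 bytes and NUL-terminate it. Returns
 * NULL (and sets *out_len to 0) on allocation failure or short read. The
 * caller frees the result. */
char *read_stream(FILE *fp, size_t size, size_t *out_len)
{
    *out_len = 0;
    if (size == SIZE_MAX)            /* size + 1 would wrap to 0 */
        return NULL;
    char *buf = malloc(size + 1);    /* +1: room for the terminator the quoted code lacks */
    if (buf == NULL)
        return NULL;
    /* fread(ptr, 1, size, fp) returns the byte count on a short read, which the
     * quoted fread(ptr, size, 1, fp) form hides; a zero-length file is fine too. */
    if (size > 0 && fread(buf, 1, size, fp) != size) {
        free(buf);
        return NULL;
    }
    buf[size] = '\0';                /* always terminated, even when size == 0 */
    *out_len = size;
    return buf;
}

/* Open `filename`, learn its length with fseek/ftell (assumed here instead of
 * stat to stay ISO C), and read it with read_stream(). */
char *read_file(const char *filename, size_t *out_len)
{
    *out_len = 0;
    FILE *fp = fopen(filename, "rb");  /* "rb": the quoted "rt" mode is not standard C */
    if (fp == NULL)
        return NULL;                   /* nothing to close; the quoted code calls fclose(NULL) here */
    char *buf = NULL;
    if (fseek(fp, 0, SEEK_END) == 0) {
        long size = ftell(fp);
        if (size >= 0 && fseek(fp, 0, SEEK_SET) == 0)
            buf = read_stream(fp, (size_t)size, out_len);
    }
    fclose(fp);
    return buf;
}

/* Returns 1 if the buffer holds a NUL before `len`, i.e. if printf("%s")
 * would print less than the file actually contains. */
int has_embedded_nul(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Print by length rather than by terminator so embedded NULs do not truncate
 * and a missing terminator cannot cause an over-read. */
void print_contents(const char *buf, size_t len)
{
    fwrite(buf, 1, len, stdout);
    putchar('\n');
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    size_t len;
    char *contents = read_file(argv[1], &len);
    if (contents == NULL) {
        fprintf(stderr, "Unable to read %s\n", argv[1]);
        return 1;
    }
    print_contents(contents, len);
    free(contents);
    return 0;
}
```

Compiled with -fsanitize=address this version survives a seed file with no trailing NUL, which is the precondition for the ASan-instrumented fuzzing run the issue describes; the remaining crashes are then the ones the harness intended.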

Btw, I found all the bugs using the dumb mode of afl-fuzz (-n) + ASan (commenting out printf("%s\n", file_contents);), so unless you insert hard-to-reach vulns, this is really useless if you want to evaluate modern fuzzers.

andreafioraldi, Feb 08 '20 13:02