Stack-based Buffer Overflow in the wfloat() function
Hi,
While fuzzing dpic with American Fuzzy Lop, I found a Stack-based Buffer Overflow in the wfloat() function, in main.c.
Attaching a reproducer, issue can be reproduced by running:
dpic test01
=================================================================
==28531==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc1bb894d9 at pc 0x0000004471fa bp 0x7ffc1bb893a0 sp 0x7ffc1bb88b50
WRITE of size 91 at 0x7ffc1bb894d9 thread T0
#0 0x4471f9 in vsprintf (/home/fcambus/dpic/dpic+0x4471f9)
#1 0x447526 in __interceptor_sprintf (/home/fcambus/dpic/dpic+0x447526)
#2 0x512a85 in wfloat /home/fcambus/dpic/main.c
#3 0x528554 in yyparse /home/fcambus/dpic/dpic.y:739:13
#4 0x521c41 in main /home/fcambus/dpic/main.c:2354:13
#5 0x7ffa9110ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a369 in _start (/home/fcambus/dpic/dpic+0x41a369)
Address 0x7ffc1bb894d9 is located in stack of thread T0 at offset 57 in frame
#0 0x51296f in wfloat /home/fcambus/dpic/main.c:213
This frame has 1 object(s):
[32, 57) 'buf' (line 214) <== Memory access at offset 57 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/dpic/dpic+0x4471f9) in vsprintf
Shadow bytes around the buggy address:
0x100003769240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003769250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003769260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003769270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003769280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100003769290: 00 00 00 00 f1 f1 f1 f1 00 00 00[01]f3 f3 f3 f3
0x1000037692a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000037692b0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f2 f2
0x1000037692c0: f8 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f8 f2 f2 f2
0x1000037692d0: f8 f2 f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
0x1000037692e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28531==ABORTING