Vulnerability 30 – AddressSanitizer: heap-buffer-overflow lib/common/routespl.c:751 in checkpath

Vulnerability 30 – AddressSanitizer: heap-buffer-overflow lib/common/routespl.c:751 in checkpath

Summary

AddressSanitizer: heap-buffer-overflow lib/common/routespl.c:751 in checkpath

Versions

Tested commit: 730974fb9ac4c73eb6ba83b32ea69e532ab1b31d

Build and Test Platform

Ubuntu 24.04.3

Test Case

ASAN_OPTIONS='abort_on_error=1:symbolize=1:detect_leaks=0' LSAN_OPTIONS='detect_leaks=0' /htp/graphviz/graphviz-git/cmd/dot/.libs/dot_static -Kdot -Tdot /htp/graphviz/graphviz/afl/crashes/dedup/min/crash_30.dot

digraph{{{0[0=0][0=0]}[0=0]}[0=0]0->d0[0=0]d0->9[label=0fontsize=4000000000000000000]}

Latest git master

Confirmed by ASAN:

Warning: syntax ambiguity - badly delimited number '0f' in line 1 of /htp/graphviz/graphviz/afl/crashes/dedup/min/crash_30.dot splits into two tokens
=================================================================
==2019206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5260000000e0 at pc 0x62c0e3642ae0 bp 0x7ffe44da14d0 sp 0x7ffe44da14c0
READ of size 8 at 0x5260000000e0 thread T0
    #0 0x62c0e3642adf in checkpath /htp/graphviz/graphviz-git/lib/common/routespl.c:751
    #1 0x62c0e3642adf in routesplines_ /htp/graphviz/graphviz-git/lib/common/routespl.c:324
    #2 0x62c0e364689c in routesplines /htp/graphviz/graphviz-git/lib/common/routespl.c:604
    #3 0x62c0e34a9265 in make_regular_edge /htp/graphviz/graphviz-git/lib/dotgen/dotsplines.c:1893
    #4 0x62c0e34a9265 in dot_splines_ /htp/graphviz/graphviz-git/lib/dotgen/dotsplines.c:425
    #5 0x62c0e34b5e73 in dot_splines /htp/graphviz/graphviz-git/lib/dotgen/dotsplines.c:485
    #6 0x62c0e3495884 in dotLayout /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:327
    #7 0x62c0e3496896 in doDot /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:449
    #8 0x62c0e3496896 in dot_layout /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:513
    #9 0x62c0e35ca408 in gvLayoutJobs /htp/graphviz/graphviz-git/lib/gvc/gvlayout.c:84
    #10 0x62c0e3493834 in main /htp/graphviz/graphviz-git/cmd/dot/dot.c:72
    #11 0x7383d622a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7383d622a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x62c0e3493604 in _start (/htp/graphviz/graphviz-git/cmd/dot/.libs/dot_static+0xca604) (BuildId: 5c82ba8b3599aa975efddde03f8b07d16c52fede)

0x5260000000e0 is located 32 bytes before 11680-byte region [0x526000000100,0x526000002ea0)
allocated by thread T0 here:
    #0 0x7383d70fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x62c0e34a33da in gv_calloc ../../lib/util/alloc.h:36
    #2 0x62c0e34a33da in dot_splines_ /htp/graphviz/graphviz-git/lib/dotgen/dotsplines.c:335
    #3 0x62c0e34b5e73 in dot_splines /htp/graphviz/graphviz-git/lib/dotgen/dotsplines.c:485
    #4 0x62c0e3495884 in dotLayout /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:327
    #5 0x62c0e3496896 in doDot /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:449
    #6 0x62c0e3496896 in dot_layout /htp/graphviz/graphviz-git/lib/dotgen/dotinit.c:513
    #7 0x62c0e35ca408 in gvLayoutJobs /htp/graphviz/graphviz-git/lib/gvc/gvlayout.c:84
    #8 0x62c0e3493834 in main /htp/graphviz/graphviz-git/cmd/dot/dot.c:72
    #9 0x7383d622a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7383d622a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x62c0e3493604 in _start (/htp/graphviz/graphviz-git/cmd/dot/.libs/dot_static+0xca604) (BuildId: 5c82ba8b3599aa975efddde03f8b07d16c52fede)

SUMMARY: AddressSanitizer: heap-buffer-overflow /htp/graphviz/graphviz-git/lib/common/routespl.c:751 in checkpath
Shadow bytes around the buggy address:
  0x525ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x526000000000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x526000000080: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x526000000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x526000000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x526000000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x526000000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x526000000300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2019206==ABORTING

Vulnerability input

ZGlncmFwaHt7ezBbMD0wXVswPTBdfVswPTBdfVswPTBdMC0+ZDBbMD0wXWQwLT45W2xhYmVsPTBm
b250c2l6ZT00MDAwMDAwMDAwMDAwMDAwMDAwXX0=