
#195 heap-buffer-overflow on StrstrCheck()

Milestone: fig2dev
Status: pending
Owner: nobody
Labels: None
Updated: 2025-04-10
Created: 2025-04-04
Creator: GritLilan
Private: No

==3222891==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000280 at pc 0x7f9143307938 bp 0x7ffe4a78de40 sp 0x7ffe4a78d5e8
READ of size 214 at 0x611000000280 thread T0
#0 0x7f9143307937 in StrstrCheck ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:580
#1 0x7f9143361c90 in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:597
#2 0x7f9143361c90 in __interceptor_strstr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:590
#3 0x5631981f3df2 in find_end /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:1652
#4 0x5631981f3df2 in read_textobject /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:1691
#5 0x5631982075ff in read_objects /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:518
#6 0x5631982075ff in readfp_fig /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:152
#7 0x56319820b019 in read_fig /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:124
#8 0x5631981c1638 in main /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/fig2dev.c:469
#9 0x7f9142f90d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#10 0x7f9142f90e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#11 0x5631981c2e74 in _start (/usr/local/bin/fig2dev+0x6fe74)

0x611000000280 is located 0 bytes to the right of 256-byte region [0x611000000180,0x611000000280)
allocated by thread T0 here:
#0 0x7f9143382887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x563198207071 in read_objects /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:259
#2 0x563198207071 in readfp_fig /root/afl_proj/progs/apps/mcj-fig2dev/fig2dev/read.c:152

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:580 in StrstrCheck
Shadow bytes around the buggy address:
0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8020: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8050:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3222891==ABORTING

This issue was submitted by the QUTSec team of Qingdao University of Technology.
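The report above shows strstr() performing a 214-byte read that touches the first byte past a 256-byte malloc'd region, i.e. the search ran off the end of the allocation because nothing inside the buffer stopped it (no terminating NUL within the 256 bytes, or a haystack pointer that had already been advanced to the end). As an added example, not fig2dev's code and not a description of its find_end(), here is a length-bounded search that cannot read beyond the buffer it is given, exercised on a constructed 256-byte heap buffer with no terminating NUL; the needle `\001` is assumed here as the end-of-text marker a FIG text reader would look for.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not fig2dev's): search for `needle` in `hay`, never
 * looking beyond hay_len bytes and stopping at the first NUL if one appears
 * earlier. Returns the offset of the match, or -1 if absent or if the match
 * would have to extend past the buffer. */
long bounded_find(const char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0) return 0;
    /* Effective haystack length: up to the first NUL, but never past hay_len.
     * This is the step strstr() lacks: it trusts that a NUL exists. */
    size_t len = 0;
    while (len < hay_len && hay[len] != '\0') len++;
    if (nlen > len) return -1;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    }
    return -1;
}

#define BUF_SIZE 256

/* Constructed input: a 256-byte heap buffer completely filled with non-NUL
 * bytes, with `tail` copied to its very end and no terminator anywhere.
 * This is the situation in which strstr() has nothing to stop at. */
char *make_unterminated_buffer(const char *tail)
{
    char *buf = malloc(BUF_SIZE);
    if (!buf) return NULL;
    memset(buf, 'A', BUF_SIZE);
    size_t tl = strlen(tail);
    if (tl > BUF_SIZE) tl = BUF_SIZE;
    memcpy(buf + BUF_SIZE - tl, tail, tl);
    return buf;
}

/* Scenario 1: the marker sits entirely inside the buffer -> found at 252. */
long demo_found(void)
{
    char *buf = make_unterminated_buffer("\\001");
    long r = bounded_find(buf, BUF_SIZE, "\\001");
    free(buf);
    return r;
}

/* Scenario 2: the marker is absent. An unbounded strstr() would keep scanning
 * into the redzone; the bounded search stops at byte 256 and reports -1. */
long demo_absent(void)
{
    char *buf = make_unterminated_buffer("\\00");
    long r = bounded_find(buf, BUF_SIZE, "\\001");
    free(buf);
    return r;
}

/* Scenario 3: a cursor that a caller advanced through the buffer. A cursor at
 * or past the end is rejected before any byte is read; a cursor inside the
 * buffer searches only the bytes that remain. */
long demo_cursor(size_t cursor)
{
    char *buf = make_unterminated_buffer("\\001");
    long r = -1;
    if (cursor < BUF_SIZE)
        r = bounded_find(buf + cursor, BUF_SIZE - cursor, "\\001");
    free(buf);
    return r;
}

int main(void)
{
    printf("found=%ld absent=%ld past_end=%ld from_250=%ld\n",
           demo_found(), demo_absent(), demo_cursor(300), demo_cursor(250));
    return 0;
}
```

Building this with `-fsanitize=address` stays silent in all three scenarios, whereas swapping `bounded_find` for a plain `strstr(buf, "\\001")` on the same buffer reproduces the class of report shown above. The practical rule it illustrates is that a parser working on a fixed-size record buffer either guarantees a NUL inside the buffer after every fill, or passes the remaining length to every search.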

1 Attachments
poc

Discussion

tkl - 2025-04-10
  • xfig / fig2dev: xfig --> fig2dev

tkl - 2025-04-10
  Fixed with commit [818cc1].

  Related
  Commit: [818cc1]

