bug-ncurses

bug report


From: 乐泰
Subject: bug report
Date: Fri, 16 Apr 2021 17:38:43 +0800 (CST)

I have found a heap buffer overflow in the program "infotocap".
Environment: ncurses 6.1.20180127 on CentOS Linux 7.7.1908
Command: infotocap poc
I get this information with AddressSanitizer:
==6728== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60620000e900 at pc 0x4d5f2b bp 0x7fffe0a29300 sp 0x7fffe0a292f0
READ of size 1 at 0x60620000e900 thread T0
    #0 0x4d5f2a (/root/uniafl_evaluation/asan_program/infotocap+0x4d5f2a)
    #1 0x4e0e10 (/root/uniafl_evaluation/asan_program/infotocap+0x4e0e10)
    #2 0x4c927a (/root/uniafl_evaluation/asan_program/infotocap+0x4c927a)
    #3 0x404176 (/root/uniafl_evaluation/asan_program/infotocap+0x404176)
    #4 0x7fe36ac3b554 (/usr/lib64/libc-2.17.so+0x22554)
    #5 0x407935 (/root/uniafl_evaluation/asan_program/infotocap+0x407935)
0x60620000e900 is located 0 bytes to the right of 4096-byte region [0x60620000d900,0x60620000e900)
allocated by thread T0 here:
    #0 0x7fe36affcef9 (/usr/lib64/libasan.so.0.0.0+0x15ef9)
    #1 0x51a609 (/root/uniafl_evaluation/asan_program/infotocap+0x51a609)
Shadow bytes around the buggy address:
  0x0c0cbfff9cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0cbfff9d20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==6728== ABORTING

I will be very grateful if you check this vulnerability. I hope to get your reply ASAP.


 

Attachment: infotocap_HBO
Description: Binary data

