## EXTRACTOR_dvi_extract_method@dvi_extractor.c:264-5___heap-buffer-overflow

### description

An issue was discovered in libextractor 1.1. There is a heap-buffer-overflow in function EXTRACTOR_dvi_extract_method at dvi_extractor.c:264-5.

The comment length `klen` is taken from the input file (249 in the debug output below) and is larger than the 112-byte heap region that holds `data`, so the `memcpy` at line 264 reads past the end of the allocation (AddressSanitizer reports it as a READ of size 249).

### commandline

```
extract -i @@ /dev/null
```

### source

```c
260 {
261   char comment[klen + 1];
262
263   comment[klen] = '\0';
> 264   memcpy (comment, &data[15], klen);
265   if (0 != ec->proc (ec->cls,
266                      "dvi",
267                      EXTRACTOR_METATYPE_COMMENT,
268                      EXTRACTOR_METAFORMAT_C_STRING,
269                      "text/plain",
```

### debug

```
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
  prev_size = 0,
  size = 129,
  fd = 0xf914f9f9fffe02f7,
  bk = 0xf9f9f9f9f9f9f9f9,
  fd_nextsize = 0xe8f9f9fffffffff8,
  bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249
```

### bug report

```txt
=================================================================
==4645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000007220 at pc 0x0000004a2e3d bp 0x7fffec7aa230 sp 0x7fffec7a99e0
READ of size 249 at 0x60b000007220 thread T0
    #0 0x4a2e3c in __asan_memcpy (/src/aflbuild/installed/bin/extract+0x4a2e3c)
    #1 0x7fb9d56bcd59 in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:264:5
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3
    #4 0x4ec5b3 in main /src/libextractor/src/main/extract.c:983:2
    #5 0x7fb9d97c282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x418fd8 in _start (/src/aflbuild/installed/bin/extract+0x418fd8)

0x60b000007220 is located 0 bytes to the right of 112-byte region [0x60b0000071b0,0x60b000007220)
allocated by thread T0 here:
    #0 0x4b9108 in __interceptor_malloc (/src/aflbuild/installed/bin/extract+0x4b9108)
    #1 0x7fb9d56bc53c in EXTRACTOR_dvi_extract_method /src/libextractor/src/plugins/dvi_extractor.c:185:23
    #2 0x7fb9da6dc97f in do_extract /src/libextractor/src/main/extractor.c:582:7
    #3 0x7fb9da6da8c9 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:661:3

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/aflbuild/installed/bin/extract+0x4a2e3c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c167fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8e00: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c167fff8e10: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c167fff8e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c167fff8e30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c167fff8e40: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
  0x0c167fff8e50: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
  0x0c167fff8e60: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c167fff8e70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c167fff8e80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c167fff8e90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4645==ABORTING
```

### others

- from fuzz project: pwd-libextractor-extract-00
- crash name: pwd-libextractor-extract-00-00000016-20190817
- Auto-generated by pyspider at 2019-08-17 14:51:38
- please send email to teamseri0us360@gmail.com if you have any questions.