View Issue Details

ID: 0000608
Project: file
Category: General
View Status: public
Last Update: 2025-01-08 06:34
Reporter: YancyLii
Assigned To: 
Priority: high
Severity: crash
Reproducibility: always
Status: new
Resolution: open
OS: ubuntu
OS Version: 22.04
Product Version: 5.46
Summary: 0000608: Heap Buffer Overflow in file_vprintf Function of libmagic

Description: A heap-buffer-overflow error occurs in the file_vprintf function when processing certain inputs via the libmagic library. This overflow is triggered within a read operation, which can potentially lead to a crash or unintended behavior.

Steps To Reproduce:
1. Download the attached tar.gz file and decompress it, then (with sudo) execute the shell script
2. ./Test_libmagic_1 crash-2636fc31146b3c76e7d911e2b1c1580d7269e820
3. Observe the error message

Additional Information: libmagic crashes due to a heap-buffer-overflow when processing specific malformed or unexpected inputs.

==60588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a000001190 at pc 0x5641da4f9cc4 bp 0x7ffdd3fb3fd0 sp 0x7ffdd3fb3790
READ of size 705 at 0x51a000001190 thread T0
    #0 0x5641da4f9cc3 in StrstrCheck(void*, char*, char const*, char const*) asan_interceptors.cpp.o
    #1 0x5641da4f99e6 in strstr (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x819e6) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #2 0x5641da5cbc9e in varexpand /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:534:26
    #3 0x5641da5cd318 in mprint /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:593:6
    #4 0x5641da5ce851 in match /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:317:9
    #5 0x5641da5cfde7 in file_softmagic /home/liyan/Test_libmagic_1/file/build/src/../../src/softmagic.c:136:13
    #6 0x5641da5c8b59 in file_buffer /home/liyan/Test_libmagic_1/file/build/src/../../src/funcs.c:460:7
    #7 0x5641da5bf4ab in magic_buffer /home/liyan/Test_libmagic_1/file/build/src/../../src/magic.c:559:6
    #8 0x5641da5be9de in LLVMFuzzerTestOneInput (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x1469de) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #9 0x5641da4c6da4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x4eda4) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #10 0x5641da4c7939 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x4f939) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #11 0x5641da4b005e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x3805e) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #12 0x5641da4b5bb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x3dbb6) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #13 0x5641da4e0276 in main (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x68276) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #14 0x7ffa4bc061c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7ffa4bc0628a in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x5641da4aabb4 in _start (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x32bb4) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)

0x51a000001190 is located 0 bytes after 1296-byte region [0x51a000000c80,0x51a000001190)
allocated by thread T0 here:
    #0 0x5641da5bc3e1 in operator new[](unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x1443e1) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #1 0x5641da4c6cb5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x4ecb5) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #2 0x5641da4c7939 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x4f939) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #3 0x5641da4b005e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x3805e) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #4 0x5641da4b5bb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x3dbb6) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #5 0x5641da4e0276 in main (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x68276) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)
    #6 0x7ffa4bc061c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7ffa4bc0628a in __libc_start_main csu/../csu/libc-start.c:360:3
    #8 0x5641da4aabb4 in _start (/home/liyan/Test_libmagic_1/Test_libmagic_Id485+0x32bb4) (BuildId: 68cf63bdd7af5e4700731e5b8720830cdc2f6474)

SUMMARY: AddressSanitizer: heap-buffer-overflow asan_interceptors.cpp.o in StrstrCheck(void*, char*, char const*, char const*)
Tags: libmagic
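What the sanitizer output above actually records is worth spelling out: the faulting frame is strstr() called from varexpand (softmagic.c:534), and the 705-byte read is reported at the byte immediately after a 1296-byte heap region that was allocated by operator new[] inside fuzzer::Fuzzer::ExecuteCallback, i.e. libFuzzer's copy of the raw test input. That copy is exactly input-sized and carries no terminating NUL, so a NUL-terminated string routine pointed into it keeps scanning past the end of the block. The C program below is an added illustration of that failure pattern and its two usual remedies; it is not code from the file project or from the reporter's attachment, and the sample bytes and function names (bounded_find, nul_terminated_find, unterminated_strstr) are constructed for the example. It shows that a length-bounded search never leaves the buffer, while NUL-terminating a private copy keeps strstr() in bounds but silently stops at the first embedded NUL, which matters for binary input of the kind libmagic inspects.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input (not the bug's attachment): an embedded NUL at
 * index 2, then a "${...}"-style token, and no terminating NUL anywhere after
 * that.  Length is tracked separately, exactly as a fuzzer target receives it. */
static const unsigned char SAMPLE[] = { 'a', 'b', '\0', '$', '{', 'x', '}', 'c', 'd' };
#define SAMPLE_LEN (sizeof SAMPLE)   /* 9 bytes */

/* Length-bounded substring search.  Returns the offset of the first
 * occurrence of the NUL-terminated `needle` within hay[0..len), or -1.
 * It never dereferences hay + len or beyond and does not need a terminator,
 * so embedded NULs in the haystack are just ordinary bytes.  (glibc/BSD
 * memmem() does the same job but is not ISO C, hence the explicit loop.) */
long bounded_find(const unsigned char *hay, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return 0;
    if (nlen > len)
        return -1;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}

/* Remedy 2: give strstr() the terminator it assumes by copying into a block
 * one byte larger.  In bounds, but the search ends at the first NUL byte of
 * the input, so anything after an embedded NUL is invisible to it. */
long nul_terminated_find(const unsigned char *input, size_t len, const char *needle)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, input, len);
    copy[len] = '\0';
    const char *p = strstr(copy, needle);
    long off = p ? (long)(p - copy) : -1;
    free(copy);
    return off;
}

/* The pattern behind the report: an exactly-sized copy with no terminator,
 * handed to a NUL-terminated routine.  If `needle` is not found before the
 * end of the block, strstr() reads past it (undefined behaviour; ASan flags
 * it as a heap-buffer-overflow).  Kept here only to show the contrast; the
 * demo below does not call it. */
long unterminated_strstr(const unsigned char *input, size_t len, const char *needle)
{
    unsigned char *copy = malloc(len);           /* no room for a NUL */
    if (copy == NULL)
        return -1;
    memcpy(copy, input, len);
    const char *p = strstr((const char *)copy, needle);  /* may run off the block */
    long off = p ? (long)(p - (const char *)copy) : -1;
    free(copy);
    return off;
}

int main(void)
{
    printf("bounded_find(\"${\")        = %ld\n", bounded_find(SAMPLE, SAMPLE_LEN, "${"));
    printf("nul_terminated_find(\"${\") = %ld\n", nul_terminated_find(SAMPLE, SAMPLE_LEN, "${"));
    printf("bounded_find(\"cd\")        = %ld\n", bounded_find(SAMPLE, SAMPLE_LEN, "cd"));
    return 0;
}
```

Compile with `-fsanitize=address` and call unterminated_strstr() on the sample to see the same "heap-buffer-overflow ... in StrstrCheck" report shape as in the trace above; the bounded version is the fix a parser of untrusted binary data should use, because a terminator-based one both overreads unterminated input and mishandles input that legitimately contains NULs.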

Activities

YancyLii (reporter), 2025-01-08 06:34
File attached: Test_libmagic_1.tar.gz (1,217 bytes)

Issue History

Date Modified Username Field Change
2025-01-08 06:34 YancyLii New Issue
2025-01-08 06:34 YancyLii Tag Attached: libmagic
2025-01-08 06:34 YancyLii File Added: Test_libmagic_1.tar.gz