View Issue Details

ID: 0000611
Project: file
Category: General
View Status: public
Last Update: 2025-01-08 06:59
Reporter: YancyLii
Assigned To: (unassigned)
Priority: urgent
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.46
Summary: 0000611: Heap-buffer-overflow in varexpand Function of softmagic.c
Description: A heap-buffer-overflow occurs in the varexpand function within softmagic.c, triggered during the execution of the strstr function. This indicates that the function is reading beyond the allocated memory buffer.

Steps To Reproduce:
1. Download the attachment tar.gz file and decompress it, then (sudo) execute the shell script
2. ./Test_libmagic_4 crash-47d714a3f279c48d5294afd4020f8adad53a6653
3. Observe the error message

Additional Information: The issue was identified using AddressSanitizer, which flagged the out-of-bounds read operation. It appears that the buffer size is not being correctly managed in the varexpand function, leading to this overflow.

Crash Log:
==67344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51a000000b90 at pc 0x56397c8f4cc4 bp 0x7ffc12063640 sp 0x7ffc12062e00
READ of size 641 at 0x51a000000b90 thread T0
    #0 0x56397c8f4cc3 in StrstrCheck(void*, char*, char const*, char const*) asan_interceptors.cpp.o
    #1 0x56397c8f49e6 in strstr (.../Test_libmagic_1/Test_libmagic_Id7315+0x819e6) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #2 0x56397c9c6c8e in varexpand .../Test_libmagic_1/file/build/src/../../src/softmagic.c:534:26
    #3 0x56397c9c6ee5 in handle_annotation .../Test_libmagic_1/file/build/src/../../src/softmagic.c:2505:7
    #4 0x56397c9c93c5 in match .../Test_libmagic_1/file/build/src/../../src/softmagic.c:295:12
    #5 0x56397c9cadd7 in file_softmagic .../Test_libmagic_1/file/build/src/../../src/softmagic.c:136:13
    #6 0x56397c9c3b49 in file_buffer .../Test_libmagic_1/file/build/src/../../src/funcs.c:460:7
    #7 0x56397c9ba49b in magic_buffer .../Test_libmagic_1/file/build/src/../../src/magic.c:559:6
    #8 0x56397c9b9993 in LLVMFuzzerTestOneInput (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x146993) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #9 0x56397c8c1da4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x4eda4) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #10 0x56397c8ab016 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x38016) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #11 0x56397c8b0bb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x3dbb6) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #12 0x56397c8db276 in main (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x68276) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #13 0x7f5df2b2e1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f5df2b2e28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #15 0x56397c8a5bb4 in _start (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x32bb4) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)

0x51a000000b90 is located 0 bytes after 1296-byte region [0x51a000000680,0x51a000000b90)
allocated by thread T0 here:
    #0 0x56397c9b73e1 in operator new[](unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x1443e1) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #1 0x56397c8c1cb5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x4ecb5) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #2 0x56397c8ab016 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x38016) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #3 0x56397c8b0bb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x3dbb6) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #4 0x56397c8db276 in main (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x68276) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)
    #5 0x7f5df2b2e1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f5df2b2e28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x56397c8a5bb4 in _start (/home/liyan/Test_libmagic_1/Test_libmagic_Id7315+0x32bb4) (BuildId: 4fde7319b4b3c7c2ff72a2f119a14a19e3e5724d)

SUMMARY: AddressSanitizer: heap-buffer-overflow asan_interceptors.cpp.o in StrstrCheck(void*, char*, char const*, char const*)
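Reading the report: ASan flags a 641-byte read whose first out-of-bounds byte is the byte immediately after the 1296-byte heap region, with strstr as the reading frame. That shape is what a string function produces when it scans for a NUL terminator that is not inside the buffer it was handed. The block below is an added example, not code from file or from the reporter, showing the defensive pattern that fixes for this class of bug usually take: verify that a terminator exists within the known length, or search with an explicit bound instead of strstr. The SAMPLE bytes are constructed for the demo, and treating this pattern as the root cause inside varexpand is an assumption the report does not confirm.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-bounded substring search: never reads past hay + len, so it is
 * safe on data that is not guaranteed to be NUL-terminated (fuzzer input,
 * raw file contents, fixed-size struct fields). strstr() has no such bound. */
static const char *
bounded_strstr(const char *hay, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);

    if (nlen == 0)
        return hay;
    if (len < nlen)
        return NULL;
    /* i + nlen <= len guarantees every memcmp stays inside the region */
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    }
    return NULL;
}

/* Pre-check before handing a buffer to any str* function: returns 1 only
 * if a NUL exists within the first len bytes. */
static int
has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Offset of "${" (the token varexpand looks for) inside the first len bytes
 * of region, or -1 if it is not fully contained in that range. */
static long
find_in_region(const char *region, size_t len)
{
    const char *p = bounded_strstr(region, len, "${");
    return p == NULL ? -1L : (long)(p - region);
}

/* Constructed sample: 16 bytes of magic-like text with no NUL anywhere,
 * i.e. the situation the ASan report describes. "${" sits at offset 10. */
static const char SAMPLE[16] = {
    'm','i','m','e','/','t','y','p','e',' ','$','{','x','}','y','z'
};

/* Worked check: strstr(SAMPLE, "${") would run off the end of SAMPLE looking
 * for a zero byte; the bounded search stays inside and still finds offset 10.
 * Returns -2 if the sample unexpectedly contains a terminator. */
static long
demo_offset(void)
{
    if (has_terminator(SAMPLE, sizeof SAMPLE))
        return -2;
    return find_in_region(SAMPLE, sizeof SAMPLE);
}

int
main(void)
{
    printf("terminator inside region: %d\n", has_terminator(SAMPLE, sizeof SAMPLE));
    printf("\"${\" found at offset: %ld\n", demo_offset());
    /* a needle that would straddle the end of the region is not matched */
    printf("search limited to 11 bytes: %ld\n", find_in_region(SAMPLE, 11));
    return 0;
}
```

The second probe in main is the edge case that matters for a fix: with the length cut to 11 bytes, only the first byte of "${" lies inside the region, and the bounded search reports no match rather than reading the byte beyond the limit.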
Tags: No tags attached.

Activities

YancyLii

2025-01-08 06:59

reporter  

Test_libmagic_4.tar.gz (1,299 bytes)

Issue History

Date Modified Username Field Change
2025-01-08 06:59 YancyLii New Issue
2025-01-08 06:59 YancyLii File Added: Test_libmagic_4.tar.gz