A heap-buffer-overflow was dex_descriptorClassToDot vdexExtractor-master/src/dex.c:1282

[Asteriska001]

Description

A heap-buffer-overflow was triggered by dex_descriptorClassToDot vdexExtractor-master/src/dex.c:1282

Version

Ver. 0.6.0 Latest Commit

Environment

Ubuntu 18.04，64bit

Command

./make
./vdexExtractor -i poc -o out -f --deps

ASAN

ASAN log.

=================================================================
==27110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d1 at pc 0x558b9c732dc2 bp 0x7ffcde3dde40 sp 0x7ffcde3dde30
WRITE of size 1 at 0x6020000000d1 thread T0
    #0 0x558b9c732dc1 in dex_descriptorClassToDot /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/dex.c:1282
    #1 0x558b9c73108e in dex_dumpClassInfo /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/dex.c:975
    #2 0x558b9c755779 in vdex_backend_010_process vdex/vdex_backend_010.c:387
    #3 0x558b9c7453f2 in vdex_010_process vdex/vdex_010.c:199
    #4 0x558b9c73fafc in main /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/vdexExtractor.c:257
    #5 0x7fb6dd07d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x558b9c72a94d in _start (/AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/bin/vdexExtractor+0x8c94d)

0x6020000000d1 is located 0 bytes to the right of 1-byte region [0x6020000000d0,0x6020000000d1)
allocated by thread T0 here:
    #0 0x7fb6dd681c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x558b9c73d66a in utils_malloc /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/utils.c:254
    #2 0x558b9c73d6db in utils_calloc /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/utils.c:263
    #3 0x558b9c732d18 in dex_descriptorClassToDot /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/dex.c:1279
    #4 0x558b9c73108e in dex_dumpClassInfo /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/dex.c:975
    #5 0x558b9c755779 in vdex_backend_010_process vdex/vdex_backend_010.c:387
    #6 0x558b9c7453f2 in vdex_010_process vdex/vdex_010.c:199
    #7 0x558b9c73fafc in main /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/vdexExtractor.c:257
    #8 0x7fb6dd07d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /AFLplusplus/my_test/vdexExtractor-master/fuzzVal/vdexExtractor-master/src/dex.c:1282 in dex_descriptorClassToDot
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 fa fa fa 00 07 fa fa fd fd fa fa fd fd
=>0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa[01]fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27110==ABORTING

Poc

Poc file.
id_000007,sig_11,src_000000,time_3970,execs_3138,op_havoc,rep_4.zip