Commit 1a3cb25a authored by alvaro's avatar alvaro Committed by Serge Lamikhov-Center

Fix oob read terminating data with 0

Fix crash e3c41070342cf84dea077356ddbb8ebf4326a601

==12073==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000003bb at pc 0x0000004c234c bp 0x7fcf6359ec30 sp 0x7fcf6359e3
e0
READ of size 11 at 0x6110000003bb thread T0
    #0 0x4c234b in __interceptor_strlen.part.30 /home/alvaro/tools/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitize
r_common_interceptors.inc:301
    #1 0x7165e6579d87 in std::char_traits<char>::length(char const*) /build/gcc-multilib/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3
/include/bits/char_traits.h:269
    #2 0x7165e6579d87 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std
::allocator<char> const&) /build/gcc-multilib/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.h:495
    #3 0x5c3333 in ELFIO::elfio::load_sections(std::istream&) /home/alvaro/fuzzers/elfio/ELFIO/examples/libfuzzer/../../elfio/elfio.hpp
:413:44
...@@ -243,19 +243,20 @@ class section_impl : public section ...@@ -243,19 +243,20 @@ class section_impl : public section
Elf_Xword size = get_size(); Elf_Xword size = get_size();
if ( 0 == data && SHT_NULL != get_type() && SHT_NOBITS != get_type() && size < get_stream_size()) { if ( 0 == data && SHT_NULL != get_type() && SHT_NOBITS != get_type() && size < get_stream_size()) {
try { try {
data = new char[size]; data = new char[size + 1];
} catch (const std::bad_alloc&) { } catch (const std::bad_alloc&) {
data = 0; data = 0;
data_size = 0; data_size = 0;
} }
if ( 0 != size ) { if ( 0 != size ) {
stream.seekg( (*convertor)( header.sh_offset ) ); stream.seekg( (*convertor)( header.sh_offset ) );
stream.read( data, size ); stream.read( data, size );
data_size = size; data[size] = 0; //ensure data is ended with 0 to avoid oob read
} data_size = size;
} }
}
} }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------
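Review bot: The new `data[size] = 0;` line is reached even when `new char[size + 1]` threw and the catch branch set `data = 0`, because the `if ( 0 != size )` block never checks that the allocation succeeded; in that case the terminator is written through a null pointer (and `stream.read` already received a null buffer before this change). Guarding the block as `if ( 0 != size && 0 != data ) {` closes that path. Separately, `stream.read( data, size )` may come up short — the guard on the outer `if` compares only `size` with `get_stream_size()`, not `sh_offset + size` after the `seekg` — so presumably part of the buffer can stay uninitialized while `data_size = size` reports a complete read; checking `stream.gcount()` or the stream state and resetting `data`/`data_size` on failure would keep the terminator fix meaningful. The enclosing function starts before this hunk.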