2018-12-13 07:16 CET

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0005493libextractorextractpublic2018-12-04 09:08
ReporterJin 
Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
StatusnewResolutionopen 
PlatformLinuxOSUbuntuOS Version16.04 x64
Product Version1.8 
Target VersionFixed in Version 
Summary0005493: Out of Bound Read in function history_extract of ole2_extractor.c
DescriptionDescription:
Function history_extract() in ole2_extractor.c contains an out of bound read problem.
Details with asan output is as below:

=================================================================
==3258==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000013f8c at pc 0x00000044393f bp 0x7ffec17b3570 sp 0x7ffec17b2d20
READ of size 1030 at 0x619000013f8c thread T0
    #0 0x44393e in __strdup /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:461
    #1 0x7f3adcfea704 in EXTRACTOR_common_convert_to_utf8 /src/libextractor/src/common/convert.c
    #2 0x7f3add1f7448 in history_extract /src/libextractor/src/plugins/ole2_extractor.c:576:16
    #3 0x7f3add1f5cf6 in EXTRACTOR_ole2_extract_method /src/libextractor/src/plugins/ole2_extractor.c:993:10
    #4 0x7f3ae1e70475 in handle_start_message /src/libextractor/src/main/extractor_plugin_main.c:481:3
    #5 0x7f3ae1e6fb38 in process_requests /src/libextractor/src/main/extractor_plugin_main.c:532:13
    #6 0x7f3ae1e6f753 in EXTRACTOR_plugin_main_ /src/libextractor/src/main/extractor_plugin_main.c:633:3
    #7 0x7f3ae1e6ac18 in EXTRACTOR_IPC_channel_create_ /src/libextractor/src/main/extractor_ipc_gnu.c:355:7
    #8 0x7f3ae1e71ce6 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:658:17
    #9 0x52aaf4 in main /src/libextractor/src/main/extract.c:983:2
    #10 0x7f3ae0f5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41acf8 in _start (/usr/local/bin/extract+0x41acf8)

0x619000013f8c is located 0 bytes to the right of 1036-byte region [0x619000013b80,0x619000013f8c)
allocated by thread T0 here:
    #0 0x4e9a2f in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x7f3add1f7330 in history_extract /src/libextractor/src/plugins/ole2_extractor.c:560:26
    #2 0x7f3add1f5cf6 in EXTRACTOR_ole2_extract_method /src/libextractor/src/plugins/ole2_extractor.c:993:10
    #3 0x7f3ae1e70475 in handle_start_message /src/libextractor/src/main/extractor_plugin_main.c:481:3
    #4 0x7f3ae1e6fb38 in process_requests /src/libextractor/src/main/extractor_plugin_main.c:532:13
    #5 0x7f3ae1e6f753 in EXTRACTOR_plugin_main_ /src/libextractor/src/main/extractor_plugin_main.c:633:3
    #6 0x7f3ae1e6ac18 in EXTRACTOR_IPC_channel_create_ /src/libextractor/src/main/extractor_ipc_gnu.c:355:7
    #7 0x7f3ae1e71ce6 in EXTRACTOR_extract /src/libextractor/src/main/extractor.c:658:17
    #8 0x52aaf4 in main /src/libextractor/src/main/extract.c:983:2
    #9 0x7f3ae0f5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:461 in __strdup
Shadow bytes around the buggy address:
  0x0c327fffa7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffa7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fffa7f0: 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==3258==ABORTING

credit:ADLab of Venustech
Steps To Reproduceextract ole2-crash-ole2_extractor.c_576

TagsNo tags attached.
Attached Files

-Relationships Relation Graph ] Dependency Graph ]
+Relationships

-Notes

~0013383

Jin (reporter)

file ole2-crash-ole2_extractor.c_588 can also trigger it.
+Notes

-Issue History
Date Modified Username Field Change
2018-12-04 09:07 Jin New Issue
2018-12-04 09:07 Jin File Added: ole2-crash-ole2_extractor.c_576
2018-12-04 09:08 Jin File Added: ole2-crash-ole2_extractor.c_588
2018-12-04 09:08 Jin Note Added: 0013383
+Issue History