This file will trigger a heap overflow in chmlib (test with enum_chmLib):
https://crashes.fuzzing-project.org/chmlib-heapoverflow-_chm_parse_UTF8.chm
To observe this, chmlib needs to be run under Valgrind or compiled with AddressSanitizer. Found with the help of american fuzzy lop.
Address Sanitizer output:
==6072==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a100 at pc 0x0000004e6218 bp 0x7fff56b17050 sp 0x7fff56b17048
READ of size 1 at 0x62100001a100 thread T0
#0 0x4e6217 in _chm_parse_UTF8 /f/chmlib-0.40/src/chm_lib.c:1133:26
#1 0x4e6217 in _chm_parse_PMGL_entry /f/chmlib-0.40/src/chm_lib.c:1152
#2 0x4e6217 in chm_enumerate /f/chmlib-0.40/src/chm_lib.c:1675
#3 0x4dcc8e in main /f/chmlib-0.40/src/enum_chmLib.c:80:15
#4 0x7faa8bb3ef9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#5 0x4363d6 in _start (/mnt/ram/chmlib/enum_chmLib+0x4363d6)
0x62100001a100 is located 0 bytes to the right of 4096-byte region [0x621000019100,0x62100001a100)
allocated by thread T0 here:
#0 0x4bd3a2 in __interceptor_malloc (/mnt/ram/chmlib/enum_chmLib+0x4bd3a2)
#1 0x4e4d5d in chm_enumerate /f/chmlib-0.40/src/chm_lib.c:1628:23
#2 0x4dcc8e in main /f/chmlib-0.40/src/enum_chmLib.c:80:15
SUMMARY: AddressSanitizer: heap-buffer-overflow /f/chmlib-0.40/src/chm_lib.c:1133 _chm_parse_UTF8
Shadow bytes around the buggy address:
0x0c427fffb3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb420:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6072==ABORTING
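The trace above shows a one-byte read at exactly the end of a 4096-byte heap region, made while parsing a directory entry's name: a length value taken from the file is trusted and the copy runs past the page buffer it was given. The following is an added example, not chmlib's own code, written to show the defensive check that class of bug needs: the parser is handed the end of the buffer and compares the declared length against the bytes actually remaining before copying. The function names, the 512-byte output limit and the sample page contents are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not chmlib's code. Models the failure mode in the report:
 * a directory entry carries a length field read from the file, and the entry
 * name is then copied out of a fixed-size page buffer (4096 bytes, as in the
 * ASan trace). If the copy trusts the length field without checking how many
 * bytes remain in the buffer, the read runs one past the allocation, which is
 * the "0 bytes to the right of 4096-byte region" read ASan reported. */

#define PAGE_SIZE    4096
#define MAX_PATH_LEN 512   /* hypothetical output limit for this example */

/* Copy `count` bytes of a name out of [*cur, end) into path.
 * Returns 1 on success and advances *cur; returns 0 without touching either
 * buffer when count exceeds the bytes left in the page or the output size. */
static int parse_utf8_bounded(const uint8_t **cur, const uint8_t *end,
                              size_t count, char *path, size_t path_cap)
{
    /* Compare sizes instead of forming *cur + count: a pointer computed past
     * the buffer is itself undefined behaviour and can wrap. */
    if (*cur > end || count > (size_t)(end - *cur))
        return 0;                       /* length field points past the page */
    if (count >= path_cap)
        return 0;                       /* would not fit with the terminator */
    memcpy(path, *cur, count);
    path[count] = '\0';
    *cur += count;
    return 1;
}

/* Models the caller in the report: one page buffer and an entry whose
 * declared length comes straight from the (untrusted) file. */
int check_entry(const uint8_t *page, size_t page_len, size_t declared_len,
                char *out, size_t out_cap)
{
    const uint8_t *cur = page;
    const uint8_t *end = page + page_len;
    return parse_utf8_bounded(&cur, end, declared_len, out, out_cap);
}

/* Constructed sample page: a 10-byte name followed by filler. */
static void build_page(uint8_t *page)
{
    memset(page, 'x', PAGE_SIZE);
    memcpy(page, "/index.htm", 10);
}

/* Well-formed entry: length field fits in the page, name is copied out. */
int demo_in_bounds(char *out, size_t out_cap)
{
    uint8_t page[PAGE_SIZE];
    build_page(page);
    return check_entry(page, PAGE_SIZE, 10, out, out_cap);
}

/* Malformed entry: length field claims one byte more than the page holds,
 * i.e. the single out-of-bounds byte ASan flagged. The check rejects it
 * instead of reading past the buffer. */
int demo_past_end(char *out, size_t out_cap)
{
    uint8_t page[PAGE_SIZE];
    build_page(page);
    return check_entry(page, PAGE_SIZE, PAGE_SIZE + 1, out, out_cap);
}

int main(void)
{
    char name[MAX_PATH_LEN];
    printf("in-bounds entry: %d (%s)\n", demo_in_bounds(name, sizeof name), name);
    printf("oversized entry: %d\n", demo_past_end(name, sizeof name));
    return 0;
}
```

The same shape applies wherever a length or offset comes from the file: the decoder must know the true end of the buffer it reads from and must bound both the source read and the destination write against it, which is also what makes the ASan-instrumented build above stop reporting the read.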