Another Heap Buffer Overflow on bchunk v1.2.1 and v1.2.0

[kongwenbin]

This issue is a heap-related error similar to https://github.com/extramaster/bchunk/issues/2 but when replicated using gdb exploitable, it has a hash value that is different. There were 10 different payloads that produces the same hash value as https://github.com/extramaster/bchunk/issues/2 but only 1 other payload produces the following hash value, which makes it evident that this heap-related error is caused by a different part of the code.

• v1.2.0: dee2679e6e5af60ee000eb3acd6a6521.9ed6687229c36ed4f3b6957d8de6f879

(gdb) exploitable
__main__:99: UserWarning: GDB v7.11 may not support required Python API
Description: Heap error
Short description: HeapError (10/22)
Hash: dee2679e6e5af60ee000eb3acd6a6521.9ed6687229c36ed4f3b6957d8de6f879
Exploitability Classification: EXPLOITABLE
Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
Other tags: AbortSignal (20/22)

• v1.2.1: 7dabe720a577c556f3502bc14a09e494.5f6e27cabe9c5ab0e08ffc984674d095

(gdb) exploitable
__main__:99: UserWarning: GDB v7.11 may not support required Python API
Description: Heap error
Short description: HeapError (10/22)
Hash: 7dabe720a577c556f3502bc14a09e494.5f6e27cabe9c5ab0e08ffc984674d095
Exploitability Classification: EXPLOITABLE
Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
Other tags: AbortSignal (20/22)

The following is the stack trace output from gdb:

2147483647: /dev/null2147483647.ugh    0/0    MB  [********************]  -0 %*** Error in `/opt/targetApps/bchunk-1.2.1/bchunk': free(): invalid next size (normal): 0x08051b40 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb7e6e377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb7e742f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xb7e74c31]
/lib/i386-linux-gnu/libc.so.6(fclose+0x177)[0xb7e64b57]
/opt/targetApps/bchunk-1.2.1/bchunk[0x804b6c4]
/opt/targetApps/bchunk-1.2.1/bchunk[0x80494c8]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb7e1f637]
/opt/targetApps/bchunk-1.2.1/bchunk[0x80498a5]

[kongwenbin]

As mentioned earlier, this is related to #2 but has a different (gdb exploitable) hash value compared to many other payloads. It should be fixed along with the commit that fixed #2 and #4.

Just to be sure, please try the following payload for verification as well:
poc.zip