```
==68909==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000026a75 at pc 0x7fa5a53ed1b4 bp 0x7ffd452bbdb0 sp 0x7ffd452bbda8
READ of size 1 at 0x631000026a75 thread T0
    #0 0x7fa5a53ed1b3 in r_bin_java_read_from_buffer_verification_info_new /home/test/tmp/radare2/shlr/java/class.c:3889
    #1 0x7fa5a53ef970 in r_bin_java_stack_map_frame_new /home/test/tmp/radare2/shlr/java/class.c:4158
    #2 0x7fa5a53f05b3 in r_bin_java_stack_map_table_attr_new /home/test/tmp/radare2/shlr/java/class.c:4310
    #3 0x7fa5a53d953a in r_bin_java_read_next_attr_from_buffer /home/test/tmp/radare2/shlr/java/class.c:1995
    #4 0x7fa5a53d436d in r_bin_java_read_next_attr /home/test/tmp/radare2/shlr/java/class.c:1955
    #5 0x7fa5a53d5bb0 in r_bin_java_read_next_field /home/test/tmp/radare2/shlr/java/class.c:1455
    #6 0x7fa5a53db394 in r_bin_java_parse_fields /home/test/tmp/radare2/shlr/java/class.c:2123
    #7 0x7fa5a53dcc1a in r_bin_java_load_bin /home/test/tmp/radare2/shlr/java/class.c:2271
    #8 0x7fa5a53dc6e4 in r_bin_java_new_bin /home/test/tmp/radare2/shlr/java/class.c:2233
    #9 0x7fa5a53e38d6 in r_bin_java_new_buf /home/test/tmp/radare2/shlr/java/class.c:2943
    #10 0x7fa5a52781ff in load_bytes /home/test/tmp/radare2/libr/..//libr/bin/p/bin_java.c:77
    #11 0x7fa5a516df82 in r_bin_object_new /home/test/tmp/radare2/libr/bin/bin.c:1203
    #12 0x7fa5a516c45d in r_bin_file_new_from_bytes /home/test/tmp/radare2/libr/bin/bin.c:1428
    #13 0x7fa5a516b9fa in r_bin_load_io_at_offset_as_sz /home/test/tmp/radare2/libr/bin/bin.c:974
    #14 0x7fa5a5168da7 in r_bin_load_io_at_offset_as /home/test/tmp/radare2/libr/bin/bin.c:988
    #15 0x7fa5a5168b51 in r_bin_load_io /home/test/tmp/radare2/libr/bin/bin.c:831
    #16 0x7fa5a636ac0b in r_core_file_do_load_for_io_plugin /home/test/tmp/radare2/libr/core/file.c:429
    #17 0x7fa5a6367e07 in r_core_bin_load /home/test/tmp/radare2/libr/core/file.c:552
    #18 0x563b2044b408 in main /home/test/tmp/radare2/binr/radare2/radare2.c:898
    #19 0x7fa59f29d82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #20 0x563b20376f38 in _start ??:?

0x631000026a75 is located 0 bytes to the right of 74357-byte region [0x631000014800,0x631000026a75)
allocated by thread T0 here:
    #0 0x563b20417220 in calloc ??:?
    #1 0x7fa5a53d85f0 in r_bin_java_get_attr_buf /home/test/tmp/radare2/shlr/java/class.c:1876
    #2 0x7fa5a53d4343 in r_bin_java_read_next_attr /home/test/tmp/radare2/shlr/java/class.c:1952
    #3 0x7fa5a53d5bb0 in r_bin_java_read_next_field /home/test/tmp/radare2/shlr/java/class.c:1455
    #4 0x7fa5a53db394 in r_bin_java_parse_fields /home/test/tmp/radare2/shlr/java/class.c:2123
    #5 0x7fa5a53dcc1a in r_bin_java_load_bin /home/test/tmp/radare2/shlr/java/class.c:2271
    #6 0x7fa5a53dc6e4 in r_bin_java_new_bin /home/test/tmp/radare2/shlr/java/class.c:2233
    #7 0x7fa5a53e38d6 in r_bin_java_new_buf /home/test/tmp/radare2/shlr/java/class.c:2943
    #8 0x7fa5a52781ff in load_bytes /home/test/tmp/radare2/libr/..//libr/bin/p/bin_java.c:77
    #9 0x7fa5a516df82 in r_bin_object_new /home/test/tmp/radare2/libr/bin/bin.c:1203
    #10 0x7fa5a516c45d in r_bin_file_new_from_bytes /home/test/tmp/radare2/libr/bin/bin.c:1428
    #11 0x7fa5a516b9fa in r_bin_load_io_at_offset_as_sz /home/test/tmp/radare2/libr/bin/bin.c:974
    #12 0x7fa5a5168da7 in r_bin_load_io_at_offset_as /home/test/tmp/radare2/libr/bin/bin.c:988
    #13 0x7fa5a5168b51 in r_bin_load_io /home/test/tmp/radare2/libr/bin/bin.c:831
    #14 0x7fa5a636ac0b in r_core_file_do_load_for_io_plugin /home/test/tmp/radare2/libr/core/file.c:429
    #15 0x7fa5a6367e07 in r_core_bin_load /home/test/tmp/radare2/libr/core/file.c:552
    #16 0x563b2044b408 in main /home/test/tmp/radare2/binr/radare2/radare2.c:898
    #17 0x7fa59f29d82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (//home/test/tmp/radare2/libr/bin/libr_bin.so+0x3431b3)
Shadow bytes around the buggy address:
  0x0c627fffccf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffcd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffcd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffcd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffcd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffcd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa
  0x0c627fffcd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffcd60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffcd70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffcd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffcd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68909==ABORTING
```
Repro file available here:
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/new-heap-buffer-overflow-815-a70-b3b-poc

Similar:
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/new-heap-buffer-overflow-0d4-b3b-165-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-afb-165-5b2-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-6d9-633-b3b-poc
https://github.com/mtowalski/radare2_quick_fuzz/tree/master/heap-buffer-overflow-6d9-a70-b3b-poc

OS: Ubuntu 16.04.1 LTS x64
r2_version: master
CMD: `radare2 -Acq i [FILE]`
ASAN log: