Closed
There is a very simple stack buffer overflow in transicc:
```
$ ./transicc -i ../../testbed/test1.icc
LittleCMS ColorSpace conversion calculator - 4.3 [LittleCMS 2.07]
Enter values, 'q' to quit
C? 1
=================================================================
==10338==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0e6606f0 at pc 0x7fa6864c31d2 bp 0x7ffc0e660060 sp 0x7ffc0e660018
WRITE of size 4096 at 0x7ffc0e6606f0 thread T0
    #0 0x7fa6864c31d1 in scanf_common ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307
    #1 0x7fa6864c3911 in __interceptor___isoc99_vscanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:598
    #2 0x7fa6864c39f7 in __interceptor___isoc99_scanf ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:630
    #3 0x40f38e in GetLine /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:630
    #4 0x40f994 in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:746
    #5 0x40b55d in main /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:1274
    #6 0x7fa685bd7ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x40e52c (/home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc+0x40e52c)

Address 0x7ffc0e6606f0 is located in stack of thread T0 at offset 928 in frame
    #0 0x40f7af in TakeFloatValues /home/mikispag/Downloads/lcms2-2.7/utils/transicc/transicc.c:719

  This frame has 7 object(s):
    [32, 34) 'index'
    [96, 136) 'Name'
    [192, 232) 'Prefix'
    [288, 328) 'Suffix'
    [384, 640) 'ChannelName'
    [672, 928) 'Buffer'
    [960, 5056) 'Buffer' <== Memory access at offset 928 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../.././libsanitizer/sanitizer_common/sanitizer_common_interceptors_scanf.inc:307 scanf_common
Shadow bytes around the buggy address:
  0x100001cc4080: f2 f2 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x100001cc4090: 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x100001cc40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100001cc40b0: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00
  0x100001cc40c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100001cc40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2
  0x100001cc40e0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100001cc40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100001cc4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100001cc4110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100001cc4120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==10338==ABORTING
```
This is because in `TakeFloatValues` (transicc.c:746) a

```c
char Buffer[cmsMAX_PATH];
```

with `cmsMAX_PATH = 256` is declared and passed to `GetLine`, and then, in transicc.c:630, a

```c
res = scanf("%4095s", Buffer);
```

overflows it.
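A bounded replacement for the `GetLine` read, as an added example (not lcms2's own code): the `%s` width is derived from the destination size instead of the fixed `%4095s`, and truncation is reported so the caller can reject over-long input rather than silently using a cut value. Names here are assumed, and the reader scans a string rather than `stdin` so it can be exercised offline.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMS_MAX_PATH_DEMO 256  /* stand-in for cmsMAX_PATH (256) from the report */

/* Scan one whitespace-delimited token from 'line' into buf[size].
 * The width is built from 'size', so at most size-1 characters plus the
 * terminator are ever written. Returns 1 on success, 0 if no token was
 * found, and -1 if the token did not fit and had to be truncated. */
int scan_token_bounded(const char *line, char *buf, size_t size)
{
    char fmt[32];
    int consumed = 0;

    if (size < 2) return 0;
    buf[0] = '\0';
    /* builds e.g. "%255s%n" for a 256-byte buffer */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", size - 1);
    if (sscanf(line, fmt, buf, &consumed) != 1) return 0;
    /* if the character right after the consumed span is neither whitespace
       nor end of string, the token was longer than the buffer */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -1;
    return 1;
}

/* Demo: the "C? " prompt from the report answered with a constructed
 * 5000-character value, read into a 256-byte Buffer. Returns the scan
 * result and stores how many characters actually landed in Buffer. */
int demo_overlong_value(size_t *out_len)
{
    static char line[5002];
    char Buffer[CMS_MAX_PATH_DEMO];
    int rc;

    memset(line, '7', 5000);
    line[5000] = '\n';
    line[5001] = '\0';
    rc = scan_token_bounded(line, Buffer, sizeof Buffer);
    *out_len = strlen(Buffer);
    return rc;  /* -1: truncated, *out_len == 255 */
}

int main(void)
{
    size_t len = 0;
    int rc = demo_overlong_value(&len);
    printf("rc=%d, stored %zu of 5000 characters\n", rc, len);
    return 0;
}
```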