
Heap buffer overflow #82

Closed
ghost opened this issue Sep 16, 2015 · 3 comments

Comments

@ghost

ghost commented Sep 16, 2015

Build cmark with -fsanitize=address, then

$ echo -e "# 000000[0\x00\x0000000000000000000\x000\x00000000000](p0000\\" | ./cmark

Output:

==7307== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600c0000bf38 at pc 0x4cb8dd bp 0x7ffc3308d950 sp 0x7ffc3308d948
READ of size 1 at 0x600c0000bf38 thread T0
    #0 0x4cb8dc (cmark/build/src/cmark+0x4cb8dc)
    #1 0x4537eb (cmark/build/src/cmark+0x4537eb)
    #2 0x446079 (cmark/build/src/cmark+0x446079)
    #3 0x42e25c (cmark/build/src/cmark+0x42e25c)
    #4 0x403057 (cmark/build/src/cmark+0x403057)
    #5 0x7f515758eaa4 (/lib64/libc-2.20.so+0x21aa4)
    #6 0x404369 (cmark/build/src/cmark+0x404369)
0x600c0000bf38 is located 0 bytes to the right of 56-byte region [0x600c0000bf00,0x600c0000bf38)
allocated by thread T0 here:
    #0 0x7f515791a5df (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.4/libasan.so.0.0.0+0x155df)
    #1 0x5514bd (cmark/build/src/cmark+0x5514bd)
Shadow bytes around the buggy address:
  0x0c01ffff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01ffff97e0: 00 00 00 00 00 00 00[fa]fa fa fa fa fd fd fd fd
  0x0c01ffff97f0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c01ffff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7307== ABORTING

afl
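The report above says everything a practitioner needs about the shape of the bug: a READ of size 1 landing 0 bytes to the right of a 56-byte heap region, on an input that contains embedded NUL bytes and ends in a backslash. The following is an added example, not cmark's code and not the fix that landed in b59da4f: a hypothetical link-destination scanner (`scan_link_dest_vuln`, `scan_link_dest_safe` and the `heap_copy` helper are all invented here) that shows how an unguarded one-byte lookahead after a backslash produces exactly that ASan signature, next to the bounds-checked form. The input bytes are constructed for the example and only mimic the issue's case.

```c
/*
 * Added example (not cmark's code, and not the bug fixed in b59da4f): a
 * hypothetical link-destination scanner showing how a trailing backslash in
 * the input becomes the 1-byte heap read "0 bytes to the right" of a
 * malloc'ed region that ASan reports above, and the bounds-checked fix.
 * Build with:  cc -g -fsanitize=address scan.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOT_FOUND (-1L)

/* Vulnerable scanner: looks for the ')' that closes a link destination,
 * honouring backslash escapes. On '\\' it peeks at the next byte without
 * checking that one exists. */
static long scan_link_dest_vuln(const unsigned char *buf, size_t len, size_t pos)
{
    size_t i = pos;
    while (i < len) {
        if (buf[i] == '\\') {
            /* BUG: when i + 1 == len this reads one byte past the end of buf.
             * With buf malloc'ed at exactly len bytes, ASan reports
             * "READ of size 1 ... 0 bytes to the right of <len>-byte region". */
            if (buf[i + 1] == ')') { i += 2; continue; }
            i++;
            continue;
        }
        if (buf[i] == ')')
            return (long)i;
        i++;
    }
    return NOT_FOUND;
}

/* Fixed scanner: every read is guarded by the explicit length. Embedded NUL
 * bytes (the \x00 in the issue's input) are ordinary data, so the length is
 * never derived from strlen(). */
static long scan_link_dest_safe(const unsigned char *buf, size_t len, size_t pos)
{
    size_t i = pos;
    while (i < len) {
        if (buf[i] == '\\') {
            if (i + 1 < len && buf[i + 1] == ')') { i += 2; continue; }
            i++;
            continue;
        }
        if (buf[i] == ')')
            return (long)i;
        i++;
    }
    return NOT_FOUND;
}

/* Copy src into a heap block of exactly len bytes (no terminating NUL), so
 * that the byte past the end is ASan's redzone rather than slack space. */
static unsigned char *heap_copy(const unsigned char *src, size_t len)
{
    unsigned char *p = malloc(len);
    if (p == NULL) { perror("malloc"); exit(1); }
    memcpy(p, src, len);
    return p;
}

int main(void)
{
    /* Constructed input in the spirit of the report: embedded NULs and a
     * trailing backslash, no closing ')'. sizeof - 1 drops the literal's NUL. */
    static const unsigned char input[] = "# 0[0\0\0 0](p0000\\";
    const size_t len = sizeof input - 1;
    unsigned char *heap = heap_copy(input, len);

    /* Start scanning just after the '(' that opens the destination. */
    const unsigned char *open = memchr(heap, '(', len);
    size_t pos = open ? (size_t)(open - heap) + 1 : 0;

    printf("safe scanner: %ld\n", scan_link_dest_safe(heap, len, pos)); /* -1 */

    /* Uncomment to reproduce the overflow under -fsanitize=address:
     * printf("vuln scanner: %ld\n", scan_link_dest_vuln(heap, len, pos)); */
    free(heap);
    return 0;
}
```

Two points worth carrying away. First, the safe variant takes an explicit length and never calls `strlen`, which is what makes inputs with embedded NUL bytes (as in the fuzzer's case) safe to scan. Second, a one-byte over-read like this rarely crashes a non-ASan build, because the byte past the end is usually readable heap metadata or another allocation; that is why a sanitizer build is the right tool for triaging fuzzer output, and why "does not crash without ASan" is not on its own evidence that the read is harmless.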

@jgm
Member

jgm commented Sep 17, 2015

Weird thing about this is that if I change just about anything in the input, the error disappears. E.g. a different number of 0s at the beginning. I'll also note that

$ echo -e "# 000000[0\x00\x0000000000000000000\x000\x00000000000](p0000\\" | ./cmark

produces the error with bash, but not with sh, presumably because of differences in treatment of hex escapes?

@ghost
Author

ghost commented Sep 17, 2015

It's a minimized test case. afl-fuzz -C generated about six thousand different crashing inputs before I stopped it.

@ghost
Author

ghost commented Sep 17, 2015

None of them seem to crash non-ASan build of cmark, though, so it's probably not exploitable.

@jgm jgm closed this as completed in b59da4f Dec 23, 2015
jgm added a commit that referenced this issue Jan 11, 2016
Closes #97.

This was also checked against the #82 case with asan.