Heap-based buffer overflow in the yylex() function

[fcambus]

Hi,

While fuzzing yabasic 2.86.1 with Honggfuzz, I found a heap-based buffer overflow in the yylex() function, in flex.c.

Attaching a reproducer (gzipped so GitHub accepts it): test01.yab.gz

Issue can be reproduced by running:

yabasic test01.yab

=================================================================
==20945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000223 at pc 0x0000005a1a77 bp 0x7ffd03025cb0 sp 0x7ffd03025ca8
WRITE of size 1 at 0x603000000223 thread T0
    #0 0x5a1a76 in yylex /home/fcambus/yabasic-2.86.1/flex.c:3100:27
    #1 0x5aad98 in yyparse /home/fcambus/yabasic-2.86.1/bison.c:3338:16
    #2 0x4f9497 in main /home/fcambus/yabasic-2.86.1/main.c:293:6
    #3 0x7f5abf9cab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #4 0x41da49 in _start (/home/fcambus/yabasic-2.86.1/yabasic+0x41da49)

Address 0x603000000223 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/yabasic-2.86.1/flex.c:3100:27 in yylex
Shadow bytes around the buggy address:
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 07 fa fa 00 00 00 04 fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
  0x0c067fff8020: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fff8030: fa fa 00 00 01 fa fa fa 00 00 00 05 fa fa fa fa
=>0x0c067fff8040: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20945==ABORTING

[marcIhm]

Confirmed. I see the same error (and some more warnings too ...). Will fix this. Please stand by.

[fcambus]

This issue has been assigned CVE-2019-19720.

[marcIhm]

Fixed with 2.86.2.
Thanx for pointing me at address-sanitizer !

[fcambus]

Thanks for the fix, 2.86.2 solves the issue for me as well.

In the future, it would be nice if you could mention the CVE in the ChangeLog and in the release notes, as it helps distribution packagers who track the CVE database to figure out which issues were fixed by a particular release.

[marcIhm]

Hi, I see. Unfortunately I read your suggestion only after releasing 2.86.3 :-/  But I will follow you with the next patch (if you happen to find another vulnerability ...) regards Marc On 13.12.2019 20:11:35, Frederic Cambus <notifications@github.com> wrote: Thanks for the fix, 2.86.2 solves the issue for me as well. In the future, it would be nice if you could mention the CVE in the ChangeLog and in the release notes, as it helps distribution packagers who track the CVE database to figure out which issues were fixed by a particular release. — You are receiving this because you commented. Reply to this email directly, view it on GitHub [#36?email_source=notifications&amp;email_token=AC5EZHXHCV5UUHDCYJAYI2LQYPM6JA5CNFSM4JY6GXE2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEG26WZI#issuecomment-565570405], or unsubscribe [https://github.com/notifications/unsubscribe-auth/AC5EZHSCXFN2TBOQRJENEKLQYPM6JANCNFSM4JY6GXEQ].