out of bounds access in fy_utf8_get

[rivit98]

Hi, I found the following problem while fuzzing libfyaml

Code version

6e52e4d8b6adb01cc2fc377fab7b7fd523364438

How to reproduce

#include <stdio.h>
#include <libfyaml.h>

int main() {
  char s[8] = "\x3e\x20\x23\x01\xdc\x93\xd1\x00"; //simulate string read
  fy_document_destroy(fy_document_build_from_string(NULL, s, strlen(s)));
}

compile & link with fuzzer support. Run and observe ASAN output:

==505107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x71d730209028 at pc 0x60278e5ee46c bp 0x7fffd4ae8c10 sp 0x7fffd4ae8c08
READ of size 1 at 0x71d730209028 thread T0
    #0 0x60278e5ee46b in fy_utf8_get /home/rivit/workspace/fuzzing/libfyaml/src/util/fy-utf8.h:81:8
    #1 0x60278e5f14b7 in fy_reader_advance_octets /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:632:19
    #2 0x60278e5f14b7 in fy_reader_advance_slow_path /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.c:978:2
    #3 0x60278e666b14 in fy_reader_advance /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:651:3
    #4 0x60278e666b14 in fy_advance /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-parse.h:498:2
    #5 0x60278e666b14 in fy_fetch_block_scalar /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-parse.c:3401:2
    #6 0x60278e69aaf5 in fy_fetch_tokens /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-parse.c:5139:8
    #7 0x60278e69cb06 in fy_scan_peek /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-parse.c:5234:8
    #8 0x60278e69ef20 in fy_parse_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-parse.c:5707:8
    #9 0x60278e59efca in fy_document_builder_load_document /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-docbuilder.c:560:11
    #10 0x60278e55f40f in fy_parse_load_document_with_builder /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:1918:8
    #11 0x60278e56c2b2 in fy_document_build_internal /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3283:8
    #12 0x60278e559d18 in fy_document_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-doc.c:3340:9
    #13 0x60278e516977 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:6:23
    #14 0x71d73222a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x71d73222a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x60278e43d4c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1114c4) (BuildId: 05862c3415991ffc6ea085038da016542931c6b0)

Address 0x71d730209028 is located in stack of thread T0 at offset 40 in frame
    #0 0x60278e5168c7 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:4

  This frame has 1 object(s):
    [32, 40) 's' (line 5) <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/rivit/workspace/fuzzing/libfyaml/src/util/fy-utf8.h:81:8 in fy_utf8_get

[rivit98]

@pantoniou sorry for juggling issues, I managed to reproduce the problem of OOB access in the case of data that is null terminated.

[pantoniou]

No problem,

I am aware of the reported issues. Will find some time to fix them shortly.

Thanks for reporting btw.