Open
Description
Hi, I'm not sure if this library is still maintained but there are a few memory OOB issues in smaz_decompress. In particular, it takes both an input buffer and length, but it will read out of bounds on the input in the following cases:
1. Ending with 0xff
The byte 0xff marks a verbatim string, smaz_decompress unconditionally reads the next input character to find the length.
2. Ending with 0xfe
Similarly, byte 0xfe marks a verbatim byte; the next character is unconditionally written to the output.
E.g. see the following testcase:
testcase.cpp

```cpp
#include <cstdio>
#include <cstdint>
#include <cstring>
extern "C" {
#include "smaz.h"
}
int main(){
    const char input[1] = {(char)0xFF}; // malformed SMAZ: 0xFF verbatim marker but no length byte follows
    char out[16];
    // OOB read occurs in smaz_decompress when it reads *(c+1) with inlen==1
    int ret = smaz_decompress((char*)input, 1, out, (int)sizeof(out));
    printf("ret=%d\n", ret);
    return 0;
}
```

crash report

```
==12==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fea1be00021 at pc 0x55d1c068a2b4 bp 0x7ffc0ba41e80 sp 0x7ffc0ba41e78
READ of size 1 at 0x7fea1be00021 thread T0
    #0 0x55d1c068a2b3 in smaz_decompress /fuzz/src/smaz.c:173:24
    #1 0x55d1c06894c7 in main /fuzz/workspace/test.cpp:11:15
    #2 0x7fea1dad8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fea1dad8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x55d1c05ae2e4 in _start (/fuzz/workspace/test+0x362e4) (BuildId: 7062a534da1f8ed21167ac5d16ee4b9523676d2f)

Address 0x7fea1be00021 is located in stack of thread T0 at offset 33 in frame
    #0 0x55d1c06893ef in main /fuzz/workspace/test.cpp:7

  This frame has 2 object(s):
    [32, 33) 'input' (line 8) <== Memory access at offset 33 overflows this variable
    [48, 64) 'out' (line 9)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /fuzz/src/smaz.c:173:24 in smaz_decompress
```
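A defensive pre-check for the truncation cases in the report, added here as an example and not part of smaz or the reporter's test case. It assumes the SMAZ encoding where 0xfe is followed by exactly one verbatim byte and 0xff by a length byte N followed by N+1 verbatim bytes; beyond the two cases above it also rejects a 0xff whose declared length runs past the end of the input, which would otherwise make the decoder copy out of bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Validate a SMAZ-compressed buffer before handing it to smaz_decompress().
 * Returns 1 if every verbatim marker and its payload lie inside `in`,
 * 0 if the input is truncated (the shapes that make smaz_decompress
 * read past the end of its input).
 *
 * Assumed encoding (SMAZ format, not taken from the issue text):
 *   0xfe  : one verbatim byte follows
 *   0xff  : a length byte N follows, then N+1 verbatim bytes
 *   other : a single-byte codebook index with no payload */
int smaz_validate(const unsigned char *in, size_t inlen)
{
    size_t i = 0;
    while (i < inlen) {
        unsigned char c = in[i];
        if (c == 0xfe) {
            /* case 2 from the report: marker is the last byte, verbatim byte missing */
            if (inlen - i < 2) return 0;
            i += 2;
        } else if (c == 0xff) {
            /* case 1 from the report: marker is the last byte, length byte missing */
            if (inlen - i < 2) return 0;
            size_t need = (size_t)in[i + 1] + 1;   /* N+1 payload bytes */
            /* declared payload extends past the end of the input */
            if (inlen - i - 2 < need) return 0;
            i += 2 + need;
        } else {
            i += 1;                                /* codebook entry, no payload */
        }
    }
    return 1;
}

int main(void)
{
    /* constructed samples, not taken from the issue */
    const unsigned char trunc_ff[]  = { 0xff };                  /* case 1 */
    const unsigned char trunc_fe[]  = { 0xfe };                  /* case 2 */
    const unsigned char short_len[] = { 0xff, 0x03, 'a', 'b' };  /* declares 4 bytes, carries 2 */
    const unsigned char ok[]        = { 0xfe, 'x', 0xff, 0x01, 'y', 'z', 0x00 };
    printf("%d %d %d %d\n",
           smaz_validate(trunc_ff,  sizeof trunc_ff),
           smaz_validate(trunc_fe,  sizeof trunc_fe),
           smaz_validate(short_len, sizeof short_len),
           smaz_validate(ok,        sizeof ok));   /* prints "0 0 0 1" */
    return 0;
}
```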