Public bug reported:

heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint when we
run ./fuzzers/matio_fuzzer ./crashes/poc.

root@6:/fuzz# ./fuzzers/matio_fuzzer crashes/crash-104
Reading 5045 bytes from crashes/crash-104
      Name: easy
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[6] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
}
      Name: easy
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[6] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
      Name: easy_with_sparse_and_tag
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[14] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
      Name: d_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
      Name: sp
      Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
}
      Name: easy_with_sparse_and_tag
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[14] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
      Name: d_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 2 3 4 
}
      Name: s_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
      Name: sp
      Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
{
    (1,1)  3.03865e-319
    (2,1)  3.16202e-322
    (3,1)  1.04347e-320
    (4,1)  2.05531e-320
    (5,1)  2.56124e-320
    (1,3)  4.83789e-320
    (2,3)  5.09085e-320
    (3,3)  5.34381e-320
    (4,3)  5.59678e-320
    (5,3)  5.84974e-320
    (1,5)  6.7351e-320
    (2,5)  6.86158e-320
    (3,5)  6.98806e-320
    (4,5)  7.11455e-320
    (5,5)  7.24103e-320
    (1,7)  7.99991e-320
    (2,7)  8.12639e-320
    (3,7)  4.15265e-317
    (4,7)  8.25287e-320
    (5,7)  4.15278e-317
    (1,9)  4.15316e-317
    (2,9)  8.7588e-320
    (3,9)  4.15328e-317
    (4,9)  8.88528e-320
    (5,9)  4.15341e-317
}
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
{
    (1,1)  3.03865e-319
    (2,2)  3.16202e-322
    (3,3)  1.04347e-320
    (4,4)  2.05531e-320
    (5,5)  2.56124e-320
    (6,6)  3.06716e-320
    (7,7)  3.57308e-320
    (8,8)  4.07901e-320
    (9,9)  4.33197e-320
    (10,10)  4.58493e-320
}
}
      Name: struct_nested
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[2] {
      Name: easy
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[6] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
}
      Name: easy_with_sparse_and_tag
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[14] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
      Name: d_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: s_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: i32_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i16_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i8_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: c_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
      Name: sp
      Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
}
}
      Name: struct_nested
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[2] {
      Name: easy
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[6] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
      Name: easy_with_sparse_and_tag
      Rank: 2
Dimensions: 1 x 1
Class Type: Structure
 Data Type: Structure
Fields[14] {
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
      Name: d_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 2 3 4 
}
      Name: s_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8_in_tag
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c_in_tag
      Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
      Name: sp
      Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
{
    (1,1)  3.03865e-319
    (2,1)  3.16202e-322
    (3,1)  1.04347e-320
    (4,1)  2.05531e-320
    (5,1)  2.56124e-320
    (1,3)  4.83789e-320
    (2,3)  5.09085e-320
    (3,3)  5.34381e-320
    (4,3)  5.59678e-320
    (5,3)  5.84974e-320
    (1,5)  6.7351e-320
    (2,5)  6.86158e-320
    (3,5)  6.98806e-320
    (4,5)  7.11455e-320
    (5,5)  7.24103e-320
    (1,7)  7.99991e-320
    (2,7)  8.12639e-320
    (3,7)  4.15265e-317
    (4,7)  8.25287e-320
    (5,7)  4.15278e-317
    (1,9)  4.15316e-317
    (2,9)  8.7588e-320
    (3,9)  4.15328e-317
    (4,9)  8.88528e-320
    (5,9)  4.15341e-317
}
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
{
    (1,1)  3.03865e-319
    (2,2)  3.16202e-322
    (3,3)  1.04347e-320
    (4,4)  2.05531e-320
    (5,5)  2.56124e-320
    (6,6)  3.06716e-320
    (7,7)  3.57308e-320
    (8,8)  4.07901e-320
    (9,9)  4.33197e-320
    (10,10)  4.58493e-320
}
}
}
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
      Name: d
      Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
 Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
      Name: s
      Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
 Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
      Name: i32
      Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
 Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
      Name: i16
      Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
 Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
      Name: i8
      Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
 Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46 
2 7 12 17 22 27 32 37 42 47 
3 8 13 18 23 28 33 38 43 48 
4 9 14 19 24 29 34 39 44 49 
5 10 15 20 25 30 35 40 45 50 
}
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
      Name: c
      Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
 Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
-E- ossfuzz: InflateData: inflate returned data error
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
      Name: sp_diag
      Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
 Data Type: IEEE 754 double-precision
{
    (1,1)  3.03865e-319
    (1,2)  3.16202e-322
=================================================================
==7571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007598 at pc 0x5dcdd60ed578 bp 0x7fffca418920 sp 0x7fffca418918
READ of size 4 at 0x602000007598 thread T0
    #0 0x5dcdd60ed577 in Mat_VarPrint /fuzz/matio/matio/src/mat.c:2462:69
    #1 0x5dcdd60d6bd9 in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:48:9
    #2 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
    #3 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7
    #4 0x5dcdd60d79ec in LLVMFuzzerRunDriver /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:377:12
    #5 0x5dcdd60167e6 in main /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:312:10
    #6 0x7f8a86498d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f8a86498e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5dcdd6016854 in _start (/fuzz/fuzzers/matio_fuzzer+0x44c854) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)

0x602000007599 is located 0 bytes to the right of 9-byte region [0x602000007590,0x602000007599)
allocated by thread T0 here:
    #0 0x5dcdd6099888 in __interceptor_calloc (/fuzz/fuzzers/matio_fuzzer+0x4cf888) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)
    #1 0x5dcdd6111f45 in ReadSparse /fuzz/matio/matio/src/mat5.c:528:26
    #2 0x5dcdd610be59 in Mat_VarRead5 /fuzz/matio/matio/src/mat5.c:3391:26
    #3 0x5dcdd60d6baa in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:43:9
    #4 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
    #5 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint
==7571==ABORTING

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Summary changed:

- heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint
+ heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2095070

Title:
  heap-buffer-overflow on matio-1.5.28/src/mat.c:2462:69 in Mat_VarPrint
