Public bug reported: heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint when we run ./fuzzers/matio_fuzzer ./crashes/poc.
root@6:/fuzz# ./fuzzers/matio_fuzzer crashes/crash-104
Reading 5045 bytes from crashes/crash-104
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
}
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 2 3 4
}
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,1) 3.16202e-322
(3,1) 1.04347e-320
(4,1) 2.05531e-320
(5,1) 2.56124e-320
(1,3) 4.83789e-320
(2,3) 5.09085e-320
(3,3) 5.34381e-320
(4,3) 5.59678e-320
(5,3) 5.84974e-320
(1,5) 6.7351e-320
(2,5) 6.86158e-320
(3,5) 6.98806e-320
(4,5) 7.11455e-320
(5,5) 7.24103e-320
(1,7) 7.99991e-320
(2,7) 8.12639e-320
(3,7) 4.15265e-317
(4,7) 8.25287e-320
(5,7) 4.15278e-317
(1,9) 4.15316e-317
(2,9) 8.7588e-320
(3,9) 4.15328e-317
(4,9) 8.88528e-320
(5,9) 4.15341e-317
}
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,2) 3.16202e-322
(3,3) 1.04347e-320
(4,4) 2.05531e-320
(5,5) 2.56124e-320
(6,6) 3.06716e-320
(7,7) 3.57308e-320
(8,8) 4.07901e-320
(9,9) 4.33197e-320
(10,10) 4.58493e-320
}
}
Name: struct_nested
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[2] {
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
}
}
Name: struct_nested
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[2] {
Name: easy
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[6] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
}
Name: easy_with_sparse_and_tag
Rank: 2
Dimensions: 1 x 1
Class Type: Structure
Data Type: Structure
Fields[14] {
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
Name: d_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 2 3 4
}
Name: s_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8_in_tag
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c_in_tag
Rank: 2
Dimensions: 1 x 4
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
1234
}
Name: sp
Rank: 2
Dimensions: 5 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,1) 3.16202e-322
(3,1) 1.04347e-320
(4,1) 2.05531e-320
(5,1) 2.56124e-320
(1,3) 4.83789e-320
(2,3) 5.09085e-320
(3,3) 5.34381e-320
(4,3) 5.59678e-320
(5,3) 5.84974e-320
(1,5) 6.7351e-320
(2,5) 6.86158e-320
(3,5) 6.98806e-320
(4,5) 7.11455e-320
(5,5) 7.24103e-320
(1,7) 7.99991e-320
(2,7) 8.12639e-320
(3,7) 4.15265e-317
(4,7) 8.25287e-320
(5,7) 4.15278e-317
(1,9) 4.15316e-317
(2,9) 8.7588e-320
(3,9) 4.15328e-317
(4,9) 8.88528e-320
(5,9) 4.15341e-317
}
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(2,2) 3.16202e-322
(3,3) 1.04347e-320
(4,4) 2.05531e-320
(5,5) 2.56124e-320
(6,6) 3.06716e-320
(7,7) 3.57308e-320
(8,8) 4.07901e-320
(9,9) 4.33197e-320
(10,10) 4.58493e-320
}
}
}
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
Name: d
Rank: 2
Dimensions: 5 x 10
Class Type: Double Precision Array
Data Type: IEEE 754 double-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
Name: s
Rank: 2
Dimensions: 5 x 10
Class Type: Single Precision Array
Data Type: IEEE 754 single-precision
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
Name: i32
Rank: 2
Dimensions: 5 x 10
Class Type: 32-bit, signed integer array
Data Type: 32-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
Name: i16
Rank: 2
Dimensions: 5 x 10
Class Type: 16-bit, signed integer array
Data Type: 16-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
Name: i8
Rank: 2
Dimensions: 5 x 10
Class Type: 8-bit, signed integer array
Data Type: 8-bit, signed integer
{
1 6 11 16 21 26 31 36 41 46
2 7 12 17 22 27 32 37 42 47
3 8 13 18 23 28 33 38 43 48
4 9 14 19 24 29 34 39 44 49
5 10 15 20 25 30 35 40 45 50
}
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
Name: c
Rank: 2
Dimensions: 2 x 11
Class Type: Character Array
Data Type: Unicode UTF-8 Encoded Character Data
{
char array1
char array2
}
-E- ossfuzz: InflateData: inflate returned data error
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
Name: sp_diag
Rank: 2
Dimensions: 10 x 10
Class Type: Sparse Array
Data Type: IEEE 754 double-precision
{
(1,1) 3.03865e-319
(1,2) 3.16202e-322
=================================================================
==7571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007598 at pc 0x5dcdd60ed578 bp 0x7fffca418920 sp 0x7fffca418918
READ of size 4 at 0x602000007598 thread T0
    #0 0x5dcdd60ed577 in Mat_VarPrint /fuzz/matio/matio/src/mat.c:2462:69
    #1 0x5dcdd60d6bd9 in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:48:9
    #2 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
    #3 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7
    #4 0x5dcdd60d79ec in LLVMFuzzerRunDriver /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:377:12
    #5 0x5dcdd60167e6 in main /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:312:10
    #6 0x7f8a86498d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f8a86498e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x5dcdd6016854 in _start (/fuzz/fuzzers/matio_fuzzer+0x44c854) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)

0x602000007599 is located 0 bytes to the right of 9-byte region [0x602000007590,0x602000007599)
allocated by thread T0 here:
    #0 0x5dcdd6099888 in __interceptor_calloc (/fuzz/fuzzers/matio_fuzzer+0x4cf888) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)
    #1 0x5dcdd6111f45 in ReadSparse /fuzz/matio/matio/src/mat5.c:528:26
    #2 0x5dcdd610be59 in Mat_VarRead5 /fuzz/matio/matio/src/mat5.c:3391:26
    #3 0x5dcdd60d6baa in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:43:9
    #4 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
    #5 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint
Shadow bytes around the buggy address:
  0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8e80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8e90: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8ea0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00
=>0x0c047fff8eb0: fa fa 00[01]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7571==ABORTING

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Summary changed:

- heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint
+ heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint

https://bugs.launchpad.net/bugs/2095070

Title:
  heap-buffer-overflow on matio-1.5.28/src/mat.c:2462:69 in Mat_VarPrint