** Description changed:

- heap-buffer-overflow on matio-1.5.28/src/mat.c:2462 Mat_VarPrint when we
- run ./fuzzers/matio_fuzzer ./crashes/poc.
- 
- root@6:/fuzz# ./fuzzers/matio_fuzzer crashes/crash-104
- Reading 5045 bytes from crashes/crash-104
- -E- ossfuzz: InflateData: inflate returned data error
- Name: sp_diag
- Rank: 2
- Dimensions: 10 x 10
- Class Type: Sparse Array
- Data Type: IEEE 754 double-precision
- Name: sp_diag
- Rank: 2
- Dimensions: 10 x 10
- Class Type: Sparse Array
- Data Type: IEEE 754 double-precision
- {
- (1,1) 3.03865e-319
- (1,2) 3.16202e-322
- =================================================================
- ==7571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007598 at pc 0x5dcdd60ed578 bp 0x7fffca418920 sp 0x7fffca418918
- READ of size 4 at 0x602000007598 thread T0
-     #0 0x5dcdd60ed577 in Mat_VarPrint /fuzz/matio/matio/src/mat.c:2462:69
-     #1 0x5dcdd60d6bd9 in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:48:9
-     #2 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
-     #3 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7
-     #4 0x5dcdd60d79ec in LLVMFuzzerRunDriver /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:377:12
-     #5 0x5dcdd60167e6 in main /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:312:10
-     #6 0x7f8a86498d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
-     #7 0x7f8a86498e3f in __libc_start_main csu/../csu/libc-start.c:392:3
-     #8 0x5dcdd6016854 in _start (/fuzz/fuzzers/matio_fuzzer+0x44c854) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)
- 
- 0x602000007599 is located 0 bytes to the right of 9-byte region [0x602000007590,0x602000007599)
- allocated by thread T0 here:
-     #0 0x5dcdd6099888 in __interceptor_calloc (/fuzz/fuzzers/matio_fuzzer+0x4cf888) (BuildId: 47398e734cfc645e953c20da47ea4b4044050bf5)
-     #1 0x5dcdd6111f45 in ReadSparse /fuzz/matio/matio/src/mat5.c:528:26
-     #2 0x5dcdd610be59 in Mat_VarRead5 /fuzz/matio/matio/src/mat5.c:3391:26
-     #3 0x5dcdd60d6baa in MatioRead(char const*) /fuzz/matio/matio/ossfuzz/./matio_wrap.h:43:9
-     #4 0x5dcdd60d6ee0 in LLVMFuzzerTestOneInput /fuzz/matio/matio/ossfuzz/./matio_fuzzer.cpp:30:12
-     #5 0x5dcdd60d7571 in ExecuteFilesOnyByOne /fuzz/tools/afl-build/utils/aflpp_driver/aflpp_driver.c:256:7
- 
- SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/matio/matio/src/mat.c:2462:69 in Mat_VarPrint
- ==7571==ABORTING
+ tset
** Summary changed:

- heap-buffer-overflow on matio-1.5.28/src/mat.c:2462:69 in Mat_VarPrint
+ test

** Attachment removed: "crash-104"
   https://bugs.launchpad.net/ubuntu/+bug/2095070/+attachment/5852015/+files/crash-104

https://bugs.launchpad.net/bugs/2095070

Title:
  test