[2019-09-17] - Found with Honggfuzz - CVE-2019-16395

Stack-based buffer overflow in the cb_name() function, in cobc/tree.c.

Issue can be reproduced by running:

```
cobc test05.cob
```

AddressSanitizer output:

```
=================================================================
==30185==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6f8a6040 at pc 0x0000004432fe bp 0x7ffc6f8a5230 sp 0x7ffc6f8a49b8
WRITE of size 8194 at 0x7ffc6f8a6040 thread T0
attempt to reference unallocated memory (signal SIGSEGV)
cobc: aborting compile of issue05.cob at line 50 (PROGRAM-ID: tutorial)
cobc: Please report this!
```

Valgrind output:

```
==10264== Memcheck, a memory error detector
==10264== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10264== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10264== Command: cobc issue05.cob
==10264==
issue05.cob:51: error: continuation character expected
issue05.cob:224: error: invalid indicator 'f' at column 7
issue05.cob:248: warning: line not terminated by a newline
issue05.cob:45: error: PROCEDURE DIVISION header missing
issue05.cob: in section 'set-keydefinitions':
issue05.cob:50: error: invalid literal: 'vove length of ex-keydef to key2len...'
issue05.cob:50: error: literal length exceeds 8191 characters
*** stack smashing detected ***: terminated
==10264==
==10264== Process terminating with default action of signal 6 (SIGABRT)
==10264==    at 0x491BED7: raise (raise.c:51)
==10264==    by 0x48FD534: abort (abort.c:79)
==10264==    by 0x4964725: __libc_message (libc_fatal.c:181)
==10264==    by 0x4A07260: __fortify_fail_abort (fortify_fail.c:33)
==10264==    by 0x4A07221: __stack_chk_fail (stack_chk_fail.c:29)
==10264==    by 0x174B55: cb_name (tree.c:1170)
==10264==    by 0x6C617620326C6F61: ???
==10264==    by 0x37200A2E33206574: ???
==10264==    by 0x662D2D6463662037: ???
==10264==    by 0x64692D74616D726E: ???
==10264==    by 0x65756C6176203477: ???
==10264==    by 0x203837200A2E341F: ???
==10264==
==10264== HEAP SUMMARY:
==10264==     in use at exit: 538,364 bytes in 4,182 blocks
==10264==   total heap usage: 6,646 allocs, 2,464 frees, 973,995 bytes allocated
==10264==
==10264== LEAK SUMMARY:
==10264==    definitely lost: 0 bytes in 0 blocks
==10264==    indirectly lost: 0 bytes in 0 blocks
==10264==      possibly lost: 0 bytes in 0 blocks
==10264==    still reachable: 538,364 bytes in 4,182 blocks
==10264==         suppressed: 0 bytes in 0 blocks
==10264== Rerun with --leak-check=full to see details of leaked memory
==10264==
==10264== For counts of detected and suppressed errors, rerun with: -v
==10264== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
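The reports above show the usual shape of this bug class: a literal longer than the 8191-character limit the compiler itself diagnoses is still copied (an 8194-byte write) into a fixed-size stack buffer, and the stack protector catches the corrupted canary on return. The added C example below is not GnuCOBOL's cb_name() and does not reproduce its internals; the buffer size, function names and the constructed all-'a' literal are assumptions chosen to mirror the numbers in the report. It contrasts an unbounded copy with a length-checked one that rejects over-long input instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size: room for an 8191-character literal plus
 * the terminating NUL. Not taken from cobc/tree.c. */
#define NAME_BUF_SIZE 8192

/* Unbounded pattern: copies whatever the caller hands over, no matter
 * how long. Given an 8194-byte literal and an 8192-byte stack buffer
 * this is exactly the kind of write AddressSanitizer reports above.
 * It is only ever called here with input that fits. */
static size_t copy_name_unbounded(char *buf, const char *src)
{
    strcpy(buf, src);
    return strlen(buf);
}

/* Bounded pattern: check the length against the destination first and
 * refuse (return -1) rather than truncating silently, so the over-long
 * literal surfaces as a diagnostic instead of a corrupted frame. */
static int copy_name_bounded(char *buf, size_t bufsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= bufsize) {
        buf[0] = '\0';          /* leave the buffer in a defined state */
        return -1;
    }
    memcpy(buf, src, n + 1);    /* n + 1 includes the NUL, known to fit */
    return 0;
}

/* Constructs a literal of literal_len bytes (all 'a', a constructed
 * sample) and runs the bounded copy into a NAME_BUF_SIZE stack buffer.
 * Returns 0 if accepted, -1 if rejected, -2 if the sample itself is
 * too large to build. */
int format_literal_checked(size_t literal_len)
{
    char buf[NAME_BUF_SIZE];
    static char literal[16384];
    if (literal_len >= sizeof literal)
        return -2;
    memset(literal, 'a', literal_len);
    literal[literal_len] = '\0';
    return copy_name_bounded(buf, sizeof buf, literal);
}

/* Exercises the unbounded copy with a short constructed name that fits,
 * returning the number of bytes copied. */
size_t demo_short_name(void)
{
    char buf[NAME_BUF_SIZE];
    return copy_name_unbounded(buf, "tutorial");
}

int main(void)
{
    printf("short name copied, length %zu\n", demo_short_name());
    printf("8191-char literal: %s\n",
           format_literal_checked(8191) == 0 ? "accepted" : "rejected");
    printf("8194-char literal: %s\n",
           format_literal_checked(8194) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Building with `-fstack-protector-strong` (as in the Valgrind trace, where `__stack_chk_fail` fired) and running under AddressSanitizer are detection aids; the actual fix is the explicit length check before the copy.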