[2019-07-29] - Found with American Fuzzy Lop - CVE-2019-14497

Heap-based buffer overflow in ModuleEditor::convertInstrument(), in ModuleEditor.cpp. The AddressSanitizer report below classifies the bug as a heap-buffer-overflow: the out-of-bounds write lands exactly at the end of a 48960-byte region allocated with operator new[] in the ModuleEditor constructor, so the index written equals the table's capacity.

Issue can be reproduced by running:

```
milkytracker test01.xm
```

```
=================================================================
==5552==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00001a340 at pc 0x0000005ad03a bp 0x7fff381b4270 sp 0x7fff381b4268
WRITE of size 8 at 0x62f00001a340 thread T0
    #0 0x5ad039 in ModuleEditor::convertInstrument(int) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:250:28
    #1 0x5b15e6 in ModuleEditor::buildInstrumentTable() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:520:3
    #2 0x5b33bc in ModuleEditor::openSong(char const*, char const*) /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:739:3
    #3 0x7a7226 in Tracker::loadTypeFromFile(FileTypes, PPString const&, bool, bool, bool) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2694:43
    #4 0x79f10f in Tracker::loadGenericFileType(PPString const&) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:2570:11
    #5 0x7978f8 in Tracker::handleEvent(PPObject*, PPEvent*) /home/fcambus/milkytracker/src/tracker/Tracker.cpp:533:3
    #6 0xa8fdc3 in PPScreen::raiseEvent(PPEvent*) /home/fcambus/milkytracker/src/ppui/Screen.cpp:97:17
    #7 0x815967 in RaiseEventSerialized(PPEvent*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:150:20
    #8 0x81be7b in SendFile(char*) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:872:2
    #9 0x81c91a in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:974:3
    #10 0x7fd445015b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16
    #11 0x47b5f9 in _start (/home/fcambus/milkytracker/milkytracker+0x47b5f9)

0x62f00001a340 is located 0 bytes to the right of 48960-byte region [0x62f00000e400,0x62f00001a340)
allocated by thread T0 here:
    #0 0x556652 in operator new[](unsigned long) (/home/fcambus/milkytracker/milkytracker+0x556652)
    #1 0x5a9f92 in ModuleEditor::ModuleEditor() /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:119:16
    #2 0x78b706 in TabManager::createModuleEditor() /home/fcambus/milkytracker/src/tracker/TabManager.cpp:81:35
    #3 0x7944f3 in Tracker::Tracker() /home/fcambus/milkytracker/src/tracker/Tracker.cpp:160:29
    #4 0x81aaa3 in initTracker(unsigned int, PPDisplayDevice::Orientations, bool, bool) /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:805:18
    #5 0x81c8a7 in main /home/fcambus/milkytracker/src/tracker/sdl/SDL_Main.cpp:960:2
    #6 0x7fd445015b6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/milkytracker/src/tracker/ModuleEditor.cpp:250:28 in ModuleEditor::convertInstrument(int)
Shadow bytes around the buggy address:
  0x0c5e7fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5e7fffb460: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c5e7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5552==ABORTING
```
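The report above shows an 8-byte WRITE landing 0 bytes past a 48960-byte region that ModuleEditor::ModuleEditor() allocated with new[], reached through buildInstrumentTable() -> convertInstrument(int). That is the signature of an index equal to the table's capacity: the instrument count comes from the module file and the per-instrument write does not check it against the table. The block below is an added illustration of that shape and its fix; it is not MilkyTracker's code. The capacity kMaxInstruments, the EditorInstrument layout, the function names and the sample header are assumptions for the example, and the instrument-count offset (16-bit little-endian at byte 72) is taken from the public XM format description rather than from this page.

```cpp
// Added illustration of the crash pattern in the trace above; not MilkyTracker code.
// Capacity, record layout and function names are assumptions for the example.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

const size_t kMaxInstruments = 8;   // assumed table capacity (the real constant is not on the page)

struct EditorInstrument {
    char name[22];
    uint16_t numSamples;
    uint64_t flags;                 // an 8-byte field, like the 8-byte WRITE in the trace
};

struct ModuleHeader {
    uint16_t numInstruments;        // attacker-controlled: read verbatim from the file
};

// Reads the instrument count from an XM header: 16-bit little-endian at offset 72
// (offset per the public XM format description; assumed for this example).
bool parseXmHeader(const std::vector<uint8_t>& file, ModuleHeader& out) {
    if (file.size() < 80) return false;
    if (std::memcmp(file.data(), "Extended Module: ", 17) != 0) return false;
    out.numInstruments = static_cast<uint16_t>(file[72] | (file[73] << 8));
    return true;
}

class InstrumentTable {
public:
    // Mirrors the trace: a fixed-size table allocated with new[] in the constructor.
    InstrumentTable() : instruments_(new EditorInstrument[kMaxInstruments]()) {}
    ~InstrumentTable() { delete[] instruments_; }
    InstrumentTable(const InstrumentTable&) = delete;
    InstrumentTable& operator=(const InstrumentTable&) = delete;

    // Vulnerable shape: trusts the index. With i == kMaxInstruments the store lands
    // 0 bytes past the region, exactly what ASan reported. Never called in this example.
    void convertInstrumentUnchecked(int i, uint64_t flags) {
        instruments_[i].flags = flags;
    }

    // Hardened: refuse any index outside the table.
    bool convertInstrument(int i, uint64_t flags) {
        if (i < 0 || static_cast<size_t>(i) >= kMaxInstruments) return false;
        instruments_[i].flags = flags;
        return true;
    }

    // Converts up to the file's instrument count, stopping at the table capacity.
    // Returns how many instruments were actually converted.
    size_t buildInstrumentTable(const ModuleHeader& hdr) {
        size_t converted = 0;
        for (int i = 0; i < hdr.numInstruments; ++i) {
            if (!convertInstrument(i, 1)) break;   // count from the file exceeded the table
            ++converted;
        }
        return converted;
    }

private:
    EditorInstrument* instruments_;
};

// Loads a module image: -1 if the header is not a valid XM header, otherwise the
// number of instruments converted (never more than kMaxInstruments).
long loadInstruments(const std::vector<uint8_t>& file) {
    ModuleHeader hdr;
    if (!parseXmHeader(file, hdr)) return -1;
    InstrumentTable table;
    return static_cast<long>(table.buildInstrumentTable(hdr));
}

// Constructed 80-byte XM header claiming `numInstruments` instruments
// (only the fields this example reads are filled in).
std::vector<uint8_t> makeXmHeader(uint16_t numInstruments) {
    std::vector<uint8_t> file(80, 0);
    std::memcpy(file.data(), "Extended Module: ", 17);
    file[37] = 0x1A;
    file[72] = static_cast<uint8_t>(numInstruments & 0xFF);
    file[73] = static_cast<uint8_t>(numInstruments >> 8);
    return file;
}

int main() {
    // A header claiming 300 instruments: the hardened loader converts only kMaxInstruments.
    return loadInstruments(makeXmHeader(300)) == static_cast<long>(kMaxInstruments) ? 0 : 1;
}
```

Whether a loader should clamp the count, as buildInstrumentTable() does here, or reject the file outright is a design choice; what matters is that the loop bound or the per-entry write is checked against the allocation, not against the value the file supplies. The page does not show how MilkyTracker's fix was implemented, so this example makes no claim about it.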