Multiple heap out-of-bounds reads in ne.c

[m4drat]

Hi! We've been fuzzing your project and found the following errors in librz/bin/format/ne/ne.c

Work environment

OS: Ubuntu 20.04
File format: -
rizin version: 4b38597

Bug description

1. Heap out-of-bounds read of size 1 in ne.c:432:18, Crash file: crash-e9f3e4a94499c6730196fbf356896c5811edad4b.zip

2. Heap out-of-bounds read of size 2 in ne.c:434:19, Crash file: crash-5d9928f9030dab40fd42c604c140ac3b76dc2fb8.zip

3. Heap out-of-bounds read of size 2 in ne.c:439:59, Crash file: crash-sydr_afl_s13-id_009903_time_0_execs_0_orig_id_010279_sync_afl_main-worker_src_010857_out_of_bounds_0.zip

4. Heap out-of-bounds read of size 2 in ne.c:446:91, Crash file: crash-9074584bd1bcaabeced6d7060c96538c5017f400.zip

Steps to reproduce

1. Build docker container from https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/rizin: sudo docker build -t oss-sydr-fuzz-rizin .

2. Run docker container: sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-rizin /bin/bash

3. Execute rizin with crashing input: /rizin-fuzzing/libfuzzer-asan/bin/rizin -qq crash-e9f3e4a94499c6730196fbf356896c5811edad4b

4. You will see the following output:

   =================================================================
   ==2549429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ae8c3 at pc 0x000000c86e85 bp 0x7fff038cb090 sp 0x7fff038cb088
   READ of size 1 at 0x6020001ae8c3 thread T0
       #0 0xc86e84 in rz_bin_ne_get_entrypoints /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/ne/ne.c:441:18
       #1 0xae779d in rz_bin_object_set_items /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:428:16
       #2 0xae706b in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:319:2
       #3 0xad7d31 in rz_bin_file_new_from_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:150:19
       #4 0xadf3c7 in rz_bin_open_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:272:8
       #5 0xadec27 in rz_bin_open_io /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:330:18
       #6 0x1003353 in core_file_do_load_for_io_plugin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:727:23
       #7 0x1003353 in rz_core_bin_load /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/cfile.c:974:4
       #8 0x5b9af8 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1119:14
       #9 0x7f4b9643a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
       #10 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)
   
   0x6020001ae8c3 is located 3 bytes to the right of 16-byte region [0x6020001ae8b0,0x6020001ae8c0)
   allocated by thread T0 here:
       #0 0x498e12 in calloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498e12)
       #1 0xc8a9bc in rz_bin_ne_buf_init /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/ne/ne.c:709:21
       #2 0xc8becc in rz_bin_ne_new_buf /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/ne/ne.c:737:7
   
   SUMMARY: AddressSanitizer: heap-buffer-overflow /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/format/ne/ne.c:441:18 in rz_bin_ne_get_entrypoints
   Shadow bytes around the buggy address:
   0x0c048002dcc0: fa fa 06 fa fa fa fd fd fa fa fd fd fa fa fd fd
   0x0c048002dcd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
   0x0c048002dce0: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
   0x0c048002dcf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
   0x0c048002dd00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
   =>0x0c048002dd10: fa fa 00 00 fa fa 00 00[fa]fa 07 fa fa fa 05 fa
   0x0c048002dd20: fa fa 04 fa fa fa 00 fa fa fa 00 00 fa fa 00 03
   0x0c048002dd30: fa fa 00 00 fa fa 06 fa fa fa 00 00 fa fa 07 fa
   0x0c048002dd40: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 01
   0x0c048002dd50: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
   0x0c048002dd60: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
   Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
   Shadow gap:              cc
   ==2549429==ABORTING
   

5. The remaining crashes are similar