Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=750
The following crash due to a static memory out-of-bounds write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==28209==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fde2f36bfc4 at pc 0x7fde25b1332c bp 0x7fffe48bc670 sp 0x7fffe48bc668
WRITE of size 4 at 0x7fde2f36bfc4 thread T0
#0 0x7fde25b1332b in dissect_ber_integer epan/dissectors/packet-ber.c:2001:16
#1 0x7fde27f46621 in dissect_kerberos_ADDR_TYPE epan/dissectors/../../asn1/kerberos/kerberos.cnf:351:12
#2 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17
#3 0x7fde27f4656f in dissect_kerberos_HostAddress epan/dissectors/../../asn1/kerberos/kerberos.cnf:233:12
#4 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17
#5 0x7fde27f4badf in dissect_kerberos_EncKrbPrivPart epan/dissectors/../../asn1/kerberos/kerberos.cnf:407:12
#6 0x7fde25b040f7 in dissect_ber_tagged_type epan/dissectors/packet-ber.c:695:18
#7 0x7fde27f42384 in dissect_kerberos_ENC_KRB_PRIV_PART epan/dissectors/../../asn1/kerberos/kerberos.cnf:417:12
#8 0x7fde25b1f100 in dissect_ber_choice epan/dissectors/packet-ber.c:2917:21
#9 0x7fde27f4139a in dissect_kerberos_Applications epan/dissectors/../../asn1/kerberos/kerberos.cnf:185:12
#10 0x7fde27f3f7b2 in dissect_kerberos_common epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2103:10
#11 0x7fde27f3e22f in dissect_kerberos_main epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2134:10
#12 0x7fde26f3c34f in dissect_pktc_mtafqdn epan/dissectors/packet-pktc.c:566:15
#13 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
#14 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
#15 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
#16 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9
#17 0x7fde277709e5 in decode_udp_ports epan/dissectors/packet-udp.c:583:7
#18 0x7fde2777fa80 in dissect epan/dissectors/packet-udp.c:1081:5
#19 0x7fde27773840 in dissect_udplite epan/dissectors/packet-udp.c:1094:3
#20 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
#21 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
#22 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
#23 0x7fde267660bb in ip_try_dissect epan/dissectors/packet-ip.c:1978:7
#24 0x7fde26770de8 in dissect_ip_v4 epan/dissectors/packet-ip.c:2472:10
#25 0x7fde26766819 in dissect_ip epan/dissectors/packet-ip.c:2495:5
#26 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
#27 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
#28 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
#29 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9
#30 0x7fde26f6e380 in dissect_ppp_common epan/dissectors/packet-ppp.c:4344:10
#31 0x7fde26f6db3c in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5337:5
#32 0x7fde26f65df5 in dissect_ppp_hdlc epan/dissectors/packet-ppp.c:5378:5
#33 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
#34 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
#35 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
#36 0x7fde2634fe55 in dissect_frame epan/dissectors/packet-frame.c:493:11
#37 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
#38 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
#39 0x7fde25610a7e in call_dissector_only epan/packet.c:2674:8
#40 0x7fde2560243f in call_dissector_with_data epan/packet.c:2687:8
#41 0x7fde25601814 in dissect_record epan/packet.c:509:3
#42 0x7fde255b4bb9 in epan_dissect_run_with_taps epan/epan.c:376:2
#43 0x52f11b in process_packet tshark.c:3748:5
#44 0x52840c in load_cap_file tshark.c:3504:11
#45 0x51e71c in main tshark.c:2213:13
0x7fde2f36bfc4 is located 4 bytes to the right of global variable 'cb' defined in 'packet-pktc.c:539:27' (0x7fde2f36bfa0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow epan/dissectors/packet-ber.c:2001:16 in dissect_ber_integer
Shadow bytes around the buggy address:
0x0ffc45e657a0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0ffc45e657b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0ffc45e657c0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffc45e657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc45e657e0: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
=>0x0ffc45e657f0: f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9 00 00 00 00
0x0ffc45e65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc45e65810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc45e65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc45e65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc45e65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28209==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12206. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39604.zip