Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740 The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): --- cut --- ==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0 READ of size 16385 at 0x61b00001335c thread T0 #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65) #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32 #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21 #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13 #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21 #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9 #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10 #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8 #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9 #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9 #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11 #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8 #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9 #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8 #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8 #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3 #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2 #18 0x52eebb in process_packet wireshark/tshark.c:3748:5 #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11 #20 0x51e4bc in main wireshark/tshark.c:2213:13 0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c) allocated by thread T0 here: #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610) #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2 #3 0x5244dd in cf_open wireshark/tshark.c:4215:9 #4 0x51decd in main wireshark/tshark.c:2204:9 SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy Shadow bytes around the buggy address: 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==8910==ABORTING --- cut --- The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39812.zip