
Invalid-allocation-size bug in function store_versioninfo_gnu_verdef() #23277

@skorpion98

Description

Describe the bug

We found an invalid-allocation-size bug after testing one of the harnesses provided on the OSS-Fuzz repository (ia_fuzz).
More specifically, function store_versioninfo_gnu_verdef() invokes the calloc() function with a huge requested size of 0x64000022000000 with the provided input.

Elf_(Verdef) *defs = calloc (shdr->sh_size, 1);

To Reproduce

In the attached archive you will find:

  • the input file that caused the bug
  • the output of ASan confirming our finding

Unfortunately, we could not share the binary we used for testing in the zip archive, as its size is greater than the maximum size allowed for attachments on this report. We ran our tests on the fuzzing harness you made available for OSS-Fuzz using Ubuntu 20.04, providing AFL++ as the fuzzing engine and the build flag --sanitizer=address.

To reproduce the errors, simply run the fuzzing harness on the provided testcase files with a command like ./ia_fuzz /path_to_testcases/input.

The commit hash used to perform the tests is 2e2f7aa.

Environment

  • OS: Linux
  • Version/Distribution: Ubuntu 20.04
  • Architecture: x86_64
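The root cause reported above is an allocation sized directly from an attacker-controlled ELF section header field (sh_size). The following added example, which is not radare2's code, shows the kind of bounds check a parser should apply before the calloc(): the section's [sh_offset, sh_offset + sh_size) range must lie inside the file, with the addition checked for wraparound. The shdr_t struct and the helper names are hypothetical stand-ins for the real Elf_(Shdr) fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for the ELF64 section-header fields that matter here. */
typedef struct {
    uint64_t sh_offset;
    uint64_t sh_size;
} shdr_t;

/* Nonzero if [sh_offset, sh_offset + sh_size) lies inside a file of file_size bytes.
 * Written as subtractions so a crafted offset cannot wrap the addition around. */
int shdr_in_bounds(const shdr_t *shdr, size_t file_size) {
    if (shdr->sh_size > file_size) return 0;
    if (shdr->sh_offset > file_size - shdr->sh_size) return 0;
    return 1;
}

/* Allocate a buffer for the section only when the header passes the check.
 * Returns NULL (and sets *out_len to 0) for a rejected header or a calloc failure.
 * Because sh_size <= file_size <= SIZE_MAX here, the cast to size_t cannot truncate. */
void *alloc_section(const shdr_t *shdr, size_t file_size, size_t *out_len) {
    *out_len = 0;
    if (!shdr_in_bounds(shdr, file_size)) return NULL;
    void *buf = calloc((size_t)shdr->sh_size, 1);
    if (buf) *out_len = (size_t)shdr->sh_size;
    return buf;
}

int main(void) {
    /* Constructed headers: the first mirrors the reported 0x64000022000000 size
     * coming from a file that is only 4096 bytes long. */
    shdr_t crafted = { .sh_offset = 0x40, .sh_size = 0x64000022000000ULL };
    shdr_t sane    = { .sh_offset = 0x40, .sh_size = 0x100 };
    size_t len;
    void *p = alloc_section(&crafted, 4096, &len);
    printf("crafted header: %s\n", p ? "allocated" : "rejected");
    free(p);
    p = alloc_section(&sane, 4096, &len);
    printf("sane header: %s (%zu bytes)\n", p ? "allocated" : "rejected", len);
    free(p);
    return 0;
}
```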
