[Bug gas/20941] New: AS crashes when resolving an expression

[LpSolit at netscape dot net]

https://sourceware.org/bugzilla/show_bug.cgi?id=20941

            Bug ID: 20941
           Summary: AS crashes when resolving an expression
           Product: binutils
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gas
          Assignee: unassigned at sourceware dot org
          Reporter: boehme.marcel at gmail dot com
  Target Milestone: ---

Dear all,

The following bug was found with AFLFast, a fork of AFL, in a 24 hour fuzzing
session on Binutils. Thanks also to Van-Thuan Pham.

The assembler crashes with an invalid read of size 8 for the following
execution on Ubuntu 16.04 x86_64 in Binutils trunk and for preinstalled version
v2.26.1 and on Ubuntu 14.04 x86_64 for Binutils in trunk and preinstalled
version v2.24.

$ printf "\n#0\"\"0\x210+\x2e\x2e>\x2e\x2e+\x2e&" > test
$ as test
test: Assembler messages:
test: Warning: end of file not at end of a line; newline inserted
test:2: Warning: missing operand; zero assumed
Segmentation fault

VALGRIND says:
==43098== Invalid read of size 8
==43098==    at 0x45517C: frag_offset_fixed_p (frags.c:420)
==43098==    by 0x4459CF: resolve_expression (expr.c:2195)
==43098==    by 0x446A87: expr (expr.c:2063)
==43098==    by 0x4D79E5: get_absolute_expr (read.c:488)
==43098==    by 0x4D79E5: get_absolute_expression (read.c:504)
==43098==    by 0x4D79E5: get_linefile_number (read.c:1990)
==43098==    by 0x4D79E5: s_app_line (read.c:2045)
==43098==    by 0x4BB6FF: read_a_source_file (read.c:1146)
==43098==    by 0x40D471: perform_an_assembly_pass (as.c:1172)
==43098==    by 0x40D471: main (as.c:1296)
==43098==  Address 0x20 is not stack'd, malloc'd or (recently) free'd

Best regards,
- Marcel

-- 
You are receiving this mail because:
You are on the CC list for the bug.