bug-coreutils

bug#16171: ptx: heap buffer overrun, when run with two file arguments


From: Pádraig Brady
Subject: bug#16171: ptx: heap buffer overrun, when run with two file arguments
Date: Tue, 17 Dec 2013 10:29:28 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 12/17/2013 02:22 AM, Jim Meyering wrote:
> Hi,
> 
> I built like this using just-built 4.9.0 20131216
> (but it probably would work as well with 4.8.x):
> 
>   make check AM_CFLAGS='-ggdb3 -static-libasan -fsanitize=address'
>          AM_LDFLAGS='-fsanitize=address -static-libasan -lpthread -ldl'
> 
> and then I ran this,
> 
>   echo a > a && echo b > b &&
>   ./ptx -g1 -w1 a b 2>&1 | asan_symbolize.py -d
> 
> and include its output below.
> That output shows a heap-read overrun bug that arises
> because ptx was designed to process only one input file, yet
> was later extended to process more than one, but without some
> important adjustments.
> 
> The underlying problem is that swallow_file_in_memory (called from main)
> is setting the contents of the global text_buffer for the first file,
> then updating it (clobbering old value) for the second file.
> Yet, some pointers to the initial buffer have been squirreled away
> and later, one of them (keyafter) is presumed to point into
> the new "text_buffer", which it does not.  The subsequent
> SKIP_WHITE_BACKWARDS use backs up "cursor" until it goes
> out of bounds.

Nice. This is a good illustration of how test coverage
can be leveraged by (future) run time checks.

I see it here too (as the only failure in make check with -fsanitize=address).

$ rpm -q gcc
gcc-4.8.2-1.fc20.x86_64
$ yum install libasan  # http://bugzilla.redhat.com/991003
$ rm src/ptx.o
$ make check AM_CFLAGS='-fsanitize=address' TESTS=tests/misc/ptx.pl SUBDIRS=. VERBOSE=yes
$ failure identified in tests/test-suite.log ...
$ src/ptx -g1 -w1 <(echo a) <(echo b) | asan_symbolize.py -d

thanks!
Pádraig.
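
As an added illustration, not code from coreutils or from either poster, the following constructed C model shows the defensive pattern that removes the stale-pointer hazard Jim describes: references into a buffer that is replaced once per input file are stored as (generation, offset) pairs instead of raw pointers, so a reference taken against the first file's buffer is rejected instead of being dereferenced after the second file has clobbered it, and the backwards whitespace skip is bounded by the buffer start so it cannot walk out of the allocation. The names load_text, text_ref, make_ref, resolve_ref and skip_white_backwards are assumptions for this example, not ptx's own identifiers.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a global text buffer that is reloaded once per
 * input file (a stand-in for ptx's text_buffer, not the real structure). */
struct textbuf {
    char *start;          /* first byte of the current buffer */
    char *end;            /* one past the last byte */
    unsigned generation;  /* bumped on every reload */
};
static struct textbuf text_buffer = { NULL, NULL, 0 };

/* Stand-in for swallow_file_in_memory: replaces the global buffer's
 * contents.  Any raw pointer saved from the previous buffer is now dangling. */
void load_text(const char *contents)
{
    size_t n = strlen(contents);
    char *p = malloc(n + 1);
    if (p == NULL)
        abort();
    memcpy(p, contents, n + 1);
    free(text_buffer.start);
    text_buffer.start = p;
    text_buffer.end = p + n;
    text_buffer.generation++;
}

/* A reference into the buffer that survives reloads: it records which
 * buffer it belongs to and an offset, not an address. */
struct text_ref {
    unsigned generation;
    size_t offset;
};

struct text_ref make_ref(const char *p)
{
    struct text_ref r;
    r.generation = text_buffer.generation;
    r.offset = (size_t)(p - text_buffer.start);
    return r;
}

/* Turns a reference back into a pointer, or NULL if the reference was
 * taken against an earlier buffer or lies past the current end. */
const char *resolve_ref(struct text_ref r)
{
    if (r.generation != text_buffer.generation)
        return NULL;
    if (r.offset > (size_t)(text_buffer.end - text_buffer.start))
        return NULL;
    return text_buffer.start + r.offset;
}

/* Bounded counterpart of SKIP_WHITE_BACKWARDS: steps cursor back over
 * whitespace but never before start, so it cannot read out of bounds. */
const char *skip_white_backwards(const char *start, const char *cursor)
{
    while (cursor > start && isspace((unsigned char)cursor[-1]))
        cursor--;
    return cursor;
}

/* Returns 1 if a reference taken and resolved on the same buffer works. */
int demo_fresh_ref(void)
{
    load_text("a\n");
    struct text_ref keyafter = make_ref(text_buffer.start + 1);
    return resolve_ref(keyafter) == text_buffer.start + 1;
}

/* Reproduces the two-file sequence from the report: a reference saved
 * while the first file is loaded, then used after the second file has
 * replaced the buffer.  Returns 1 if the stale reference is rejected. */
int demo_two_files(void)
{
    load_text("a\n");
    struct text_ref keyafter = make_ref(text_buffer.start + 1);
    load_text("b\n");
    return resolve_ref(keyafter) == NULL;
}

/* Loads contents, skips trailing whitespace backwards from the end and
 * returns the offset where the scan stopped (0 when everything is blank). */
size_t demo_skip(const char *contents)
{
    load_text(contents);
    const char *c = skip_white_backwards(text_buffer.start, text_buffer.end);
    return (size_t)(c - text_buffer.start);
}

int main(void)
{
    printf("fresh reference resolves: %d\n", demo_fresh_ref());
    printf("stale reference rejected: %d\n", demo_two_files());
    printf("scan stops at offset %zu for \"ab  \"\n", demo_skip("ab  "));
    printf("scan stops at offset %zu for all blanks\n", demo_skip("   "));
    return 0;
}
```

Built with -fsanitize=address as in the report, the original raw-pointer design is caught only when the stale pointer happens to land outside a live allocation; the generation check above rejects it deterministically, whether or not the allocator reused the same address for the second file.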
