[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#16171: ptx: heap buffer overrun, when run with two file arguments
From: |
Pádraig Brady |
Subject: |
bug#16171: ptx: heap buffer overrun, when run with two file arguments |
Date: |
Mon, 28 Apr 2014 14:52:23 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2 |
On 12/17/2013 10:29 AM, Pádraig Brady wrote:
> On 12/17/2013 02:22 AM, Jim Meyering wrote:
>> Hi,
>>
>> I built like this using just-built 4.9.0 20131216
>> (but it probably would work as well with 4.8.x):
>>
>> make check AM_CFLAGS='-ggdb3 -static-libasan -fsanitize=address'
>> AM_LDFLAGS='-fsanitize=address -static-libasan -lpthread -ldl'
>>
>> and then I ran this,
>>
>> echo a > a && echo b > b &&
>> ./ptx -g1 -w1 a b 2>&1 | asan_symbolize.py -d
>>
>> and include its output below.
>> That output shows a heap-read overrun bug that arises
>> because ptx was designed to process only one input file, yet
>> was later extended to process more than, but without some
>> important adjustments.
>>
>> The underlying problem is that swallow_file_in_memory (called from main)
>> is setting the contents of the global text_buffer for the first file,
>> then updating it (clobbering old value) for the second file.
>> Yet, some pointers to the initial buffer have been squirreled away
>> and later, one of them (keyafter) is presumed to point into
>> the new "text_buffer", which it does not. The subsequent
>> SKIP_WHITE_BACKWARDS use backs up "cursor" until it is goes
>> out of bounds.
>
> Nice. This is a good illustration how test coverage
> can be leveraged by (future) run time checks.
>
> I see it here too (as the only failure in make check with -fsanitize=address
The attached should address this.
I'll push later.
thanks,
Pádraig.
ptx-whitespace-heap-overflow.patch
Description: Text Data
- bug#16171: ptx: heap buffer overrun, when run with two file arguments,
Pádraig Brady <=