bug-coreutils

bug#25011: Bugs in PTX Utility


From: Pádraig Brady
Subject: bug#25011: Bugs in PTX Utility
Date: Thu, 24 Nov 2016 15:04:46 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 24/11/16 08:57, Marcel Böhme wrote:
> Dear all,
> 
> The following produces a crash for the version in trunk and preinstalled 
> version 8.21 on Ubuntu 14.04 x86_64.
> Below is also heap-buffer-overflow that doesn’t actually crash but is flagged 
> by ASAN as an invalid read of size 1.
> 
> Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan 
> Pham.
> 
> 
> $ ptx ptx ptx > /dev/null
> Segmentation fault
> 
> ASAN says:
> ==47034==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
> READ of size 1 at 0x7f2b49433093 thread T0
>     #0 0x407b8a in define_all_fields ../src/ptx.c:1432
>     #1 0x407b8a in generate_all_output ../src/ptx.c:1778
>     #2 0x407b8a in main ../src/ptx.c:2153
>     #3 0x7f2b4db9af44 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379  (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
> 
> 0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region 
> [0x7f2b49430800,0x7f2b49c307e0)
> freed by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
> 
> previously allocated by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in 
> define_all_fields
> 
> 
> This is the other one:
> $ echo a > ~/a
> $ ptx -w1 -A ~/a
> =================================================================
> ==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
> READ of size 1 at 0x60200000e818 thread T0
>     #0 0x4085cc in define_all_fields ../src/ptx.c:1411
>     #1 0x4085cc in generate_all_output ../src/ptx.c:1778
>     #2 0x4085cc in main ../src/ptx.c:2153
>     #3 0x7f9ef7044f44 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379  (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
> 
> 0x60200000e818 is located 5 bytes to the right of 3-byte region 
> [0x60200000e810,0x60200000e813)
> allocated by thread T0 here:
>     #0 0x7f9ef81c13a8 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>     #1 0x4121ed in fread_file ../lib/read-file.c:73
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in 
> define_all_fields

Right, line_width can go negative.
I'll clean up something like this and push.

thanks!

diff --git a/src/ptx.c b/src/ptx.c
index c3b60df..d189678 100644
--- a/src/ptx.c
+++ b/src/ptx.c
@@ -1235,6 +1235,8 @@ fix_output_parameters (void)

   if ((auto_reference || input_reference) && !right_reference)
     line_width -= reference_max_width + gap_size;
+  if (line_width < 0)
+    line_width = 0;

   /* The output lines, minimally, will contain from left to right a left
      context, a gap, and a keyword followed by the right context with no
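Review bot: the clamp `if (line_width < 0) line_width = 0;` sits directly after the left-reference subtraction, so it covers the `ptx -w1 -A` case in the report where `reference_max_width + gap_size` exceeds a tiny `-w`, but it deserves a one-line comment stating that intent, since a bare clamp with no rationale is easy to move or drop in a later refactor. It is also worth confirming that the width computations following this point in `fix_output_parameters` (the comment below describes how the output line is split into left context, gap, keyword and right context) behave sensibly when `line_width` is exactly 0, not merely non-negative, because the reported reads in `define_all_fields` (ptx.c:1411 and :1432) are downstream of those derived widths. A regression test that runs `ptx -w1 -A` on a one-line file would pin the fix in place.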
