[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PSPP-BUG: [bug #54685] segfault in extract_numeric_suffix

From: Tianxiao Gu
Subject: PSPP-BUG: [bug #54685] segfault in extract_numeric_suffix
Date: Tue, 18 Sep 2018 19:26:06 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0


                 Summary: segfault in extract_numeric_suffix
                 Project: PSPP
            Submitted by: tianxiaogu
            Submitted on: Tue 18 Sep 2018 11:26:05 PM UTC
                Category: Syntax Parser
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00



We found a crash that can only be reproduced with address sanitizer. We
analyze the code and found that there may be a missing null-check. So we still
report this bug.

1. Build pspp with address sanitizer
2. run `pspp test-case-000020` 

==6383==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc
0x7fa6d915b2ef bp 0x7ffca517ced0 sp 0x7ffca517ce90 T0)
==6383==The signal is caused by a READ memory access.
==6383==Hint: address points to the zero page.
    #0 0x7fa6d915b2ee in extract_numeric_suffix
    #1 0x7fa6d915bb25 in parse_DATA_LIST_vars
    #2 0x7fa6d915c2ee in parse_DATA_LIST_vars_pool
    #3 0x7fa6d923a772 in parse_free src/language/data-io/data-list.c:443
    #4 0x7fa6d923978f in cmd_data_list src/language/data-io/data-list.c:277
    #5 0x7fa6d9141630 in do_parse_command src/language/command.c:233
    #6 0x7fa6d91410d9 in cmd_parse_in_state src/language/command.c:148
    #7 0x7fa6d91411a9 in cmd_parse src/language/command.c:163
    #8 0x557986d1d075 in main src/ui/terminal/main.c:138
    #9 0x7fa6d7dd7b96 in __libc_start_main
    #10 0x557986d1cac9 in _start

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/language/lexer/variable-parser.c:410 in


In `src/language/lexer/variable-parser.c`, name1 is used with null-check (at
line 492) but name2 is used without null-check (at line 506).
A null-check for name2 may be necessary.

490   do
491     {
492       name1 = parse_DATA_LIST_var (lexer, dict);
493       if (!name1)
494         goto exit;
495       if (dict_class_from_id (name1) == DC_SCRATCH && pv_opts &
496   {
497     msg (SE, _("Scratch variables not allowed here."));
498     goto exit;
499   }
500       if (lex_match (lexer, T_TO))
501   {
502     unsigned long int num1, num2;
503           int n_digits1, n_digits2;
504           int root_len1, root_len2;
505           unsigned long int number;
507           char *name2 = parse_DATA_LIST_var (lexer, dict);
509           root_len1 = extract_numeric_suffix (name1, &num1, &n_digits1);
510           if (root_len1 == 0)
511             goto exit;
513           root_len2 = extract_numeric_suffix (name2, &num2, &n_digits2);
514           if (root_len2 == 0)
515       goto exit;


File Attachments:

Date: Tue 18 Sep 2018 11:26:05 PM UTC  Name: test-case-000020  Size: 109B  
By: tianxiaogu



Reply to this item at:


  Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]