Re: [Tinycc-devel] Out of Bounds Write in gsym_addr
From: Michael Matz
Subject: Re: [Tinycc-devel] Out of Bounds Write in gsym_addr
Date: Thu, 30 May 2019 21:38:07 +0200 (CEST)
User-agent: Alpine 2.21 (LSU 202 2017-01-01)
Hello,
On Tue, 28 May 2019, Bugs SysSec wrote:
> While fuzzing tcc, an out of bounds write was found in the gsym_addr
> function.
> Attached are a file producing a crash when compiled, the output of the
> clang address sanitizer and valgrind.
You might want to check your outgoing mail filters, the attachment
contained a question mark as function name, à la:
--------------------
?()
{
for(;"";)
asm(".section");
--------------------
With that input TCC doesn't even enter the gen_function routine, and
hence doesn't expose the wild read. Fixing the testcase to use a normal
function name like 'x' allows reproducing the problem, which is now fixed
in mob. Thanks for the report.
Ciao,
Michael.