PSPP-BUG: [bug #54685] segfault in extract_numeric_suffix
From: Tianxiao Gu
Subject: PSPP-BUG: [bug #54685] segfault in extract_numeric_suffix
Date: Tue, 18 Sep 2018 19:26:06 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
URL:
<https://savannah.gnu.org/bugs/?54685>
Summary: segfault in extract_numeric_suffix
Project: PSPP
Submitted by: tianxiaogu
Submitted on: Tue 18 Sep 2018 11:26:05 PM UTC
Category: Syntax Parser
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Effort: 0.00
_______________________________________________________
Details:
We found a crash that can only be reproduced with address sanitizer. We
analyzed the code and found that there may be a missing null check, so we still
report this bug.
1. Build pspp with address sanitizer
2. run `pspp test-case-000020`
ASAN:DEADLYSIGNAL
=================================================================
==6383==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc
0x7fa6d915b2ef bp 0x7ffca517ced0 sp 0x7ffca517ce90 T0)
==6383==The signal is caused by a READ memory access.
==6383==Hint: address points to the zero page.
#0 0x7fa6d915b2ee in extract_numeric_suffix
src/language/lexer/variable-parser.c:410
#1 0x7fa6d915bb25 in parse_DATA_LIST_vars
src/language/lexer/variable-parser.c:513
#2 0x7fa6d915c2ee in parse_DATA_LIST_vars_pool
src/language/lexer/variable-parser.c:611
#3 0x7fa6d923a772 in parse_free src/language/data-io/data-list.c:443
#4 0x7fa6d923978f in cmd_data_list src/language/data-io/data-list.c:277
#5 0x7fa6d9141630 in do_parse_command src/language/command.c:233
#6 0x7fa6d91410d9 in cmd_parse_in_state src/language/command.c:148
#7 0x7fa6d91411a9 in cmd_parse src/language/command.c:163
#8 0x557986d1d075 in main src/ui/terminal/main.c:138
#9 0x7fa6d7dd7b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x557986d1cac9 in _start
(/home/t/Projects/fuzzing/pspp/pspp/src/ui/terminal/.libs/pspp+0x4ac9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/language/lexer/variable-parser.c:410 in
extract_numeric_suffix
==6383==ABORTING
Analysis:
In `src/language/lexer/variable-parser.c`, name1 is used with a null check (at
line 492) but name2 is used without a null check (at line 506).
A null check for name2 may be necessary.
490   do
491     {
492       name1 = parse_DATA_LIST_var (lexer, dict);
493       if (!name1)
494         goto exit;
495       if (dict_class_from_id (name1) == DC_SCRATCH && pv_opts & PV_NO_SCRATCH)
496         {
497           msg (SE, _("Scratch variables not allowed here."));
498           goto exit;
499         }
500       if (lex_match (lexer, T_TO))
501         {
502           unsigned long int num1, num2;
503           int n_digits1, n_digits2;
504           int root_len1, root_len2;
505           unsigned long int number;
506
507           char *name2 = parse_DATA_LIST_var (lexer, dict);
508
509           root_len1 = extract_numeric_suffix (name1, &num1, &n_digits1);
510           if (root_len1 == 0)
511             goto exit;
512
513           root_len2 = extract_numeric_suffix (name2, &num2, &n_digits2);
514           if (root_len2 == 0)
515             goto exit;
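The following is an added example, not PSPP's code and not part of the report: a simplified, self-contained model of extract_numeric_suffix and of the "NAME1 TO NAME2" range parsing around it, with the null check on the second name that the analysis above says is missing. The function names parse_var_token and parse_var_range, the suffix-extraction logic, and the return conventions are assumptions made for the illustration; the real PSPP functions take a lexer and dictionary and return differently.

```c
/* Added example, not PSPP's code: a simplified model of
   extract_numeric_suffix() and the DATA LIST "NAME1 TO NAME2" range
   parsing around it. Names and behaviour are assumptions based on the
   bug report, not the real PSPP implementation. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the length of the alphabetic root of NAME (e.g. 3 for "var12"),
   storing the numeric suffix in *NUM and its digit count in *N_DIGITS.
   Returns 0 if NAME has no numeric suffix or no root. Like the function
   in the report, it assumes NAME is non-NULL: passing NULL dereferences
   the zero page, which is the SEGV AddressSanitizer shows. */
static size_t
extract_numeric_suffix(const char *name, unsigned long *num, int *n_digits)
{
    size_t len = strlen(name);
    size_t i = len;
    while (i > 0 && isdigit((unsigned char) name[i - 1]))
        i--;
    *n_digits = (int) (len - i);
    if (*n_digits == 0 || i == 0)
        return 0;
    *num = strtoul(name + i, NULL, 10);
    return i;
}

/* Stand-in (assumption) for parse_DATA_LIST_var(): returns NULL when the
   token is absent or is not a plausible variable name, as a real parser
   does at end of input or on a bad token. */
static const char *
parse_var_token(const char *tok)
{
    if (tok == NULL || *tok == '\0' || !isalpha((unsigned char) *tok))
        return NULL;
    return tok;
}

/* Hardened caller: parses "NAME1 TO NAME2" and returns the number of
   variables in the range, or -1 on a syntax error. The null check on
   name2 is the check the report identifies as missing. */
static long
parse_var_range(const char *tok1, const char *tok2)
{
    unsigned long num1, num2;
    int n_digits1, n_digits2;
    size_t root_len1, root_len2;

    const char *name1 = parse_var_token(tok1);
    if (!name1)
        return -1;
    const char *name2 = parse_var_token(tok2);
    if (!name2)          /* absent in the original: avoids strlen(NULL) */
        return -1;

    root_len1 = extract_numeric_suffix(name1, &num1, &n_digits1);
    if (root_len1 == 0)
        return -1;
    root_len2 = extract_numeric_suffix(name2, &num2, &n_digits2);
    if (root_len2 == 0)
        return -1;

    /* The roots must match and the range must not descend. */
    if (root_len1 != root_len2 || strncmp(name1, name2, root_len1) != 0
        || num1 > num2)
        return -1;
    return (long) (num2 - num1 + 1);
}

int
main(void)
{
    /* Constructed inputs: a valid range, then "var1 TO" with nothing after
       it, which is the shape of input that reaches the NULL dereference. */
    printf("var1 TO var5 -> %ld variables\n", parse_var_range("var1", "var5"));
    printf("var1 TO <end> -> %ld (rejected instead of crashing)\n",
           parse_var_range("var1", NULL));
    return 0;
}
```

With the guard in place a truncated "var1 TO" is reported as a syntax error; without it, the second call would pass NULL into strlen and fault exactly as the report's stack trace shows.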
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Tue 18 Sep 2018 11:26:05 PM UTC Name: test-case-000020 Size: 109B
By: tianxiaogu
<http://savannah.gnu.org/bugs/download.php?file_id=45043>
_______________________________________________________