PSPP-BUG: [bug #58597] Heap overflow 1-byte-read in u8_mbtouc
From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58597] Heap overflow 1-byte-read in u8_mbtouc
Date: Wed, 17 Jun 2020 04:42:15 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
URL:
<https://savannah.gnu.org/bugs/?58597>
Summary: Heap overflow 1-byte-read in u8_mbtouc
Project: PSPP
Submitted by: andreafioraldi
Submitted on: Wed 17 Jun 2020 08:42:14 AM UTC
Category: Output Driver
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
./pspp -O format=txt -o /dev/null -b heap_1
=================================================================
==120928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001d8b9 at pc 0x000000bdb2c4 bp 0x7fffffffd150 sp 0x7fffffffd148
READ of size 1 at 0x60400001d8b9 thread T0
    #0 0xbdb2c3 in u8_mbtouc /home/andreaf/real/pspp/./gl/unistr.h:221:15
    #1 0xbdb2c3 in u8_mb_to_display /home/andreaf/real/pspp/src/libpspp/u8-line.c:55:9
    #2 0xbdb2c3 in u8_line_find_pos /home/andreaf/real/pspp/src/libpspp/u8-line.c:113:15
    #3 0xbd9499 in u8_line_reserve /home/andreaf/real/pspp/src/libpspp/u8-line.c:152:7
    #4 0x943590 in ascii_draw_line /home/andreaf/real/pspp/src/output/ascii.c:578:17
    #5 0x973867 in render_rule /home/andreaf/real/pspp/src/output/render.c:963:7
    #6 0x973867 in render_page_draw_cells /home/andreaf/real/pspp/src/output/render.c:1064:11
    #7 0x9699d7 in render_page_draw /home/andreaf/real/pspp/src/output/render.c:1080:3
    #8 0x9699d7 in render_pager_draw_next /home/andreaf/real/pspp/src/output/render.c:1573:7
    #9 0x94589c in ascii_output_table_item /home/andreaf/real/pspp/src/output/ascii.c:447:30
    #10 0x944df6 in ascii_submit /home/andreaf/real/pspp/src/output/ascii.c:478:5
    #11 0x80db8b in output_submit__ /home/andreaf/real/pspp/src/output/driver.c:172:9
    #12 0x80db8b in output_submit /home/andreaf/real/pspp/src/output/driver.c:263:3
    #13 0x829e9a in pivot_table_submit_layer /home/andreaf/real/pspp/src/output/pivot-output.c:487:3
    #14 0x826415 in pivot_table_submit /home/andreaf/real/pspp/src/output/pivot-output.c:511:5
    #15 0x640b19 in list_execute /home/andreaf/real/pspp/src/language/data-io/list.c:129:7
    #16 0x640b19 in cmd_list /home/andreaf/real/pspp/src/language/data-io/list.c:253:10
    #17 0x4d048b in do_parse_command /home/andreaf/real/pspp/src/language/command.c:233:16
    #18 0x4d048b in cmd_parse_in_state /home/andreaf/real/pspp/src/language/command.c:148:12
    #19 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
    #20 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)
0x60400001d8b9 is located 0 bytes to the right of 41-byte region [0x60400001d890,0x60400001d8b9)
allocated by thread T0 here:
    #0 0x499ef9 in realloc (/home/andreaf/real/pspp/pspp_afl+0x499ef9)
    #1 0xc83237 in xrealloc /home/andreaf/real/pspp/gl/xmalloc.c:61:7
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/andreaf/real/pspp/./gl/unistr.h:221:15 in u8_mbtouc
Shadow bytes around the buggy address:
0x0c087fffbac0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fffbad0: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
0x0c087fffbae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fffbaf0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 01
0x0c087fffbb00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fffbb10: fa fa 00 00 00 00 00[01]fa fa fd fd fd fd fd fd
0x0c087fffbb20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fffbb30: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 01
0x0c087fffbb40: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 00 01
0x0c087fffbb50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fffbb60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==120928==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 17 Jun 2020 08:42:14 AM UTC Name: heap_1 Size: 4KiB By:
andreafioraldi
<http://savannah.gnu.org/bugs/download.php?file_id=49292>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58597>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
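As an added illustration (this is not PSPP or gnulib code, and it is not the fix for this bug): a small C model of why a length-bounded UTF-8 decoder with u8_mbtouc's contract ends up reading exactly one byte past the end of a heap region such as the 41-byte one in the report above. The caller mistake it shows (handing the decoder the whole line length as n instead of the bytes remaining from the current offset) is an assumption chosen for illustration; the report does not identify the real root cause, and the constructed 41-byte input is not the attached heap_1 file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap line plus bookkeeping. max_touched is the highest index the decoder
   asked for; indices at or past len are refused and answered with 0xff (never
   a UTF-8 byte). This stands in for ASan's redzone so the model has no UB. */
struct line {
    uint8_t *base;
    size_t len;          /* bytes actually allocated */
    size_t max_touched;  /* highest index requested by the decoder */
};

static uint8_t rd(struct line *l, size_t i)
{
    if (i > l->max_touched) l->max_touched = i;
    return i < l->len ? l->base[i] : 0xff;
}

static int is_cont(uint8_t b) { return (b ^ 0x80) < 0x40; }  /* 10xxxxxx */

/* Decode one code point at ofs, trusting the caller's claim that n bytes are
   available from ofs. Same contract as gnulib's u8_mbtouc: each s[k] access is
   guarded only by an n >= k+1 check, so the decoder is exactly as safe as the
   n it is handed. Returns bytes consumed, 0 for invalid/truncated input.
   Model only: 2- and 3-byte forms, no overlong or surrogate rejection. */
static size_t decode_one(struct line *l, size_t ofs, size_t n, uint32_t *uc)
{
    uint8_t c = rd(l, ofs);
    if (c < 0x80) {
        *uc = c;
        return 1;
    }
    if (c >= 0xc2 && c < 0xe0 && n >= 2) {
        uint8_t c1 = rd(l, ofs + 1);
        if (is_cont(c1)) {
            *uc = ((uint32_t)(c & 0x1f) << 6) | (c1 & 0x3f);
            return 2;
        }
    } else if (c >= 0xe0 && c < 0xf0 && n >= 3) {
        uint8_t c1 = rd(l, ofs + 1);
        if (is_cont(c1)) {
            uint8_t c2 = rd(l, ofs + 2);
            if (is_cont(c2)) {
                *uc = ((uint32_t)(c & 0x0f) << 12)
                    | ((uint32_t)(c1 & 0x3f) << 6) | (c2 & 0x3f);
                return 3;
            }
        }
    }
    return 0;  /* truncated, stray continuation byte, or unsupported lead */
}

/* Walk the line the way a find-position loop does, one code point at a time.
   With clamp_n set, n is the bytes left from ofs; without it the decoder is
   told the whole line length at every offset (an assumed mistake used for
   illustration, not the confirmed PSPP root cause), so at the final byte it
   believes 41 bytes remain when only 1 does. */
static void walk(struct line *l, int clamp_n)
{
    size_t ofs = 0;
    uint32_t uc;
    while (ofs < l->len) {
        size_t n = clamp_n ? l->len - ofs : l->len;
        size_t k = decode_one(l, ofs, n, &uc);
        ofs += k ? k : 1;  /* resynchronise one byte at a time on bad input */
    }
}

/* Constructed input (not the attached heap_1 file): 40 ASCII bytes, then the
   lead byte of a 2-byte sequence whose continuation byte was never written;
   41 bytes in all, like the region in the report. */
static struct line make_line(void)
{
    struct line l = { malloc(41), 41, 0 };
    if (!l.base) abort();
    memset(l.base, 'a', 40);
    l.base[40] = 0xc3;
    return l;
}

/* Highest index the decoder touches: 41 (one past the end) when n is
   overstated, 40 when it is clamped to the bytes remaining. */
size_t highest_index(int clamp_n)
{
    struct line l = make_line();
    walk(&l, clamp_n);
    size_t m = l.max_touched;
    free(l.base);
    return m;
}

int main(void)
{
    printf("overstated n: highest index read = %zu of a 41-byte region\n",
           highest_index(0));
    printf("clamped n:    highest index read = %zu\n", highest_index(1));
    return 0;
}
```

The model refuses the out-of-range fetch instead of performing it; in the real binary that fetch of index 41 is the `READ of size 1` ASan flags, since the region is 41 bytes and the faulting address is 0 bytes past its end, i.e. the first byte of the right redzone. Whatever the actual caller bug turns out to be, the check to look for in u8_mb_to_display and u8_line_find_pos is the same: the n passed to u8_mbtouc must never exceed the bytes left between the current offset and the end of the allocation.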