[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#25023: Bug PR utility with -S option
|
From: |
Marcel Böhme |
|
Subject: |
bug#25023: Bug PR utility with -S option |
|
Date: |
Fri, 25 Nov 2016 10:36:47 +0800 |
Dear all,
The following input to PR does not crash the program but ASAN reports a buffer
overflow.
The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.
$ echo a > a
$ pr "-S$(printf "\t\t\t")" a -m a > /dev/null
=================================================================
==102438==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
READ of size 1 at 0x00000041b622 thread T0
#0 0x40506a in print_sep_string ../src/pr.c:2241
#1 0x407ec4 in read_line ../src/pr.c:2493
#2 0x40985c in print_page ../src/pr.c:1802
#3 0x40985c in print_files ../src/pr.c:1618
#4 0x4036e0 in main ../src/pr.c:1136
#5 0x7ff29fa67f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x404209
(/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)
0x00000041b622 is located 62 bytes to the left of global variable '*.LC12'
defined in '../src/pr.c' (0x41b660) of size 4
'*.LC12' is ascii string '%*d'
0x00000041b622 is located 0 bytes to the right of global variable '*.LC11'
defined in '../src/pr.c' (0x41b620) of size 2
'*.LC11' is ascii string ' '
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in
print_sep_string
Best regards,
- Marcel
- bug#25023: Bug PR utility with -S option,
Marcel Böhme <=