bug-gnu-pspp

PSPP-BUG: [bug #58591] Negative size to memmove


From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58591] Negative size to memmove
Date: Wed, 17 Jun 2020 03:58:02 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

URL:
  <https://savannah.gnu.org/bugs/?58591>

                 Summary: Negative size to memmove
                 Project: PSPP
            Submitted by: andreafioraldi
            Submitted on: Wed 17 Jun 2020 07:58:00 AM UTC
                Category: Output Driver
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00

    _______________________________________________________

Details:

In ds_splice_uninit, memmove is called with -1 as the size parameter.

./pspp -O format=txt -o /dev/null -b neg_memmove


=================================================================
==115875==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x49942c in __asan_memmove (/home/andreaf/real/pspp/pspp_afl+0x49942c)
    #1 0xba18d8 in ds_splice_uninit /home/andreaf/real/pspp/src/libpspp/str.c:1513:7
    #2 0xbd9f90 in u8_line_reserve /home/andreaf/real/pspp/src/libpspp/u8-line.c
    #3 0x943590 in ascii_draw_line /home/andreaf/real/pspp/src/output/ascii.c:578:17
    #4 0x973867 in render_rule /home/andreaf/real/pspp/src/output/render.c:963:7
    #5 0x973867 in render_page_draw_cells /home/andreaf/real/pspp/src/output/render.c:1064:11
    #6 0x9699d7 in render_page_draw /home/andreaf/real/pspp/src/output/render.c:1080:3
    #7 0x9699d7 in render_pager_draw_next /home/andreaf/real/pspp/src/output/render.c:1573:7
    #8 0x94589c in ascii_output_table_item /home/andreaf/real/pspp/src/output/ascii.c:447:30
    #9 0x944df6 in ascii_submit /home/andreaf/real/pspp/src/output/ascii.c:478:5
    #10 0x80db8b in output_submit__ /home/andreaf/real/pspp/src/output/driver.c:172:9
    #11 0x80db8b in output_submit /home/andreaf/real/pspp/src/output/driver.c:263:3
    #12 0x829e9a in pivot_table_submit_layer /home/andreaf/real/pspp/src/output/pivot-output.c:487:3
    #13 0x826415 in pivot_table_submit /home/andreaf/real/pspp/src/output/pivot-output.c:511:5
    #14 0x640b19 in list_execute /home/andreaf/real/pspp/src/language/data-io/list.c:129:7
    #15 0x640b19 in cmd_list /home/andreaf/real/pspp/src/language/data-io/list.c:253:10
    #16 0x4d048b in do_parse_command /home/andreaf/real/pspp/src/language/command.c:233:16
    #17 0x4d048b in cmd_parse_in_state /home/andreaf/real/pspp/src/language/command.c:148:12
    #18 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
    #19 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)

0x60400000d82a is located 26 bytes inside of 45-byte region [0x60400000d810,0x60400000d83d)
allocated by thread T0 here:
    #0 0x499ef9 in realloc (/home/andreaf/real/pspp/pspp_afl+0x499ef9)
    #1 0xc83237 in xrealloc /home/andreaf/real/pspp/gl/xmalloc.c:61:7
    #2 0x93f4a6 in text_draw /home/andreaf/real/pspp/src/output/ascii.c:741:13
    #3 0x93f4a6 in ascii_layout_cell /home/andreaf/real/pspp/src/output/ascii.c:900:7
    #4 0x9445de in ascii_draw_cell /home/andreaf/real/pspp/src/output/ascii.c:638:3
    #5 0x970d0a in render_cell /home/andreaf/real/pspp/src/output/render.c:1033:3
    #6 0x970d0a in render_page_draw_cells /home/andreaf/real/pspp/src/output/render.c:1050:13
    #7 0x9699d7 in render_page_draw /home/andreaf/real/pspp/src/output/render.c:1080:3
    #8 0x9699d7 in render_pager_draw_next /home/andreaf/real/pspp/src/output/render.c:1573:7
    #9 0x94589c in ascii_output_table_item /home/andreaf/real/pspp/src/output/ascii.c:447:30

SUMMARY: AddressSanitizer: negative-size-param (/home/andreaf/real/pspp/pspp_afl+0x49942c) in __asan_memmove
==115875==ABORTING




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 17 Jun 2020 07:58:00 AM UTC  Name: neg_memmove  Size: 4KiB   By: andreafioraldi

<http://savannah.gnu.org/bugs/download.php?file_id=49285>

    _______________________________________________________

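The report above gives only the sanitizer verdict. The following is an added illustration of the bug class it names; it is not PSPP's code, not the contents of the neg_memmove attachment, and the names buf, unchecked_tail_len and buf_splice are hypothetical. The point it makes: memmove takes a size_t, so a splice routine that computes the tail length as len - (ofs + old_cnt) wraps to SIZE_MAX when the requested range ends past the buffer, and AddressSanitizer prints that value as "negative-size-param: (size=-1)". The constructed numbers (a 45-byte buffer, a splice at offset 26) mirror the region size and offset in the ASan report; old_cnt = 20 is an assumed value, since the actual arguments of the PSPP call are not in the report. The hardened buf_splice checks the range and the new length before doing any arithmetic that could wrap, and leaves the buffer untouched when it refuses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer standing in for the string type a
   splice routine operates on.  Not PSPP's struct string. */
struct buf {
    char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

/* The tail length an unchecked splice formula would hand to memmove when
   replacing [ofs, ofs+old_cnt).  All operands are size_t, so if the range
   ends past len the subtraction wraps to SIZE_MAX, which ASan reports as
   "negative-size-param: (size=-1)".  Pure arithmetic: no memmove here. */
static size_t unchecked_tail_len(size_t len, size_t ofs, size_t old_cnt)
{
    return len - (ofs + old_cnt);
}

/* Hardened splice: replace old_cnt bytes at ofs with new_cnt bytes of src.
   Every range and size check happens before arithmetic that could wrap;
   on failure the buffer is left untouched and false is returned. */
static bool buf_splice(struct buf *b, size_t ofs, size_t old_cnt,
                       const char *src, size_t new_cnt)
{
    /* Range check written so that neither side can overflow. */
    if (ofs > b->len || old_cnt > b->len - ofs)
        return false;
    size_t tail = b->len - (ofs + old_cnt);   /* cannot wrap: checked above */

    /* The new length must fit in size_t. */
    size_t kept = b->len - old_cnt;
    if (new_cnt > SIZE_MAX - kept)
        return false;
    size_t new_len = kept + new_cnt;

    if (new_len > b->cap) {
        size_t new_cap = b->cap ? b->cap : 16;
        while (new_cap < new_len) {
            if (new_cap > SIZE_MAX / 2)
                return false;
            new_cap *= 2;
        }
        char *p = realloc(b->data, new_cap);
        if (p == NULL)
            return false;
        b->data = p;
        b->cap = new_cap;
    }

    /* Shift the tail to its new place, then drop the replacement in. */
    memmove(b->data + ofs + new_cnt, b->data + ofs + old_cnt, tail);
    if (new_cnt > 0)
        memcpy(b->data + ofs, src, new_cnt);
    b->len = new_len;
    return true;
}

/* Helpers for constructing and inspecting buffers. */
static struct buf buf_from(const char *s)
{
    struct buf b;
    b.len = strlen(s);
    b.cap = b.len + 1;
    b.data = malloc(b.cap);
    if (b.data == NULL)
        abort();
    memcpy(b.data, s, b.len);
    return b;
}

static bool buf_equals(const struct buf *b, const char *s)
{
    return strlen(s) == b->len && memcmp(b->data, s, b->len) == 0;
}

static void buf_free(struct buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

int main(void)
{
    /* Constructed input: 45-byte buffer, splice at offset 26 (as in the
       report); old_cnt = 20 is assumed and overshoots the end by one byte. */
    printf("unchecked tail length: %zu (SIZE_MAX is %zu)\n",
           unchecked_tail_len(45, 26, 20), (size_t)SIZE_MAX);

    struct buf b = buf_from("hello world");
    printf("splice in range: %s -> %.*s\n",
           buf_splice(&b, 6, 5, "there", 5) ? "ok" : "rejected",
           (int)b.len, b.data);
    printf("splice past end: %s\n",
           buf_splice(&b, 26, 20, "x", 1) ? "ok" : "rejected");
    buf_free(&b);
    return 0;
}
```

Built with -fsanitize=address, the unchecked variant would be stopped at the memmove exactly as in the report; the checked variant never reaches it with a wrapped length, because the range test is phrased as old_cnt > len - ofs (after confirming ofs <= len) rather than ofs + old_cnt > len, which could itself overflow for large arguments.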



