bug-gnu-pspp

PSPP-BUG: [bug #58597] Heap overflow 1-byte-read in u8_mbtouc


From: Andrea Fioraldi
Subject: PSPP-BUG: [bug #58597] Heap overflow 1-byte-read in u8_mbtouc
Date: Wed, 17 Jun 2020 04:42:15 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

URL:
  <https://savannah.gnu.org/bugs/?58597>

                 Summary: Heap overflow 1-byte-read in u8_mbtouc
                 Project: PSPP
            Submitted by: andreafioraldi
            Submitted on: Wed 17 Jun 2020 08:42:14 AM UTC
                Category: Output Driver
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00

    _______________________________________________________

Details:

./pspp -O format=txt -o /dev/null -b heap_1


=================================================================
==120928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001d8b9 at pc 0x000000bdb2c4 bp 0x7fffffffd150 sp 0x7fffffffd148
READ of size 1 at 0x60400001d8b9 thread T0
    #0 0xbdb2c3 in u8_mbtouc /home/andreaf/real/pspp/./gl/unistr.h:221:15
    #1 0xbdb2c3 in u8_mb_to_display /home/andreaf/real/pspp/src/libpspp/u8-line.c:55:9
    #2 0xbdb2c3 in u8_line_find_pos /home/andreaf/real/pspp/src/libpspp/u8-line.c:113:15
    #3 0xbd9499 in u8_line_reserve /home/andreaf/real/pspp/src/libpspp/u8-line.c:152:7
    #4 0x943590 in ascii_draw_line /home/andreaf/real/pspp/src/output/ascii.c:578:17
    #5 0x973867 in render_rule /home/andreaf/real/pspp/src/output/render.c:963:7
    #6 0x973867 in render_page_draw_cells /home/andreaf/real/pspp/src/output/render.c:1064:11
    #7 0x9699d7 in render_page_draw /home/andreaf/real/pspp/src/output/render.c:1080:3
    #8 0x9699d7 in render_pager_draw_next /home/andreaf/real/pspp/src/output/render.c:1573:7
    #9 0x94589c in ascii_output_table_item /home/andreaf/real/pspp/src/output/ascii.c:447:30
    #10 0x944df6 in ascii_submit /home/andreaf/real/pspp/src/output/ascii.c:478:5
    #11 0x80db8b in output_submit__ /home/andreaf/real/pspp/src/output/driver.c:172:9
    #12 0x80db8b in output_submit /home/andreaf/real/pspp/src/output/driver.c:263:3
    #13 0x829e9a in pivot_table_submit_layer /home/andreaf/real/pspp/src/output/pivot-output.c:487:3
    #14 0x826415 in pivot_table_submit /home/andreaf/real/pspp/src/output/pivot-output.c:511:5
    #15 0x640b19 in list_execute /home/andreaf/real/pspp/src/language/data-io/list.c:129:7
    #16 0x640b19 in cmd_list /home/andreaf/real/pspp/src/language/data-io/list.c:253:10
    #17 0x4d048b in do_parse_command /home/andreaf/real/pspp/src/language/command.c:233:16
    #18 0x4d048b in cmd_parse_in_state /home/andreaf/real/pspp/src/language/command.c:148:12
    #19 0x4c9df6 in main /home/andreaf/real/pspp/src/ui/terminal/main.c:138:20
    #20 0x7ffff61a5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x421499 in _start (/home/andreaf/real/pspp/pspp_afl+0x421499)

0x60400001d8b9 is located 0 bytes to the right of 41-byte region [0x60400001d890,0x60400001d8b9)
allocated by thread T0 here:
    #0 0x499ef9 in realloc (/home/andreaf/real/pspp/pspp_afl+0x499ef9)
    #1 0xc83237 in xrealloc /home/andreaf/real/pspp/gl/xmalloc.c:61:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/andreaf/real/pspp/./gl/unistr.h:221:15 in u8_mbtouc
Shadow bytes around the buggy address:
  0x0c087fffbac0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffbad0: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fd
  0x0c087fffbae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fffbaf0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 01
  0x0c087fffbb00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fffbb10: fa fa 00 00 00 00 00[01]fa fa fd fd fd fd fd fd
  0x0c087fffbb20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffbb30: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 01
  0x0c087fffbb40: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 00 01
  0x0c087fffbb50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fffbb60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==120928==ABORTING

    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 17 Jun 2020 08:42:14 AM UTC  Name: heap_1  Size: 4KiB   By:
andreafioraldi

<http://savannah.gnu.org/bugs/download.php?file_id=49292>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58597>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
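The trace above is the classic shape of an end-of-buffer over-read in a multibyte decoder: a 1-byte READ at 0 bytes to the right of an exactly-sized (41-byte, realloc'd) heap region, reached from u8_mbtouc while u8_line_find_pos walks a line byte by byte. When triaging such a report, the two things to check are whether the decoder dereferences s[0] before honouring its length argument, and whether the walking loop can call it with a remaining length of zero (an off-by-one in the loop bound) or with a length that does not match the allocation. The following is an added example and not PSPP's or gnulib's code, nor a diagnosis of this specific bug (the report does not give one): a length-bounded UTF-8 decoder and a line walker that never read at or past the end of the buffer. The names utf8_decode_bounded, count_chars and first_codepoint and the sample input are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one UTF-8 sequence starting at s, where only n bytes are readable.
   Returns the number of bytes consumed (1..4), 0 when n == 0 (nothing to
   read), or -1 for a malformed, overlong or truncated sequence.  The caller
   is expected to treat -1 as a single undecodable byte. */
int utf8_decode_bounded(const uint8_t *s, size_t n, uint32_t *uc)
{
    if (n == 0)
        return 0;             /* never touch s[0] when no byte is readable */

    uint8_t c = s[0];
    size_t len;
    uint32_t cp;

    if (c < 0x80) {           /* ASCII fast path */
        *uc = c;
        return 1;
    } else if ((c & 0xE0) == 0xC0) {
        len = 2; cp = c & 0x1F;
    } else if ((c & 0xF0) == 0xE0) {
        len = 3; cp = c & 0x0F;
    } else if ((c & 0xF8) == 0xF0) {
        len = 4; cp = c & 0x07;
    } else {
        return -1;            /* stray continuation byte or 0xF8..0xFF */
    }

    if (n < len)
        return -1;            /* truncated: continuation bytes lie past the buffer */

    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return -1;        /* expected 10xxxxxx */
        cp = (cp << 6) | (s[i] & 0x3F);
    }

    /* Reject overlong encodings, UTF-16 surrogates and values above U+10FFFF. */
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return -1;

    *uc = cp;
    return (int)len;
}

/* Walk a buffer of exactly len bytes (no NUL terminator assumed) and count
   the characters in it.  The loop bound is '<', so at ofs == len nothing is
   decoded; an undecodable or truncated byte advances by one and counts as
   one character, so the walk always terminates and never reads s[len]. */
size_t count_chars(const uint8_t *s, size_t len)
{
    size_t ofs = 0, count = 0;
    while (ofs < len) {
        uint32_t uc;
        int mb = utf8_decode_bounded(s + ofs, len - ofs, &uc);
        ofs += mb > 0 ? (size_t)mb : 1;
        count++;
    }
    return count;
}

/* Helper for the demo and tests: code point of the first sequence in s,
   -1 for malformed/truncated, -2 when n == 0. */
long first_codepoint(const char *s, size_t n)
{
    uint32_t uc = 0;
    int mb = utf8_decode_bounded((const uint8_t *)s, n, &uc);
    if (mb == 0)
        return -2;
    if (mb < 0)
        return -1;
    return (long)uc;
}

int main(void)
{
    /* Constructed input (not from the report): a heap region sized exactly
       to its contents with no NUL terminator, like the 41-byte region above.
       Its last byte, 0xC3, is the lead byte of a 2-byte sequence whose
       continuation byte is missing. */
    static const char text[] = "x\xC3\xA9 y\xC3";
    size_t len = sizeof text - 1;
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return 1;
    memcpy(buf, text, len);

    /* Under ASan this stays clean; a '<=' loop bound, or a decoder that reads
       s[0] before checking n, would report a 1-byte read just past buf[len-1]. */
    printf("%zu bytes, %zu characters (truncated tail counted as one)\n",
           len, count_chars(buf, len));
    free(buf);
    return 0;
}
```

To use this as a check, build with `-fsanitize=address -g` and run it against inputs whose last byte is a multibyte lead byte; the report above is what you get when either guard is missing, and the `0 bytes to the right of` distance together with the 1-byte read size tells you it is the lead-byte fetch, not a continuation-byte loop, that ran off the end.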
