From: 乐泰
Subject: Bug: A heap-buffer-overflow bug in function _nc_captoinfo of ncurses-6.1
Date: Sat, 1 Aug 2020 12:54:02 +0800 (GMT+08:00)
==27302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x000000555733 bp 0x7ffd18fb9910 sp 0x7ffd18fb9908
READ of size 1 at 0x621000002500 thread T0
#0 0x555732 in _nc_captoinfo /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/captoinfo.c:318:12
#1 0x56ce32 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:503:13
#2 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
#3 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
#4 0x7efcb69c5b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41a029 in _start (/home/ubuntu/kxd_ncurses-6.1/ncurses-install/bin/tic+0x41a029)
0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
#0 0x4cf670 in malloc /home/ubuntu/kxd/tools/llvm-4.0/llvm-4.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x5667f0 in _nc_get_token /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_scan.c:447:16
#2 0x56a579 in _nc_parse_entry /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/parse_entry.c:231:18
#3 0x563942 in _nc_read_entry_source /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/comp_parse.c:225:6
#4 0x50ac8c in main /home/ubuntu/kxd_ncurses-6.1/build/progs/../../progs/tic.c:961:5
#5 0x7efcb69c5b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/kxd_ncurses-6.1/build/ncurses/../../ncurses/tinfo/captoinfo.c:318:12 in _nc_captoinfo
Shadow bytes around the buggy address:
0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27302==ABORTING
Attachment: id:000344,sig:11,src:005756,op:havoc,rep:2
Description: Binary data
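To confirm what the report above locates before touching the ncurses source, the following added C example (not part of this report, and not ncurses code) parses the "READ of size" and "is located ... bytes to the right of" lines, recomputes the shadow address that ASan marks with "=>", and shows that the access covers exactly the first byte after the 4096-byte region that _nc_get_token allocated. It assumes the default x86_64 Linux ASan shadow mapping, shadow = (addr >> 3) + 0x7fff8000, and the line formats ASan prints for heap-buffer-overflow; the two report lines are embedded as constants, and the function names are the example's own.

```c
/*
 * Added example, not part of the bug report or of ncurses: decode the two
 * AddressSanitizer report lines that locate the faulting read and recompute
 * the shadow address ASan marks with "=>".
 * Assumptions: x86_64 Linux default shadow mapping
 *   shadow = (addr >> 3) + 0x7fff8000
 * and the exact line formats ASan prints for heap-buffer-overflow reports.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Copied from the report above; constants for the example. */
static const char *kAccessLine =
    "READ of size 1 at 0x621000002500 thread T0";
static const char *kRegionLine =
    "0x621000002500 is located 0 bytes to the right of 4096-byte region "
    "[0x621000001500,0x621000002500)";

struct asan_access {
    char     kind[8];      /* "READ" or "WRITE" */
    uint64_t size;         /* bytes accessed */
    uint64_t addr;         /* faulting address */
    uint64_t distance;     /* "N bytes to the <side> of" */
    char     side[8];      /* "right" or "left" */
    uint64_t region_size;  /* as printed: "4096-byte region" */
    uint64_t region_lo;    /* region is [lo, hi) */
    uint64_t region_hi;
};

/* Parse both lines. Returns 1 on success, 0 if either line does not match
 * or the two lines are inconsistent with each other. */
int asan_parse(const char *access_line, const char *region_line,
               struct asan_access *out)
{
    memset(out, 0, sizeof *out);
    if (sscanf(access_line, "%7s of size %" SCNu64 " at 0x%" SCNx64,
               out->kind, &out->size, &out->addr) != 3)
        return 0;
    uint64_t addr2;
    if (sscanf(region_line,
               "0x%" SCNx64 " is located %" SCNu64 " bytes to the %7s of "
               "%" SCNu64 "-byte region [0x%" SCNx64 ",0x%" SCNx64 ")",
               &addr2, &out->distance, out->side, &out->region_size,
               &out->region_lo, &out->region_hi) != 6)
        return 0;
    /* Both lines must name the same address, and [lo,hi) must match the size. */
    if (addr2 != out->addr || out->region_hi - out->region_lo != out->region_size)
        return 0;
    return 1;
}

/* Bytes of the access that lie past the end of the region
 * (0 means the access does not extend beyond it). */
uint64_t asan_bytes_past_end(const struct asan_access *a)
{
    uint64_t end = a->addr + a->size;
    return end > a->region_hi ? end - a->region_hi : 0;
}

/* Shadow byte address for an application address (x86_64 Linux default). */
uint64_t asan_shadow_addr(uint64_t addr)
{
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Start of the 16-byte shadow row ASan prints, and the column within it. */
uint64_t asan_shadow_row(uint64_t addr)    { return asan_shadow_addr(addr) & ~0xfULL; }
unsigned asan_shadow_column(uint64_t addr) { return (unsigned)(asan_shadow_addr(addr) & 0xf); }

int main(void)
{
    struct asan_access a;
    if (!asan_parse(kAccessLine, kRegionLine, &a)) {
        fputs("report lines did not parse\n", stderr);
        return 1;
    }
    printf("%s of %" PRIu64 " byte(s) at 0x%" PRIx64
           ", region [0x%" PRIx64 ",0x%" PRIx64 ") size %" PRIu64 "\n",
           a.kind, a.size, a.addr, a.region_lo, a.region_hi, a.region_size);
    printf("bytes past region end: %" PRIu64 "\n", asan_bytes_past_end(&a));
    printf("shadow byte 0x%" PRIx64 " in row 0x%" PRIx64 " column %u\n",
           asan_shadow_addr(a.addr), asan_shadow_row(a.addr),
           asan_shadow_column(a.addr));
    return 0;
}
```

Run as-is, the program reports one byte past the region end and a shadow byte at 0x0c427fff84a0, column 0, which is the row and position the report marks as [fa] (the left redzone of the next allocation). That is the arithmetic behind reading the report as a one-byte read exactly at the end of the 4096-byte token buffer; it says nothing by itself about why captoinfo.c:318 reaches that byte, which is what the attached test case and the source have to answer.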