[Bug-readline] Double-free error when readline is fed with specific data
From: Tanel Kriik
Subject: [Bug-readline] Double-free error when readline is fed with specific data
Date: Tue, 28 Aug 2018 22:14:09 +0300
### GNU Readline version
6.3-8ubuntu2
### OS version
16.04.1-Ubuntu SMP
### compilation
```
$ gcc -o test test.c -lreadline
```
### Description
Double-free error when fed with invalid input.
The inputs were found when using AFL (american fuzzy lop) to
fuzz a program that uses GNU readline.
### Recipe
Compile the program, then pipe either one of the
data files to the program:
```
$ cat data0 | ./test
```
Or:
```
$ cat data1 | ./test
```
Data files and test source can be found in rlcrash.zip:
```
40 2018-08-28 21:47 Makefile
146 2018-08-28 21:33 test.c
67 2018-08-28 21:28 data0
51 2018-08-28 21:30 data1
```
I have the following output if I run the program (with data0):
```
>> ))\Z��)nu2)null����
*** Error in `./test': double free or corruption (fasttop):
0x0000000001296650 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f36ed27e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f7f36edb37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f36edf53c]
/usr/lib/debug/libreadline.so.6(_rl_free_undo_list+0x1b)[0x7f7f3724dfab]
/usr/lib/debug/libreadline.so.6(rl_free_undo_list+0x19)[0x7f7f3724dff9]
/usr/lib/debug/libreadline.so.6(readline_internal_teardown+0xb9)[0x7f7f372384b9]
/usr/lib/debug/libreadline.so.6(readline+0x62)[0x7f7f37239552]
./test[0x4006e8]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f36e7b830]
./test[0x400609]
======= Memory map: ========
...
```
Regards,
Tanel Kriik