Hi,

When compiling indent with AddressSanitizer (add -fsanitize=address to CFLAGS), it shows several invalid memory accesses / heap overflows.
The simplest one is on an empty file:
==8614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef2f
at pc 0x0000004f8074 bp 0x7fff09efcd10 sp 0x7fff09efcd08
READ of size 1 at 0x60200000ef2f thread T0
#0 0x4f8073 in read_file /f/indent-2.2.11/src/code_io.c:342:9
#1 0x4de558 in indent_single_file /f/indent-2.2.11/src/indent.c:937:25
#2 0x4de558 in indent_all /f/indent-2.2.11/src/indent.c:992
#3 0x4de558 in main /f/indent-2.2.11/src/indent.c:1054
#4 0x7f60c65b2f9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#5 0x4375e6 in _start (/mnt/ram/indent/indent+0x4375e6)
Also on a file simply containing a closing }:
==13768==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efcc at pc 0x0000004f51a4 bp 0x7fff213e2930 sp 0x7fff213e2928
READ of size 4 at 0x60200000efcc thread T0
#0 0x4f51a3 in parse /f/indent-2.2.11/src/parse.c:465:17
#1 0x510220 in handle_token_rbrace /f/indent-2.2.11/src/handletoken.c:1262:9
#2 0x510220 in handle_the_token /f/indent-2.2.11/src/handletoken.c:2238
#3 0x4e1da3 in indent_main_loop /f/indent-2.2.11/src/indent.c:628:9
#4 0x4e1da3 in indent /f/indent-2.2.11/src/indent.c:715
#5 0x4de75f in indent_single_file /f/indent-2.2.11/src/indent.c:960:19
#6 0x4de75f in indent_all /f/indent-2.2.11/src/indent.c:992
#7 0x4de75f in main /f/indent-2.2.11/src/indent.c:1054
#8 0x7f256664bf9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#9 0x4375e6 in _start (/mnt/ram/indent/indent+0x4375e6)
I've attached a sample file and full address sanitizer output.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
=================================================================
==13768==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efcc at pc 0x0000004f51a4 bp 0x7fff213e2930 sp 0x7fff213e2928
READ of size 4 at 0x60200000efcc thread T0
#0 0x4f51a3 in parse /f/indent-2.2.11/src/parse.c:465:17
#1 0x510220 in handle_token_rbrace /f/indent-2.2.11/src/handletoken.c:1262:9
#2 0x510220 in handle_the_token /f/indent-2.2.11/src/handletoken.c:2238
#3 0x4e1da3 in indent_main_loop /f/indent-2.2.11/src/indent.c:628:9
#4 0x4e1da3 in indent /f/indent-2.2.11/src/indent.c:715
#5 0x4de75f in indent_single_file /f/indent-2.2.11/src/indent.c:960:19
#6 0x4de75f in indent_all /f/indent-2.2.11/src/indent.c:992
#7 0x4de75f in main /f/indent-2.2.11/src/indent.c:1054
#8 0x7f256664bf9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#9 0x4375e6 in _start (/mnt/ram/indent/indent+0x4375e6)
0x60200000efcc is located 4 bytes to the left of 8-byte region
[0x60200000efd0,0x60200000efd8)
allocated by thread T0 here:
#0 0x4be72b in calloc (/mnt/ram/indent/indent+0x4be72b)
#1 0x4f691e in xmalloc /f/indent-2.2.11/src/globs.c:45:26
#2 0x7f256664bf9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow
/f/indent-2.2.11/src/parse.c:465 parse
Shadow bytes around the buggy address:
==13768==ABORTING
}
indent: empty.c:0: Error:Zero-length file empty.c
=================================================================
==8614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef2f
at pc 0x0000004f8074 bp 0x7fff09efcd10 sp 0x7fff09efcd08
READ of size 1 at 0x60200000ef2f thread T0
#0 0x4f8073 in read_file /f/indent-2.2.11/src/code_io.c:342:9
#1 0x4de558 in indent_single_file /f/indent-2.2.11/src/indent.c:937:25
#2 0x4de558 in indent_all /f/indent-2.2.11/src/indent.c:992
#3 0x4de558 in main /f/indent-2.2.11/src/indent.c:1054
#4 0x7f60c65b2f9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#5 0x4375e6 in _start (/mnt/ram/indent/indent+0x4375e6)
0x60200000ef2f is located 1 bytes to the left of 2-byte region
[0x60200000ef30,0x60200000ef32)
allocated by thread T0 here:
#0 0x4be72b in calloc (/mnt/ram/indent/indent+0x4be72b)
#1 0x4f691e in xmalloc /f/indent-2.2.11/src/globs.c:45:26
#2 0xfff (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/f/indent-2.2.11/src/code_io.c:342 read_file
Shadow bytes around the buggy address:
==8614==ABORTING
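The two reports above describe a 4-byte read 4 bytes before an 8-byte calloc'd region (parse.c:465, reached from handle_token_rbrace on a lone `}`) and a 1-byte read 1 byte before a 2-byte calloc'd region (code_io.c:342, on an empty file). The C below is an added example, not indent's code: it models one plausible pattern behind each report (a negative index into a heap buffer, which lands in ASan's left redzone) beside the bounds check that prevents it. The real code at those lines is not on this page, so the two functions and their return codes are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern 1, modelled on the parse.c report (READ of size 4, 4 bytes left of
 * an 8-byte calloc region): a two-entry int stack popped on '}'. An unchecked
 * pop of an empty stack reads stack[-1]. Returns 0 for balanced braces, -1 for
 * an unmatched '}', -2 for an unclosed '{', -3 if nesting exceeds two levels. */
int check_braces(const char *src)
{
    int *stack = calloc(2, sizeof(int));   /* 8-byte region, as in the report */
    int tos = -1;                          /* index of the top entry */
    int rc = 0;
    if (stack == NULL) return -4;
    for (const char *p = src; *p != '\0'; p++) {
        if (*p == '{') {
            if (tos == 1) { rc = -3; break; }  /* full: would overflow to the right */
            stack[++tos] = (int)(p - src);
        } else if (*p == '}') {
            /* Unchecked form: `int open_at = stack[tos--];` reads the left redzone */
            if (tos < 0) { rc = -1; break; }
            tos--;
        }
    }
    if (rc == 0 && tos >= 0) rc = -2;
    free(stack);
    return rc;
}

/* Pattern 2, modelled on the code_io.c report (READ of size 1, 1 byte left of
 * a 2-byte calloc region on an empty file): testing whether the buffer ends in
 * '\n' via buf[len - 1]; with len == 0 that is buf[-1]. Returns 1 or 0. */
int ends_with_newline(const char *data, size_t len)
{
    char *buf = calloc(len + 2, 1);        /* room for "\n\0"; 2 bytes when empty */
    if (buf == NULL) return 0;
    memcpy(buf, data, len);
    /* Unchecked form: `int rc = buf[len - 1] == '\n';` */
    int rc = (len > 0 && buf[len - 1] == '\n') ? 1 : 0;
    free(buf);
    return rc;
}

int main(void)
{
    printf("\"}\" -> %d, \"{}\" -> %d, empty -> %d\n",
           check_braces("}"), check_braces("{}"), ends_with_newline("", 0));
    return 0;
}
```

Building this with -fsanitize=address and restoring either unchecked form reproduces the same "N bytes to the left of" wording ASan printed above, which is how to tell an index underflow from a plain overrun when reading such a report.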
_______________________________________________ bug-indent mailing list [email protected] https://lists.gnu.org/mailman/listinfo/bug-indent
