Here is my gdb and ASan information.
Also, the PoC files and fileman.c are attached.
I tested them on the devel branch.
Looking forward to your reply; I would like some CVE IDs, please.



Readline version: devel
Machine and OS: Ubuntu 20.04.1 x86-64
Compilation flags: "./configure CC=/root/fuzzers/AFLplusplus/afl-clang-fast CXX=/root/fuzzers/AFLplusplus/afl-clang-fast++" with ASan and UBSan instrumentation.



➜  readline git:(devel) ✗ git status
On branch devel
Your branch is up to date with 'origin/devel'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   examples/fileman.c

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        examples/rl-timeout
        examples/rlkeymaps

no changes added to commit (use "git add" and/or "git commit -a")


bug_1
Legend: code, data, rodata, value
Stopped reason: SIGILL
0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>, current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
1865	      memmove (old_face+newbytes, old_face+oldbytes, strlen (old+oldbytes) + 1);
gdb-peda$ bt
#0  0x0000000000535571 in update_line (old=<optimized out>, old_face=<optimized out>, new=<optimized out>, new_face=<optimized out>, current_line=<optimized out>, omax=<optimized out>, nmax=<optimized out>, inv_botlin=<optimized out>) at display.c:1865
#1  0x0000000000526789 in rl_redisplay () at display.c:1334
#2  0x0000000000538418 in rl_clear_message () at display.c:3081
#3  0x0000000000560757 in _rl_arg_overflow () at misc.c:85
#4  0x00000000004e1405 in rl_digit_loop1 () at vi_mode.c:1109
#5  rl_domove_read_callback (m=m@entry=0x6040000001d0) at vi_mode.c:1334
#6  0x00000000004e1b91 in rl_vi_domove (x=<optimized out>, ignore=<optimized out>) at vi_mode.c:1389
#7  rl_vi_delete_to (count=<optimized out>, key=key@entry=0x64) at vi_mode.c:1455
#8  0x00000000004cf1b1 in _rl_dispatch_subseq (key=0x64, map=0x5dece0 <vi_movement_keymap>, got_subseq=<optimized out>) at readline.c:922
#9  0x00000000004cd71b in _rl_dispatch (key=0x0, map=0xea7160 <__afl_area_initial>) at readline.c:866
#10 readline_internal_char () at readline.c:680
#11 0x00000000004cbe05 in readline_internal_charloop () at readline.c:727
#12 readline_internal () at readline.c:739
#13 readline (prompt=0x5983e0 <str> "FileMan: ") at readline.c:387
#14 0x00000000004ca806 in main (argc=argc@entry=0x1, argv=<optimized out>, argv@entry=0x7fffffffe2a8) at fileman.c:142
#15 0x00007ffff7c1f083 in __libc_start_main (main=0x4ca720 <main>, argc=0x1, argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at ../csu/libc-start.c:308
#16 0x000000000041d5ee in _start ()


bug_2
==1101385==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008c8 at pc 0x000000553dff bp 0x7fffffffe070 sp 0x7fffffffe068
READ of size 4 at 0x6030000008c8 thread T0
[Attaching after Thread 0x7ffff7bf8800 (LWP 1101385) fork to child process 1101386]
[New inferior 2 (process 1101386)]
[Detaching after fork from parent process 1101385]
[Inferior 1 (process 1101385) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 1101386 is executing new program: /usr/local/bin/llvm-symbolizer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x553dfe in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:108:19
    #1 0x55c3ba in rl_insert_comment /root/target/AFLPLUSPLUS/readline/text.c
    #2 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #3 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #4 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #5 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #6 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #7 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #8 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #9 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)


0x6030000008c8 is located 24 bytes inside of 32-byte region [0x6030000008b0,0x6030000008d0)
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
    #2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
    #3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
    #4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16


previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
    #3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
    #4 0x553b1c in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:113:2
    #5 0x558cc7 in _rl_insert_char /root/target/AFLPLUSPLUS/readline/text.c:903:7
    #6 0x559b78 in rl_insert /root/target/AFLPLUSPLUS/readline/text.c:955:42
    #7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7ffff7c1f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16


SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/text.c:108:19 in rl_insert_text
Shadow bytes around the buggy address:
  0x0c067fff80c0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x0c067fff80d0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff80e0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c067fff80f0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8100: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff8110: fd fd fd fa fa fa fd fd fd[fd]fa fa fd fd fd fa
  0x0c067fff8120: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x0c067fff8130: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8140: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fa
  0x0c067fff8150: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8160: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1101385==ABORTING
[Inferior 2 (process 1101386) exited normally]
Warning: not running


bug_4
==1101869==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000f88 at pc 0x000000548b29 bp 0x7ffe73741350 sp 0x7ffe73741348
READ of size 4 at 0x603000000f88 thread T0
    #0 0x548b28 in rl_do_undo /root/target/AFLPLUSPLUS/readline/undo.c:188:25
    #1 0x5498d4 in rl_revert_line /root/target/AFLPLUSPLUS/readline/undo.c:339:2
    #2 0x4ccc76 in readline_internal_teardown /root/target/AFLPLUSPLUS/readline/readline.c:498:7
    #3 0x4cbe39 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:740:11
    #4 0x4cbe39 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #5 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #6 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)


0x603000000f88 is located 24 bytes inside of 32-byte region [0x603000000f70,0x603000000f90)
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
    #2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
    #3 0x4eca40 in rl_history_search_forward /root/target/AFLPLUSPLUS/readline/search.c:651:5
    #4 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #5 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #6 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #7 0x4cfdb8 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:1068:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16


previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
    #3 0x5475f0 in rl_add_undo /root/target/AFLPLUSPLUS/readline/undo.c:92:10
    #4 0x554222 in rl_delete_text /root/target/AFLPLUSPLUS/readline/text.c:152:5
    #5 0x54293e in rl_kill_text /root/target/AFLPLUSPLUS/readline/kill.c:177:3
    #6 0x54293e in rl_kill_line /root/target/AFLPLUSPLUS/readline/kill.c:254:2
    #7 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #8 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #9 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #10 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #11 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #12 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #13 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #14 0x7f6582f3d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16


SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/undo.c:188:25 in rl_do_undo
Shadow bytes around the buggy address:
  0x0c067fff81a0: 00 00 05 fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c067fff81b0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff81c0: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff81d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff81e0: fa fa 00 00 00 07 fa fa fd fd fd fd fa fa fd fd
=>0x0c067fff81f0: fd[fd]fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff8200: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00
  0x0c067fff8210: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8220: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c067fff8230: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00
  0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1101869==ABORTING




bug_6
➜  uniq /root/target/AFLPLUSPLUS/readline/examples/fileman < bug_6
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas
-%�TSme@��Nas: No such command for FileMan.
FileMan: -%�TSme@��Nas[6~l�����
-%�TSme@�
FileMan: =================================================================
==1101976==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000688 at pc 0x0000004dbfc2 bp 0x7ffdf2198570 sp 0x7ffdf2198568
READ of size 4 at 0x603000000688 thread T0
    #0 0x4dbfc1 in _rl_vi_save_insert /root/target/AFLPLUSPLUS/readline/vi_mode.c:845:22
    #1 0x4dbb51 in _rl_vi_done_inserting /root/target/AFLPLUSPLUS/readline/vi_mode.c:886:2
    #2 0x55ac07 in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1116:7
    #3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #10 0x7f3d3e3c9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)


bug_7
==1102019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002ce8 at pc 0x000000536665 bp 0x7ffe321b5710 sp 0x7ffe321b5708
READ of size 4 at 0x619000002ce8 thread T0
    #0 0x536664 in _rl_move_cursor_relative /root/target/AFLPLUSPLUS/readline/display.c:2829:58
    #1 0x53972b in _rl_update_final /root/target/AFLPLUSPLUS/readline/display.c:3350:7
    #2 0x55ad0a in rl_newline /root/target/AFLPLUSPLUS/readline/text.c:1128:5
    #3 0x4cf1b0 in _rl_dispatch_subseq /root/target/AFLPLUSPLUS/readline/readline.c:922:8
    #4 0x4cd71a in _rl_dispatch /root/target/AFLPLUSPLUS/readline/readline.c:866:10
    #5 0x4cd71a in readline_internal_char /root/target/AFLPLUSPLUS/readline/readline.c:680:11
    #6 0x4cbe04 in readline_internal_charloop /root/target/AFLPLUSPLUS/readline/readline.c:727:11
    #7 0x4cbe04 in readline_internal /root/target/AFLPLUSPLUS/readline/readline.c:739:18
    #8 0x4cbe04 in readline /root/target/AFLPLUSPLUS/readline/readline.c:387:11
    #9 0x4ca805 in main /root/target/AFLPLUSPLUS/readline/examples/fileman.c:142:14
    #10 0x7efd1d126082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41d5ed in _start (/root/target/AFLPLUSPLUS/readline/examples/fileman+0x41d5ed)

<<attachment: uniq.zip>>

Attachment: fileman.c
Description: Binary data
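Read side by side, the ASan reports for bug_2 and bug_4 free the undo entry at the same place (_rl_free_undo_list, reached from _rl_free_saved_history_line inside rl_history_search_forward) and allocate it at the same place (alloc_undo_entry via rl_add_undo); only the later read of the stale entry differs (rl_insert_text at text.c:108 versus rl_do_undo at undo.c:188). That pattern usually means one root cause surfacing at several fault sites, which is worth establishing before asking for separate CVE IDs. The script below is an added example for this thread, not code from the report, from readline or from AFL++: it parses ASan output, extracts the faulting frame plus the free and allocation sites (the first in-project frame below the allocator), and groups use-after-free reports by free site. The PROJECT path fragment, the WRAPPERS set of allocator names and the abridged SAMPLE text assembled from the reports above are assumptions made for the example.

```python
"""Group AddressSanitizer reports by likely root cause.

Added example, not code from the report, readline or AFL++: records each
report's faulting frame, free site and allocation site (first in-project
frame below the allocator) and clusters use-after-free reports by free site.
"""
import re
from dataclasses import dataclass
from typing import Optional

PROJECT = "/readline/"  # assumption: path fragment that marks in-project frames
WRAPPERS = {"malloc", "free", "realloc", "xmalloc", "xrealloc", "xfree"}  # assumed allocator names
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
LABEL_RE = re.compile(r"^bug_\d+$")  # the reporter's own PoC file names


@dataclass
class Report:
    label: str
    kind: str
    address: str
    crash: Optional[str] = None  # first in-project frame of the bad access
    freed: Optional[str] = None  # first in-project frame below free()
    alloc: Optional[str] = None  # first in-project frame below malloc()

    def root_key(self):
        """For a use-after-free the free site identifies the bug better than
        the read site, which moves with whatever touches the stale pointer."""
        if self.kind == "heap-use-after-free" and self.freed:
            return (self.kind, self.freed)
        return (self.kind, self.crash)


def _site(func, location):
    """'func file:line:col' for an in-project, non-allocator frame, else None."""
    if func in WRAPPERS or PROJECT not in location:
        return None
    return f"{func} {location.split(PROJECT, 1)[1]}"


def parse_reports(text):
    """Parse one or more ASan reports, each optionally preceded by a bug_N label."""
    reports, label, state = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if LABEL_RE.match(line):
            label = line
            continue
        m = ERROR_RE.search(line)
        if m:
            reports.append(Report(label or f"report-{len(reports) + 1}", m[1], m[2]))
            label, state = None, "crash"
        elif not reports:
            continue
        elif line.startswith("freed by thread"):
            state = "freed"
        elif line.startswith("previously allocated by thread"):
            state = "alloc"
        elif line.startswith("SUMMARY:"):
            state = None
        elif state and getattr(reports[-1], state) is None:
            m = FRAME_RE.search(line)
            if m:  # stays None across runtime/allocator frames until a project frame appears
                setattr(reports[-1], state, _site(m[2], m[3]))
    return reports


def cluster(reports):
    """Map root_key -> labels of the reports that share it."""
    groups = {}
    for r in reports:
        groups.setdefault(r.root_key(), []).append(r.label)
    return groups


# Constructed sample, abridged from the bug_2, bug_4 and bug_7 reports in this thread.
SAMPLE = """\
bug_2
==1101385==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008c8 at pc 0x000000553dff
READ of size 4 at 0x6030000008c8 thread T0
    #0 0x553dfe in rl_insert_text /root/target/AFLPLUSPLUS/readline/text.c:108:19
    #1 0x55c3ba in rl_insert_comment /root/target/AFLPLUSPLUS/readline/text.c
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
    #2 0x562026 in _rl_free_saved_history_line /root/target/AFLPLUSPLUS/readline/misc.c:404:2
previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
SUMMARY: AddressSanitizer: heap-use-after-free /root/target/AFLPLUSPLUS/readline/text.c:108:19 in rl_insert_text
bug_4
==1101869==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000f88 at pc 0x000000548b29
    #0 0x548b28 in rl_do_undo /root/target/AFLPLUSPLUS/readline/undo.c:188:25
freed by thread T0 here:
    #0 0x4985e2 in free /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5478a8 in _rl_free_undo_list /root/target/AFLPLUSPLUS/readline/undo.c:111:7
previously allocated by thread T0 here:
    #0 0x49884d in malloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x580937 in xmalloc /root/target/AFLPLUSPLUS/readline/xmalloc.c:59:10
    #2 0x5475f0 in alloc_undo_entry /root/target/AFLPLUSPLUS/readline/undo.c:75:23
bug_7
==1102019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002ce8 at pc 0x000000536665
    #0 0x536664 in _rl_move_cursor_relative /root/target/AFLPLUSPLUS/readline/display.c:2829:58
"""

if __name__ == "__main__":
    for key, labels in cluster(parse_reports(SAMPLE)).items():
        print(f"{key[0]} at {key[1]}: {', '.join(labels)}")
```

Run it on the full captured reports by reading them from a file instead of SAMPLE; the SIGILL in bug_1 comes from gdb rather than ASan, so it has no ASan header and is left to a separate bucket by design.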
