Steps to reproduce: info -f reproduce_bug.info
Expected behavior: info exits with an error.
Actual behavior: info stuck in an infinite loop
Comments: The bug does not seem to be reproducible with info version 6.5. It is reproducible with the latest git revision; I'm not sure when it was introduced.
The file was generated with afl-fuzz and then hand-edited. The only addition to the original file is a misplaced index tag:
^@^H[index^@^H]
When run on the gzipped version, the result is a segmentation fault in utf8_internal_loop() instead of an infinite loop in text_buffer_iconv().
Sincerely,
Nathaniel Beaver
P.S. Version information:
$ git describe --tags
texinfo-6.6-700-g97eb358ee3
$ git rev-parse HEAD
97eb358ee34966dd1dbc80a78bd5bac77748e112
$ info/ginfo --version
info (GNU texinfo) 6.7dev
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
=================================================================
==17908==ERROR: AddressSanitizer: negative-size-param: (size=-9)
#0 0x7f2440500fa2 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xa1fa2)
#1 0x555f49124bf9 in text_buffer_iconv
/home/nathaniel/src/git/gnu.org/texinfo/info/info-utils.c:1951
#2 0x555f491207c8 in copy_converting
/home/nathaniel/src/git/gnu.org/texinfo/info/info-utils.c:838
#3 0x555f49121056 in copy_input_to_output
/home/nathaniel/src/git/gnu.org/texinfo/info/info-utils.c:1006
#4 0x555f491212c4 in skip_input
/home/nathaniel/src/git/gnu.org/texinfo/info/info-utils.c:1045
#5 0x555f4912392d in scan_node_contents
/home/nathaniel/src/git/gnu.org/texinfo/info/info-utils.c:1727
#6 0x555f4913da14 in info_node_of_tag_ext
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:1284
#7 0x555f4913de08 in info_node_of_tag
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:1324
#8 0x555f4913c6ed in info_get_node_of_file_buffer
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:1069
#9 0x555f4913c25b in info_get_node_with_defaults
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:991
#10 0x555f4913c325 in info_get_node
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:1014
#11 0x555f49151484 in dump_node_to_stream
/home/nathaniel/src/git/gnu.org/texinfo/info/session.c:3768
#12 0x555f491512f7 in dump_nodes_to_file
/home/nathaniel/src/git/gnu.org/texinfo/info/session.c:3731
#13 0x555f4912990a in main
/home/nathaniel/src/git/gnu.org/texinfo/info/info.c:1065
#14 0x7f243fe65bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#15 0x555f491097e9 in _start
(/home/nathaniel/src/git/gnu.org/texinfo/info/ginfo+0x237e9)
0x613000000075 is located 53 bytes inside of 339-byte region
[0x613000000040,0x613000000193)
allocated by thread T0 here:
#0 0x7f244053db40 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x555f4916b5ec in xmalloc
/home/nathaniel/src/git/gnu.org/texinfo/gnulib/lib/xmalloc.c:53
#2 0x555f491175c8 in filesys_read_info_file
/home/nathaniel/src/git/gnu.org/texinfo/info/filesys.c:342
#3 0x555f4913a6f9 in info_load_file
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:702
#4 0x555f4913a148 in info_find_file
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:636
#5 0x555f4913c23d in info_get_node_with_defaults
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:986
#6 0x555f4913c325 in info_get_node
/home/nathaniel/src/git/gnu.org/texinfo/info/nodes.c:1014
#7 0x555f49151484 in dump_node_to_stream
/home/nathaniel/src/git/gnu.org/texinfo/info/session.c:3768
#8 0x555f491512f7 in dump_nodes_to_file
/home/nathaniel/src/git/gnu.org/texinfo/info/session.c:3731
#9 0x555f4912990a in main
/home/nathaniel/src/git/gnu.org/texinfo/info/info.c:1065
#10 0x7f243fe65bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: negative-size-param
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xa1fa2)
==17908==ABORTING
Starting program: /home/nathaniel/local/texinfo/info/ginfo -f ./reproduce_bug.info

Program received signal SIGINT, Interrupt.
__gconv (cd=0x5555557d0d40, inbuf=inbuf@entry=0x5555557ae8b0 <inptr>, inbufend=0x5555557cfa8c "[index", outbuf=outbuf@entry=0x7fffffffd298, outbufend=0x5555557e1060 "", irreversible=irreversible@entry=0x7fffffffd220) at gconv.c:47
47	gconv.c: No such file or directory.
#0  __gconv (cd=0x5555557d0d40, inbuf=inbuf@entry=0x5555557ae8b0 <inptr>, inbufend=0x5555557cfa8c "[index", outbuf=outbuf@entry=0x7fffffffd298, outbufend=0x5555557e1060 "", irreversible=irreversible@entry=0x7fffffffd220) at gconv.c:47
#1  0x00007ffff77da446 in iconv (cd=<optimized out>, inbuf=0x5555557ae8b0 <inptr>, inbytesleft=0x7fffffffd2e0, outbuf=0x7fffffffd298, outbytesleft=0x7fffffffd290) at iconv.c:52
#2  0x000055555556703e in text_buffer_iconv (buf=0x5555557af5d0 <output_buf>, iconv_state=0x5555557d0d40, inbuf=0x5555557ae8b0 <inptr>, inbytesleft=0x7fffffffd2e0) at info-utils.c:1951
#3  0x0000555555565060 in copy_converting (n=-9) at info-utils.c:838
#4  0x0000555555565424 in copy_input_to_output (n=8) at info-utils.c:1006
#5  0x000055555556556b in skip_input (n=8) at info-utils.c:1045
#6  0x0000555555566930 in scan_node_contents (node=0x5555557d0bf0, fb=0x5555557cfbc0, tag_ptr=0x5555557cfdc0) at info-utils.c:1727
#7  0x0000555555572510 in info_node_of_tag_ext (fb=0x5555557cfbc0, tag_ptr=0x5555557cfdc0, fast=0) at nodes.c:1284
#8  0x0000555555572698 in info_node_of_tag (fb=0x5555557cfbc0, tag_ptr=0x5555557cfdc0) at nodes.c:1324
#9  0x0000555555571e6d in info_get_node_of_file_buffer (file_buffer=0x5555557cfbc0, nodename=0x5555557cf4f0 "Top") at nodes.c:1069
#10 0x0000555555571c16 in info_get_node_with_defaults (filename_in=0x5555557cc420 "./reproduce_bug.info", nodename_in=0x5555557cc4b0 "Top", defaults=0x0) at nodes.c:991
#11 0x000055555557748a in info_select_reference (window=0x5555557ccb60, entry=0x5555557b1d90) at session.c:2063
#12 0x0000555555573e5f in begin_multiple_window_info_session (references=0x5555557cc480, error=0x0) at session.c:123
#13 0x000055555557406d in info_session (ref_list=0x5555557cc480, user_filename=0x0, error=0x0) at session.c:211
#14 0x0000555555569684 in main (argc=0, argv=0x7fffffffd820) at info.c:1079
quit
#0  utf8_internal_loop (irreversible=0x7fffffffd2f0, outend=0x5555557d8a90 "", outptrp=<synthetic pointer>, inend=0x7ffff7fd003c "[index", inptrp=0x5555557ae8b0 <inptr>, step_data=0x5555557d0aa0, step=0x5555557d09b0) at ../iconv/loop.c:325
#1  __gconv_transform_utf8_internal (step=0x5555557d09b0, data=data@entry=0x5555557d0aa0, inptrp=inptrp@entry=0x5555557ae8b0 <inptr>, inend=inend@entry=0x7ffff7fd003c "[index", outbufstart=outbufstart@entry=0x0, irreversible=irreversible@entry=0x7fffffffd3c0, do_flush=0, consume_incomplete=0) at ../iconv/skeleton.c:609
#2  0x00007ffff77dabff in __gconv (cd=0x5555557d0a90, inbuf=inbuf@entry=0x5555557ae8b0 <inptr>, inbufend=0x7ffff7fd003c "[index", outbuf=outbuf@entry=0x7fffffffd438, outbufend=<optimized out>, irreversible=irreversible@entry=0x7fffffffd3c0) at gconv.c:78
#3  0x00007ffff77da446 in iconv (cd=<optimized out>, inbuf=0x5555557ae8b0 <inptr>, inbytesleft=0x7fffffffd480, outbuf=0x7fffffffd438, outbytesleft=0x7fffffffd430) at iconv.c:52
#4  0x000055555556703e in text_buffer_iconv (buf=0x5555557af5d0 <output_buf>, iconv_state=0x5555557d0a90, inbuf=0x5555557ae8b0 <inptr>, inbytesleft=0x7fffffffd480) at info-utils.c:1951
#5  0x0000555555565060 in copy_converting (n=-9) at info-utils.c:838
#6  0x0000555555565424 in copy_input_to_output (n=8) at info-utils.c:1006
#7  0x000055555556556b in skip_input (n=8) at info-utils.c:1045
#8  0x0000555555566930 in scan_node_contents (node=0x5555557cf740, fb=0x5555557cf9c0, tag_ptr=0x5555557cfb80) at info-utils.c:1727
#9  0x0000555555572510 in info_node_of_tag_ext (fb=0x5555557cf9c0, tag_ptr=0x5555557cfb80, fast=0) at nodes.c:1284
#10 0x0000555555572698 in info_node_of_tag (fb=0x5555557cf9c0, tag_ptr=0x5555557cfb80) at nodes.c:1324
#11 0x0000555555571e6d in info_get_node_of_file_buffer (file_buffer=0x5555557cf9c0, nodename=0x5555557cef50 "Top") at nodes.c:1069
#12 0x0000555555571c16 in info_get_node_with_defaults (filename_in=0x5555557cc4a0 "./reproduce_bug.info.gz", nodename_in=0x5555557cc520 "Top", defaults=0x0) at nodes.c:991
#13 0x000055555557748a in info_select_reference (window=0x5555557ccbd0, entry=0x5555557b1d90) at session.c:2063
#14 0x0000555555573e5f in begin_multiple_window_info_session (references=0x5555557cc4f0, error=0x0) at session.c:123
#15 0x000055555557406d in info_session (ref_list=0x5555557cc4f0, user_filename=0x0, error=0x0) at session.c:211
#16 0x0000555555569684 in main (argc=0, argv=0x7fffffffd9c0) at info.c:1079
quit
Attachments:
original.info (application/gnuinfo)
original.info.gz (application/gzip)
reproduce_bug.info (application/gnuinfo)
reproduce_bug.info.gz (application/gzip)
==1635== Memcheck, a memory error detector
==1635== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1635== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==1635== Command: /home/nathaniel/local/texinfo/info/ginfo -f reproduce_bug.info
==1635== Parent PID: 1634
==1635==
==1635== Invalid read of size 1
==1635==    at 0x5090503: utf8_internal_loop (loop.c:325)
==1635==    by 0x5090503: __gconv_transform_utf8_internal (skeleton.c:609)
==1635==    by 0x508ABFE: __gconv (gconv.c:78)
==1635==    by 0x508A445: iconv (iconv.c:52)
==1635==    by 0x11B03D: text_buffer_iconv (info-utils.c:1951)
==1635==    by 0x11905F: copy_converting (info-utils.c:838)
==1635==    by 0x119423: copy_input_to_output (info-utils.c:1006)
==1635==    by 0x11956A: skip_input (info-utils.c:1045)
==1635==    by 0x11A92F: scan_node_contents (info-utils.c:1727)
==1635==    by 0x12650F: info_node_of_tag_ext (nodes.c:1284)
==1635==    by 0x126697: info_node_of_tag (nodes.c:1324)
==1635==    by 0x125E6C: info_get_node_of_file_buffer (nodes.c:1069)
==1635==    by 0x125C15: info_get_node_with_defaults (nodes.c:991)
==1635==  Address 0x5485c13 is 0 bytes after a block of size 339 alloc'd
==1635==    at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1635==    by 0x1397E1: xmalloc (xmalloc.c:53)
==1635==    by 0x11518C: filesys_read_info_file (filesys.c:342)
==1635==    by 0x125208: info_load_file (nodes.c:702)
==1635==    by 0x124FAE: info_find_file (nodes.c:636)
==1635==    by 0x125BF7: info_get_node_with_defaults (nodes.c:986)
==1635==    by 0x12B489: info_select_reference (session.c:2063)
==1635==    by 0x127E5E: begin_multiple_window_info_session (session.c:123)
==1635==    by 0x12806C: info_session (session.c:211)
==1635==    by 0x11D683: main (info.c:1079)
==1635==
==1635== Invalid read of size 1
==1635==    at 0x5090503: utf8_internal_loop (loop.c:325)
==1635==    by 0x5090503: __gconv_transform_utf8_internal (skeleton.c:609)
==1635==    by 0x508ABFE: __gconv (gconv.c:78)
==1635==    by 0x508A445: iconv (iconv.c:52)
==1635==    by 0x119201: copy_converting (info-utils.c:915)
==1635==    by 0x119423: copy_input_to_output (info-utils.c:1006)
==1635==    by 0x11956A: skip_input (info-utils.c:1045)
==1635==    by 0x11A92F: scan_node_contents (info-utils.c:1727)
==1635==    by 0x12650F: info_node_of_tag_ext (nodes.c:1284)
==1635==    by 0x126697: info_node_of_tag (nodes.c:1324)
==1635==    by 0x125E6C: info_get_node_of_file_buffer (nodes.c:1069)
==1635==    by 0x125C15: info_get_node_with_defaults (nodes.c:991)
==1635==    by 0x12B489: info_select_reference (session.c:2063)
==1635==  Address 0x5485c38 is 24 bytes after a block of size 352 in arena "client"
==1635==
==1635== Invalid read of size 1
==1635==    at 0x4C36108: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1635==    by 0x11B0C7: text_buffer_add_string (info-utils.c:1965)
==1635==    by 0x118EBA: copy_direct (info-utils.c:720)
==1635==    by 0x119263: copy_converting (info-utils.c:929)
==1635==    by 0x119423: copy_input_to_output (info-utils.c:1006)
==1635==    by 0x11956A: skip_input (info-utils.c:1045)
==1635==    by 0x11A92F: scan_node_contents (info-utils.c:1727)
==1635==    by 0x12650F: info_node_of_tag_ext (nodes.c:1284)
==1635==    by 0x126697: info_node_of_tag (nodes.c:1324)
==1635==    by 0x125E6C: info_get_node_of_file_buffer (nodes.c:1069)
==1635==    by 0x125C15: info_get_node_with_defaults (nodes.c:991)
==1635==    by 0x12B489: info_select_reference (session.c:2063)
==1635==  Address 0x5485c38 is 24 bytes after a block of size 352 in arena "client"
==1635==
==1635==
==1635== Process terminating with default action of signal 2 (SIGINT)
==1635==    at 0x50A72A7: kill (syscall-template.S:78)
==1635==    by 0x13288B: info_signal_proc (signals.c:240)
==1635==    by 0x50A703F: ??? (in /lib/x86_64-linux-gnu/libc-2.27.so)
==1635==    by 0x119099: copy_converting (info-utils.c:852)
==1635==    by 0x119423: copy_input_to_output (info-utils.c:1006)
==1635==    by 0x11956A: skip_input (info-utils.c:1045)
==1635==    by 0x11A92F: scan_node_contents (info-utils.c:1727)
==1635==    by 0x12650F: info_node_of_tag_ext (nodes.c:1284)
==1635==    by 0x126697: info_node_of_tag (nodes.c:1324)
==1635==    by 0x125E6C: info_get_node_of_file_buffer (nodes.c:1069)
==1635==    by 0x125C15: info_get_node_with_defaults (nodes.c:991)
==1635==    by 0x12B489: info_select_reference (session.c:2063)
==1635==
==1635== HEAP SUMMARY:
==1635==     in use at exit: 179,838 bytes in 371 blocks
==1635==   total heap usage: 666 allocs, 295 frees, 213,844 bytes allocated
==1635==
==1635== LEAK SUMMARY:
==1635==    definitely lost: 0 bytes in 0 blocks
==1635==    indirectly lost: 0 bytes in 0 blocks
==1635==      possibly lost: 0 bytes in 0 blocks
==1635==    still reachable: 179,838 bytes in 371 blocks
==1635==         suppressed: 0 bytes in 0 blocks
==1635== Rerun with --leak-check=full to see details of leaked memory
==1635==
==1635== For counts of detected and suppressed errors, rerun with: -v
==1635== ERROR SUMMARY: 79 errors from 3 contexts (suppressed: 0 from 0)
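All three traces share the frame copy_converting (n=-9) beneath a text_buffer_iconv() call, and AddressSanitizer reports the same value as negative-size-param. The following added example (not Texinfo's code; the helper names and the ISO-8859-1 to UTF-8 direction are assumptions chosen for illustration) shows what a negative byte count turns into once it reaches a size_t, and an iconv loop that rejects such a count up front and is guaranteed to terminate.

```c
#include <iconv.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers added for illustration; not Texinfo's own
   text_buffer_iconv() or copy_converting(). */

/* What a missing sign check lets through: the count -9 from the trace,
   stored in a size_t, becomes SIZE_MAX - 8, i.e. "read almost the whole
   address space" as far as iconv's inbytesleft is concerned. */
size_t wrapped_length(long n)
{
    return (size_t) n;
}

#define OUTCAP 64
/* Convert exactly n bytes of ISO-8859-1 at in[] to UTF-8 in out[OUTCAP].
   Returns the bytes written, or -1 for a negative count, for output that
   does not fit, or for input iconv rejects.  The loop ends on every iconv
   error and on any pass that consumes nothing, so it cannot spin forever. */
long convert_latin1_bounded(const char *in, long n, char *out)
{
    if (n < 0)                        /* reject before it becomes a size_t */
        return -1;
    iconv_t cd = iconv_open("UTF-8", "ISO-8859-1");
    if (cd == (iconv_t) -1)
        return -1;
    char *inp = (char *) in, *outp = out;
    size_t inleft = (size_t) n, outleft = OUTCAP;
    while (inleft > 0) {
        size_t before = inleft;
        /* E2BIG (output full), EILSEQ and EINVAL all come back as -1 */
        if (iconv(cd, &inp, &inleft, &outp, &outleft) == (size_t) -1)
            break;
        if (inleft == before)         /* no progress: stop, do not retry */
            break;
    }
    iconv_close(cd);
    return inleft == 0 ? (long) (OUTCAP - outleft) : -1;
}

int main(void)
{
    char out[OUTCAP];                 /* constructed sample input below */
    printf("(size_t)-9 = %zu\n", wrapped_length(-9));
    printf("4 bytes -> %ld bytes\n", convert_latin1_bounded("caf\xe9", 4, out));
    printf("-9 bytes -> %ld\n", convert_latin1_bounded("caf\xe9", -9, out));
    return 0;
}
```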
