Bug#989735: minicom: stack smashing when searching in history buffer

Mon, 14 Jun 2021 04:15:46 -0700 

On Sunday 13 June 2021 at 21:22:32 +0200, Adam Lackorzynski wrote:
> thanks again. I wonder why it did not reproduce for me earlier.
> Could you try attached patch and report back?

Hi Adam,

Thanks for the patch. It did seem better. However, when I do a
case-insensitive search I now get:

=================================================================
==177613==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffc43f1c280 at pc 0x56316a341202 bp 0x7ffc43f1be40 sp 0x7ffc43f1be38
WRITE of size 4 at 0x7ffc43f1c280 thread T0
    #0 0x56316a341201 in upcase ../../src/minicom.c:375
    #1 0x56316a341201 in StrStr ../../src/minicom.c:392
    #2 0x56316a3416fd in find_next ../../src/minicom.c:348
    #3 0x56316a33d4c1 in scrollback ../../src/minicom.c:546
    #4 0x56316a33d4c1 in main ../../src/minicom.c:1713
    #5 0x7fd5eb7c5d09 in __libc_start_main ../csu/libc-start.c:308
    #6 0x56316a3400c9 in _start 
(/overflow/mac/nobackup/git/minicom/build/src/minicom+0x250c9)

Address 0x7ffc43f1c280 is located in stack of thread T0 at offset 1056 in frame
    #0 0x56316a340f2f in StrStr ../../src/minicom.c:386

  This frame has 2 object(s):
    [32, 1056) 'tmpstr1' (line 387) <== Memory access at offset 1056 overflows 
this variable
    [1184, 2208) 'tmpstr2' (line 387)
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../src/minicom.c:375 in 
upcase
Shadow bytes around the buggy address:
  0x1000087db800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000087db850:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000087db860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000087db8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==177613==ABORTING

Thanks.

Mike.

Reply via email to