Dear all,

While fuzzing tcc, an out-of-bounds write was found in the end_macro function. Attached are a file producing a crash when compiled and the output of valgrind.

To reproduce, compile the attached input file with tcc:

    tcc end_macro.c

The latest git version of tcc (commit 4b46e0ec630531fa85d742706272525bebea49d2) was tested.

Credits: SysSec chair of Ruhr University Bochum
#define Y(Y)ne Áh©½üdÙ,######ú_Ñ##¤Pç´# Y#oäÒ(Æ(;(x)n%¡Æxu±×ÔP #Y[#Y#on#Á»)¢#Nd#8####Æçèe Y#z######[@##fmuls¬:##:õg¥,######ú_Ñ##¤Pç´# Y#oäÒ(Æ(; ;,Ú###.ÿêgRyne Y#o#[#.##[#¨ #define o#ÿ»{ ¢ñÖDxÖаäÒ(Æ(; #[#######ne äR2#Y#on##, )n j)ÛÒ°RB»Fné Y(').stray '\' in pr§ .......':#) ;]Æíd###.ÿÿÿüine Y#x)ne çþ:##D¿KE3½{§ E¹Ü£üB ;Éñ½ o#]ãûÿû»Ï"'PÓ Úý
==12994== Memcheck, a memory error detector
==12994== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12994== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12994== Command: ./tcc-plain end_macro.c
==12994==
end_macro.c:4: warning: pasting "[" and "#" does not give a valid preprocessing token
end_macro.c:4: warning: pasting "on" and "," does not give a valid preprocessing token
end_macro.c:4: warning: pasting "Æíd" and "#" does not give a valid preprocessing token
end_macro.c:4: warning: pasting ":" and "D¿KE3½" does not give a valid preprocessing token
end_macro.c:4: error: macro parameter after '#' expected
==12994== Invalid read of size 8
==12994==    at 0x110347: end_macro (tccpp.c:1119)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==    by 0x10B730: tcc_compile (libtcc.c:653)
==12994==    by 0x10CE17: tcc_add_file_internal (libtcc.c:1064)
==12994==    by 0x10A1AB: main (tcc.c:332)
==12994==  Address 0x1ffefffc20 is on thread 1's stack
==12994==  1112 bytes below stack pointer
==12994==
==12994== Invalid read of size 4
==12994==    at 0x11034B: end_macro (tccpp.c:1121)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==    by 0x10B730: tcc_compile (libtcc.c:653)
==12994==    by 0x10CE17: tcc_add_file_internal (libtcc.c:1064)
==12994==    by 0x10A1AB: main (tcc.c:332)
==12994==  Address 0x1ffefffc18 is on thread 1's stack
==12994==  1120 bytes below stack pointer
==12994==
==12994== Invalid read of size 8
==12994==    at 0x110355: end_macro (tccpp.c:1120)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==    by 0x10B730: tcc_compile (libtcc.c:653)
==12994==    by 0x10CE17: tcc_add_file_internal (libtcc.c:1064)
==12994==    by 0x10A1AB: main (tcc.c:332)
==12994==  Address 0x1ffefffc28 is on thread 1's stack
==12994==  1104 bytes below stack pointer
==12994==
==12994== Invalid read of size 1
==12994==    at 0x11036A: end_macro (tccpp.c:1122)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==    by 0x10B730: tcc_compile (libtcc.c:653)
==12994==    by 0x10CE17: tcc_add_file_internal (libtcc.c:1064)
==12994==    by 0x10A1AB: main (tcc.c:332)
==12994==  Address 0x1ffefffc30 is on thread 1's stack
==12994==  1096 bytes below stack pointer
==12994==
==12994== Invalid write of size 1
==12994==    at 0x110378: end_macro (tccpp.c:1123)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==    by 0x10B730: tcc_compile (libtcc.c:653)
==12994==    by 0x10CE17: tcc_add_file_internal (libtcc.c:1064)
==12994==    by 0x10A1AB: main (tcc.c:332)
==12994==  Address 0x1ffefffc30 is on thread 1's stack
==12994==  1096 bytes below stack pointer
==12994==
==12994==
==12994== HEAP SUMMARY:
==12994==     in use at exit: 512 bytes in 1 blocks
==12994==   total heap usage: 142 allocs, 141 frees, 1,935,875 bytes allocated
==12994==
==12994== LEAK SUMMARY:
==12994==    definitely lost: 0 bytes in 0 blocks
==12994==    indirectly lost: 0 bytes in 0 blocks
==12994==      possibly lost: 512 bytes in 1 blocks
==12994==    still reachable: 0 bytes in 0 blocks
==12994==         suppressed: 0 bytes in 0 blocks
==12994== Rerun with --leak-check=full to see details of leaked memory
==12994==
==12994== For counts of detected and suppressed errors, rerun with: -v
==12994== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
_______________________________________________ Tinycc-devel mailing list Tinycc-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/tinycc-devel
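Added example, not part of the post above and not tcc code: a small Python triage helper of the kind a fuzzing team runs over Memcheck reports like the one quoted in this message. It parses the "Invalid read/write" records, checks that the number of records matches the ERROR SUMMARY line, groups hits by their innermost frame, and ranks the invalid write above the reads so the record worth opening first is picked automatically. The embedded report is a constructed, trimmed copy of the one quoted above (only the top two frames of each stack are kept); the function names and the severity ordering are this example's own choices, not anything tcc or Valgrind define.

```python
"""Triage helper for Valgrind Memcheck reports (added example, not tcc code)."""
import re

# Constructed sample: a trimmed copy of the Memcheck report quoted in the post,
# keeping only the top two frames of each stack trace.
SAMPLE_REPORT = """\
==12994== Memcheck, a memory error detector
==12994== Command: ./tcc-plain end_macro.c
==12994== Invalid read of size 8
==12994==    at 0x110347: end_macro (tccpp.c:1119)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==  Address 0x1ffefffc20 is on thread 1's stack
==12994==  1112 bytes below stack pointer
==12994==
==12994== Invalid read of size 4
==12994==    at 0x11034B: end_macro (tccpp.c:1121)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==  Address 0x1ffefffc18 is on thread 1's stack
==12994==  1120 bytes below stack pointer
==12994==
==12994== Invalid read of size 8
==12994==    at 0x110355: end_macro (tccpp.c:1120)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==  Address 0x1ffefffc28 is on thread 1's stack
==12994==  1104 bytes below stack pointer
==12994==
==12994== Invalid read of size 1
==12994==    at 0x11036A: end_macro (tccpp.c:1122)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==  Address 0x1ffefffc30 is on thread 1's stack
==12994==  1096 bytes below stack pointer
==12994==
==12994== Invalid write of size 1
==12994==    at 0x110378: end_macro (tccpp.c:1123)
==12994==    by 0x1158B4: preprocess_end (tccpp.c:3630)
==12994==  Address 0x1ffefffc30 is on thread 1's stack
==12994==  1096 bytes below stack pointer
==12994==
==12994== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is on thread \d+'s stack")
BELOW_RE = re.compile(r"^==\d+==\s+(\d+) bytes below stack pointer")
SUMMARY_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors")


def parse_memcheck(text):
    """Return (errors, summary_count). Each error is a dict with kind, size,
    frames [(func, loc), ...], addr (int or None) and below_sp (int or None)."""
    errors, cur, summary = [], None, None
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "addr": None, "below_sp": None}
            errors.append(cur)
        elif m := SUMMARY_RE.match(line):
            summary = int(m[1])
        elif cur is not None:
            if m := FRAME_RE.match(line):
                cur["frames"].append((m[1], m[2]))
            elif m := ADDR_RE.match(line):
                cur["addr"] = int(m[1], 16)
            elif m := BELOW_RE.match(line):
                cur["below_sp"] = int(m[1])
            elif re.fullmatch(r"==\d+==\s*", line):  # an empty "==PID==" line ends the record
                cur = None
    return errors, summary


def crash_sites(errors):
    """Group errors by (kind, innermost frame) so repeated hits of one site collapse."""
    sites = {}
    for e in errors:
        func, loc = e["frames"][0] if e["frames"] else ("?", "?")
        sites.setdefault((e["kind"], func, loc), []).append(e)
    return sites


def severity(e):
    """Writes outrank reads; deeper below the stack pointer and wider accesses break ties."""
    return (e["kind"] == "write", e["below_sp"] or 0, e["size"])


def worst_error(errors):
    return max(errors, key=severity) if errors else None


def triage(text):
    errors, summary = parse_memcheck(text)
    if summary is not None and summary != len(errors):
        raise ValueError(f"parsed {len(errors)} errors, summary says {summary}")
    w = worst_error(errors)
    funcs = {e["frames"][0][0] for e in errors if e["frames"]}
    return {
        "errors": len(errors),
        "functions": sorted(funcs),
        "worst": (w["kind"], *w["frames"][0], w["size"], w["below_sp"]),
        "addr_span": (min(e["addr"] for e in errors), max(e["addr"] for e in errors)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run over the full report, this collapses the five records into one finding: every stack has end_macro at the top, the faulting addresses all lie between 0x1ffefffc18 and 0x1ffefffc30 on the stack, and the size-1 write at tccpp.c:1123 is the record to start from, with the four reads at tccpp.c:1119 to 1122 as context for what that code touches before it writes.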