A global-buffer overflow occurs in commit fbef90a7039b994907db34fde50f6fa5e46ab535 (ASAN on).

System info: ubuntu 18.04, x86-64

Without ASAN, tcc will encounter a segmentation fault due to this overflow.

$ cat poc.c
a() {
  int b;
  c(b && (void)b);
}

$ ./tcc -c poc.c
poc.c:3: warning: implicit declaration of function 'c'
poc.c:3: error: invalid operand types for binary operation
=================================================================
==34633==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064fcbf at pc 0x0000005f7d1c bp 0x7ffcfcea77d0 sp 0x7ffcfcea77c8
READ of size 1 at 0x00000064fcbf thread T0
    #0 0x5f7d1b (/root/git/tinycc/tcc+0x5f7d1b)
    #1 0x57c6b7 (/root/git/tinycc/tcc+0x57c6b7)
    #2 0x5a5643 (/root/git/tinycc/tcc+0x5a5643)
    #3 0x5908e2 (/root/git/tinycc/tcc+0x5908e2)
    #4 0x58b3cf (/root/git/tinycc/tcc+0x58b3cf)
    #5 0x588c25 (/root/git/tinycc/tcc+0x588c25)
    #6 0x5afa26 (/root/git/tinycc/tcc+0x5afa26)
    #7 0x5abf86 (/root/git/tinycc/tcc+0x5abf86)
    #8 0x554412 (/root/git/tinycc/tcc+0x554412)
    #9 0x51b550 (/root/git/tinycc/tcc+0x51b550)
    #10 0x51d252 (/root/git/tinycc/tcc+0x51d252)
    #11 0x51697a (/root/git/tinycc/tcc+0x51697a)
    #12 0x7f417374bb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41a5d9 in pthread_getattr_np (/root/git/tinycc/tcc+0x41a5d9)

0x00000064fcbf is located 1 bytes to the left of global variable 'arg_regs' defined in './x86_64-gen.c:1215:22' (0x64fcc0) of size 6
0x00000064fcbf is located 48 bytes to the right of global variable '<string literal>' defined in './x86_64-gen.c:1539:20' (0x64fc60) of size 47
  '<string literal>' is ascii string 'SSE disabled but floating point arguments used'
SUMMARY: AddressSanitizer: global-buffer-overflow (/root/git/tinycc/tcc+0x5f7d1b)
==34633==ABORTING
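As an added illustration (not tcc's code and not the fix for this report), a constructed model of x86-64 argument-register assignment: an argument with no valid register class (here, a void operand like the one in poc.c) is rejected before it can become an index into a six-entry arg_regs table, which is the read one byte before arg_regs that ASAN flags above. The type names, the DWARF register numbering and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not tcc's code: the System V x86-64 register class a
 * parameter is passed in.  CLASS_NONE is an operand with no valid class,
 * such as the void expression in the poc above. */
enum arg_class { CLASS_INTEGER, CLASS_SSE, CLASS_NONE };

/* rdi, rsi, rdx, rcx, r8, r9 in DWARF numbering: a 6-byte table with the
 * same shape as the arg_regs that ASAN names. */
static const unsigned char arg_regs[6] = { 5, 4, 1, 2, 8, 9 };

static enum arg_class classify(const char *type_name) {
    if (strcmp(type_name, "float") == 0 || strcmp(type_name, "double") == 0)
        return CLASS_SSE;
    if (strcmp(type_name, "int") == 0 || strcmp(type_name, "long") == 0 ||
        strchr(type_name, '*') != NULL)
        return CLASS_INTEGER;
    return CLASS_NONE;
}

/* Assign a register to each of n arguments.  out[i] gets the DWARF number
 * for integer-class arguments, -1 for SSE-class ones (xmm registers are not
 * modelled) and -2 once the six integer registers are exhausted (stack).
 * Returns the integer registers consumed, or -1 if any argument has no
 * valid class.  Rejecting CLASS_NONE before the lookup is the bounds check:
 * letting a sentinel or error value reach the index is how a read one byte
 * before arg_regs comes about. */
int assign_regs(const char *const *types, size_t n, int *out) {
    int gp = 0;
    for (size_t i = 0; i < n; i++) {
        enum arg_class c = classify(types[i]);
        if (c == CLASS_NONE) return -1;
        if (c == CLASS_SSE) { out[i] = -1; continue; }
        if (gp >= (int)sizeof arg_regs) { out[i] = -2; continue; }
        out[i] = arg_regs[gp++];
    }
    return gp;
}

/* Register assigned to argument i, or -3 if the list is rejected or i is
 * out of range (at most 16 arguments in this helper). */
int assigned_reg(const char *const *types, size_t n, size_t i) {
    int out[16];
    if (n > 16 || i >= n) return -3;
    return assign_regs(types, n, out) < 0 ? -3 : out[i];
}
```

Building this with -fsanitize=address and removing the CLASS_NONE check would reproduce the same class of global-buffer-overflow report on the model table.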