From: Hanno Boeck
Subject: [bug-gettext] [bug #45391] Out of bounds read in xgettext on malformed input
Date: Wed, 24 Jun 2015 13:17:30 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.30 Safari/537.36
URL:
  <http://savannah.gnu.org/bugs/?45391>

                 Summary: Out of bounds read in xgettext on malformed input
                 Project: GNU gettext
            Submitted by: hanno
            Submitted on: Wed 24 Jun 2015 03:17:28 PM CEST
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

The attached file will cause an out of bounds heap read access in xgettext.
Found with american fuzzy lop.

This can be detected with either address sanitizer or valgrind.

Address Sanitizer trace:

```
==29054==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c6b2 at pc 0x0000004fad7e bp 0x7fff2b6eb190 sp 0x7fff2b6eb188
READ of size 1 at 0x60200000c6b2 thread T0
    #0 0x4fad7d in literalstring_parse /f/gettext-0.19.4/gettext-tools/src/x-c.c:887:20
    #1 0x4f518b in arglist_parser_done /f/gettext-0.19.4/gettext-tools/src/xgettext.c:3099:31
    #2 0x4ff01b in extract_parenthesized /f/gettext-0.19.4/gettext-tools/src/x-c.c:2111:11
    #3 0x4fde0c in extract_parenthesized /f/gettext-0.19.4/gettext-tools/src/x-c.c:2016:15
    #4 0x4fcc35 in extract_whole_file /f/gettext-0.19.4/gettext-tools/src/x-c.c:2144:11
    #5 0x4fae27 in extract_c /f/gettext-0.19.4/gettext-tools/src/x-c.c:2163:3
    #6 0x4e93dd in extract_from_file /f/gettext-0.19.4/gettext-tools/src/xgettext.c:2043:3
    #7 0x4e5e6c in main /f/gettext-0.19.4/gettext-tools/src/xgettext.c:818:7
    #8 0x7fc9d5a8af9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #9 0x43cfa6 in _start (/mnt/ram/gettext/xgettext+0x43cfa6)

0x60200000c6b2 is located 0 bytes to the right of 2-byte region [0x60200000c6b0,0x60200000c6b2)
allocated by thread T0 here:
    #0 0x4c3f72 in malloc (/mnt/ram/gettext/xgettext+0x4c3f72)
    #1 0x68ed0a in xmalloc /f/gettext-0.19.4/gettext-tools/gnulib-lib/xmalloc.c:64:7
    #2 0x7fff2b6eb67f (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/gettext-0.19.4/gettext-tools/src/x-c.c:887 literalstring_parse
Shadow bytes around the buggy address:
  0x0c047fff9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff98d0: fa fa 00 02 fa fa[02]fa fa fa fd fa fa fa 00 02
  0x0c047fff98e0: fa fa 00 07 fa fa fd fd fa fa 00 00 fa fa 00 fa
  0x0c047fff98f0: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9900: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9910: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9920: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29054==ABORTING
```

    _______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Wed 24 Jun 2015 03:17:28 PM CEST  Name: xgettext-oob-heap-literalstring_parse.c  Size: 12B   By: hanno
sample file triggering out of bounds heap access
<http://savannah.gnu.org/bugs/download.php?file_id=34305>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?45391>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
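When a fuzzer produces dozens of reports like the one above, the first triage step is to reduce each AddressSanitizer report to a few structured facts: the error class, the access kind and size, how far the access lies from the heap region ASan associates it with, and the top frames of the access and allocation stacks. The parser below is an added example, not code from the bug report or from gettext; the sample report it parses is constructed by quoting the trace above with the frame list shortened, and the regular expressions follow the report format ASan prints.

```python
"""Reduce an AddressSanitizer report to the facts needed to triage a fuzzer crash."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the trace from the bug report above, frame list shortened.
SAMPLE_REPORT = """\
==29054==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c6b2 at pc 0x0000004fad7e bp 0x7fff2b6eb190 sp 0x7fff2b6eb188
READ of size 1 at 0x60200000c6b2 thread T0
    #0 0x4fad7d in literalstring_parse /f/gettext-0.19.4/gettext-tools/src/x-c.c:887:20
    #1 0x4f518b in arglist_parser_done /f/gettext-0.19.4/gettext-tools/src/xgettext.c:3099:31
    #2 0x4ff01b in extract_parenthesized /f/gettext-0.19.4/gettext-tools/src/x-c.c:2111:11
0x60200000c6b2 is located 0 bytes to the right of 2-byte region [0x60200000c6b0,0x60200000c6b2)
allocated by thread T0 here:
    #0 0x4c3f72 in malloc (/mnt/ram/gettext/xgettext+0x4c3f72)
    #1 0x68ed0a in xmalloc /f/gettext-0.19.4/gettext-tools/gnulib-lib/xmalloc.c:64:7
    #2 0x7fff2b6eb67f (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow /f/gettext-0.19.4/gettext-tools/src/x-c.c:887 literalstring_parse
"""


@dataclass
class Frame:
    index: int
    function: str      # "<unknown>" when ASan could not symbolize the frame
    location: str      # file:line:col, or (module+offset) for unsymbolized code


@dataclass
class AsanReport:
    kind: str          # e.g. heap-buffer-overflow, heap-use-after-free
    access: str        # READ or WRITE
    size: int          # bytes accessed
    address: int
    region_start: int
    region_size: int
    offset: int        # access address relative to region start (may be negative)
    side: str          # "right", "left" or "inside" relative to the region
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    freed_stack: List[Frame] = field(default_factory=list)


ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes? (?:to the (left|right) of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# "in <function>" is absent for unsymbolized frames such as "(<unknown module>)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(.*)$")


def parse_asan_report(text: str) -> AsanReport:
    kind: Optional[str] = None
    access: Optional[str] = None
    size = address = 0
    region = None
    access_stack: List[Frame] = []
    alloc_stack: List[Frame] = []
    freed_stack: List[Frame] = []
    current: Optional[List[Frame]] = None  # stack that frame lines belong to

    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind, address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            access, size = m.group(1), int(m.group(2))
            current = access_stack
            continue
        m = REGION_RE.search(line)
        if m:
            region, current = m, None
            continue
        if line.startswith("freed by"):
            current = freed_stack
            continue
        if "allocated by" in line:
            current = alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2) or "<unknown>", m.group(3).strip()))
            continue
        if line.startswith("SUMMARY:"):
            break

    if kind is None or access is None or region is None:
        raise ValueError("not a recognizable AddressSanitizer report")
    region_start = int(region.group(4), 16)
    return AsanReport(kind, access, size, address, region_start, int(region.group(3)),
                      address - region_start, region.group(2) or "inside",
                      access_stack, alloc_stack, freed_stack)


def overrun_bytes(r: AsanReport) -> int:
    """Bytes of the access that lie past the end of the region (0 if none)."""
    return max(0, r.offset + r.size - r.region_size)


def describe(r: AsanReport) -> str:
    top = r.access_stack[0] if r.access_stack else Frame(0, "<unknown>", "?")
    return (f"{r.kind}: {r.access} of {r.size} byte(s) at offset {r.offset} of a "
            f"{r.region_size}-byte region ({overrun_bytes(r)} byte(s) past its end) "
            f"in {top.function} at {top.location}")


if __name__ == "__main__":
    print(describe(parse_asan_report(SAMPLE_REPORT)))
```

For the report above this yields a one-byte read exactly at the end of a 2-byte allocation, which is the signature of a parser that reads one character past the buffer it was given; grouping fuzzer crashes by `(kind, top access frame, overrun_bytes)` is usually enough to recognise duplicates of the same bug before looking at the input files.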