PSPP-BUG: [bug #54687] heap buffer overflow in assign_variable_roles


From: Tianxiao Gu
Subject: PSPP-BUG: [bug #54687] heap buffer overflow in assign_variable_roles
Date: Wed, 19 Sep 2018 00:26:43 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0

URL:
  <https://savannah.gnu.org/bugs/?54687>

                 Summary: heap buffer overflow in assign_variable_roles
                 Project: PSPP
            Submitted by: tianxiaogu
            Submitted on: Wed 19 Sep 2018 04:26:42 AM UTC
                Category: Syntax Parser
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Effort: 0.00

    _______________________________________________________

Details:

A heap buffer overflow is triggered using the attached file
(pspp-convert-000000).
This bug affects the binary distributed in Ubuntu 18.04.

Build:
~~~
export CFLAGS="-fsanitize=address -g -O0"
make -f Smake   # bootstrap step, only needed for a git checkout
./configure
make
~~~

Reproduce:
~~~
pspp-convert pspp-convert-000000 -O csv /dev/null
~~~

Output:
~~~
`pspp-convert-000000' near offset 0x56c: Invalid variable display parameters for variable 7 (FOST2).  Default parameters substituted.
`pspp-convert-000000' near offset 0x8e1: Error parsing attribute value
address@hidden
ASAN:DEADLYSIGNAL
=================================================================
==21330==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f10879d61b0 bp 0x000000000000 sp 0x7fff01937580 T0)
==21330==The signal is caused by a READ memory access.
==21330==Hint: address points to the zero page.
    #0 0x7f10879d61af  (/lib/x86_64-linux-gnu/libc.so.6+0x451af)
    #1 0x7f10882b08f7  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x428f7)
    #2 0x7f1087e7d137 in assign_variable_roles src/data/sys-file-reader.c:2393
    #3 0x7f1087e73671 in sfm_decode src/data/sys-file-reader.c:853
    #4 0x7f1087dfcb72 in any_reader_decode src/data/any-reader.c:147
    #5 0x7f1087dfccb6 in any_reader_open_and_decode src/data/any-reader.c:172
    #6 0x564c7f61ad5b in main utilities/pspp-convert.c:174
    #7 0x7f10879b2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x564c7f61a579 in _start (/home/t/Projects/fuzzing/pspp-1.0.1/utilities/.libs/pspp-convert+0x2579)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x451af)
==21330==ABORTING
~~~



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 19 Sep 2018 04:26:42 AM UTC  Name: pspp-convert-000000  Size: 3KiB  
By: tianxiaogu

<http://savannah.gnu.org/bugs/download.php?file_id=45046>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?54687>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
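Added triage helper, not part of the bug report or of PSPP: it runs an ASAN-instrumented pspp-convert (built as the report describes) on one input and reduces the sanitizer output to the crash class, whether the faulting address is the zero page (a NULL read, which is what this report's output shows despite its "heap buffer overflow" title), and the first frame in PSPP's own sources. The binary path and input file are the caller's; the embedded sample is the sanitizer output quoted in the report.

```shell
#!/bin/sh
# Added triage helper for fuzzing crashes like the one reported above.
# Not part of the bug report or of PSPP; assumes pspp-convert built with
# AddressSanitizer as the report describes (-fsanitize=address -g -O0).
# Crash class from the sanitizer SUMMARY line (SEGV, heap-buffer-overflow, ...).
asan_summary() {
  sed -n 's/^SUMMARY: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Succeeds when ASAN reports the faulting address on the zero page, i.e. a
# NULL dereference rather than an out-of-bounds heap access.
asan_is_null_deref() {
  grep -q 'Hint: address points to the zero page'
}

# First stack frame inside the project's own sources (src/ or utilities/).
# Mail archives may wrap a frame onto two lines, so join lines first.
asan_first_project_frame() {
  tr '\n' ' ' | tr -s ' ' \
    | grep -o '#[0-9]* 0x[0-9a-f]* in [A-Za-z_0-9]* [^ ]*:[0-9]*' \
    | grep -E ' (src|utilities)/' | head -n 1 \
    | sed 's/^#[0-9]* 0x[0-9a-f]* in //'
}

# Run one input through the instrumented binary and print a one-line verdict.
triage_input() {  # $1 = path to ASAN-built pspp-convert, $2 = input file
  report=$("$1" "$2" -O csv /dev/null 2>&1 >/dev/null) || true
  class=$(printf '%s\n' "$report" | asan_summary)
  [ -n "$class" ] || { echo "$2: no sanitizer report"; return 0; }
  frame=$(printf '%s\n' "$report" | asan_first_project_frame)
  if printf '%s\n' "$report" | asan_is_null_deref; then
    class="$class (NULL read)"
  fi
  echo "$2: $class at ${frame:-<no project frame>}"
}

# Constructed sample: the sanitizer output quoted in the report, trimmed.
SAMPLE_REPORT=$(cat <<'EOF'
==21330==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f10879d61b0 bp 0x000000000000 sp 0x7fff01937580 T0)
==21330==The signal is caused by a READ memory access.
==21330==Hint: address points to the zero page.
    #0 0x7f10879d61af  (/lib/x86_64-linux-gnu/libc.so.6+0x451af)
    #2 0x7f1087e7d137 in assign_variable_roles
src/data/sys-file-reader.c:2393
    #3 0x7f1087e73671 in sfm_decode src/data/sys-file-reader.c:853
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x451af)
EOF
)
```

Typical use is `triage_input ./utilities/pspp-convert pspp-convert-000000` over each crashing file a fuzzer produced, so duplicates of the same frame can be grouped before filing.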