PSPP-BUG: [bug #54725] Assertion abort in pspp-dump-sav.c of libpspp
From: Peter Lemenkov
Subject: PSPP-BUG: [bug #54725] Assertion abort in pspp-dump-sav.c of libpspp
Date: Tue, 25 Sep 2018 07:19:14 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
URL:
<https://savannah.gnu.org/bugs/?54725>
Summary: Assertion abort in pspp-dump-sav.c of libpspp
Project: PSPP
Submitted by: peter_lemenkov
Submitted on: Tue. 25 Sep 2018 11:19:13
Category: None
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Effort: 0.00
_______________________________________________________
Details:
Description of problem:
There is an assertion abort in pspp-dump-sav.c of libpspp.
Version-Release number of selected component (if applicable):
<= latest version
How reproducible:
./pspp-dump-sav POC2
Steps to Reproduce:
The information is as follows:
$./pspp-dump-sav POC2
File header record:
Product name: @(#) SPSS DATA FILE MS Windows Release 12.0
spss$o32.dll
Layout code: 2
Compressed: 1 (simple compression)
Weight index: 2
Number of cases: 10
Compression bias: 100
Creation date: 30
Creation time: 14:34:58
File label: ""
...
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.
Aborted
The GDB debugging information is as follows:
(gdb) set args POC2
(gdb) r
...
(gdb) s
read_string (r=<optimized out>, buffer=<optimized out>, size=<optimized out>)
at utilities/pspp-dump-sav.c:1645
1645 assert (size > 0);
(gdb) n
pspp-dump-sav: utilities/pspp-dump-sav.c:1645: void read_string(struct sfm_reader *, char *, size_t): Assertion `size > 0' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff709e1c7 in __GI_raise (address@hidden) at
../sysdeps/unix/sysv/linux/raise.c:55
55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff709e1c7 in __GI_raise (address@hidden) at
../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007ffff709fe2a in __GI_abort () at abort.c:89
#2 0x00007ffff70970bd in __assert_fail_base (fmt=0x7ffff71f8f78 "%s%s%s:%u:
%s%sAssertion `%s' failed.\n%n",
address@hidden "size > 0", address@hidden
"utilities/pspp-dump-sav.c",
address@hidden, address@hidden "void
read_string(struct sfm_reader *, char *, size_t)")
at assert.c:92
#3 0x00007ffff7097172 in __GI___assert_fail (assertion=0x411fc9 "size > 0",
file=0x411fd2 "utilities/pspp-dump-sav.c",
line=1645, function=0x411fec "void read_string(struct sfm_reader *, char
*, size_t)") at assert.c:101
#4 0x000000000040c90d in read_string (r=<optimized out>, buffer=<optimized
out>, size=<optimized out>)
at utilities/pspp-dump-sav.c:1645
#5 read_variable_record (r=<optimized out>) at utilities/pspp-dump-sav.c:454
#6 main (argc=<optimized out>, argv=<optimized out>) at
utilities/pspp-dump-sav.c:203
The vulnerability was triggered in read_string() at pspp-dump-sav.c:1645.
1643 read_string (struct sfm_reader *r, char *buffer, size_t size)
1644 {
1645 assert (size > 0);
1646 read_bytes (r, buffer, size - 1);
1647 buffer[size - 1] = '\0';
1648 }
Actual results:
crash
Expected results:
file contents dump
Additional info:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact address@hidden and address@hidden if you need
more info about the team, the tool or the vulnerability.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Tue. 25 Sep 2018 11:19:13 Name: POC2 Size: 528 B By: peter_lemenkov
<http://savannah.gnu.org/bugs/download.php?file_id=45092>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?54725>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
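The read_string() quoted in the report asserts `size > 0` and then reads `size - 1` bytes, so whatever derived `size` from the file's contents is what lets a crafted input reach zero; an assert is not input validation, and on a tool that dumps untrusted .sav files it turns a malformed length into an abort. The block below is an added example, not PSPP's code and not the POC2 attachment. It reconstructs one plausible way a signed length field wraps to a size of 0 (an assumption about the pattern, not a statement about PSPP's actual read_variable_record), and shows the hardened reader the trace points toward: validate the length before the subtraction and return an error instead of aborting. `mem_reader`, `read_label_checked`, `unchecked_label_size`, the little-endian 4-byte length layout and the sample byte strings are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for the reader. PSPP's real struct sfm_reader
   works on a FILE *; this one walks a byte buffer so the example runs offline. */
struct mem_reader {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Read exactly n bytes or report a short read; never abort on bad input. */
static bool read_bytes_checked(struct mem_reader *r, void *buf, size_t n)
{
    if (n > r->len - r->pos)
        return false;
    memcpy(buf, r->data + r->pos, n);
    r->pos += n;
    return true;
}

/* Read a 32-bit little-endian signed integer (byte order is an assumption of
   this example; .sav files exist in both orders). */
static bool read_int32(struct mem_reader *r, int32_t *out)
{
    uint8_t b[4];
    if (!read_bytes_checked(r, b, sizeof b))
        return false;
    *out = (int32_t)((uint32_t)b[0] | (uint32_t)b[1] << 8
                     | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
    return true;
}

#define MAX_LABEL 255

/* Size arithmetic that reaches the report's `size > 0` assertion when a reader
   trusts a signed length from the file (hypothetical pattern, not a claim about
   PSPP's exact code): clamping with a signed compare keeps -1, the cast to
   size_t turns it into SIZE_MAX, and SIZE_MAX + 1 wraps to 0. */
static size_t unchecked_label_size(int32_t len)
{
    size_t read_len = len < MAX_LABEL ? (size_t)len : MAX_LABEL;
    return read_len + 1;
}

/* Hardened counterpart of the report's read_string(): validate `size` before
   computing `size - 1`, and surface short reads as errors.
   Returns 0 on success, -1 for a bad size, -2 for truncated input. */
static int read_string_checked(struct mem_reader *r, char *buffer, size_t size)
{
    if (size == 0)
        return -1;
    if (!read_bytes_checked(r, buffer, size - 1))
        return -2;
    buffer[size - 1] = '\0';
    return 0;
}

/* Read a length-prefixed label (4-byte length, then the bytes; assumed layout)
   into `label`, rejecting negative and oversized lengths before any size math. */
static int read_label_checked(struct mem_reader *r, char *label, size_t label_size)
{
    int32_t len;
    if (!read_int32(r, &len))
        return -2;
    if (len < 0)                      /* reject before any cast to size_t */
        return -1;
    size_t read_len = (size_t)len < MAX_LABEL ? (size_t)len : MAX_LABEL;
    if (read_len + 1 > label_size)
        return -1;
    return read_string_checked(r, label, read_len + 1);
}

/* Constructed sample records (not the POC2 attachment from the report). */
static const uint8_t GOOD_LABEL[]   = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t NEGATIVE_LEN[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
static const uint8_t SHORT_LABEL[]  = { 10, 0, 0, 0, 'a', 'b', 'c' };

/* Run one record through the hardened reader; returns read_label_checked's code. */
static int parse_label(const uint8_t *data, size_t len, char *label, size_t label_size)
{
    struct mem_reader r = { data, len, 0 };
    return read_label_checked(&r, label, label_size);
}

int main(void)
{
    char label[MAX_LABEL + 1];
    printf("unchecked size for len=-1: %zu\n", unchecked_label_size(-1));
    printf("good:     rc=%d label=\"%s\"\n",
           parse_label(GOOD_LABEL, sizeof GOOD_LABEL, label, sizeof label), label);
    printf("negative: rc=%d\n",
           parse_label(NEGATIVE_LEN, sizeof NEGATIVE_LEN, label, sizeof label));
    printf("short:    rc=%d\n",
           parse_label(SHORT_LABEL, sizeof SHORT_LABEL, label, sizeof label));
    return 0;
}
```

The design point is that length fields from an untrusted file are validated while still signed, before any cast or arithmetic on them, and that the string reader reports a zero size as an input error rather than trusting callers to never pass one; the assert in the original stays useful as a last-line check, but a file-format dumper should never be able to reach it from file contents.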