[Bug-ed] invalid free on malformed commands

From: Hanno Böck
Subject: [Bug-ed] invalid free on malformed commands
Date: Sun, 8 Jan 2017 12:14:46 +0100


ed can be crashed with some malformed commands:
echo -e "H\n?\{" | ed

The bug seems to be a call of free on a nonallocated pointer. The bug
was found with the fuzzing tool american fuzzy lop in ed 1.14.

Here's a stack trace from address sanitizer:
==29974==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0000013cc6c0 in thread T0
    #0 0x4c9bd0 in __interceptor_cfree.localalias.1 (/r/ed/ed+0x4c9bd0)
    #1 0x51a01c in get_compiled_regex /f/ed/ed-1.14/regex.c:138:5
    #2 0x51a666 in next_matching_node_addr /f/ed/ed-1.14/regex.c:193:31
    #3 0x516f94 in extract_addresses /f/ed/ed-1.14/main_loop.c:224:31
    #4 0x511db0 in exec_command /f/ed/ed-1.14/main_loop.c:424:24
    #5 0x51162e in main_loop /f/ed/ed-1.14/main_loop.c:721:19
    #6 0x5108b9 in main /f/ed/ed-1.14/main.c:197:10
    #7 0x7f93e58fd78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x419c28 in _start (/r/ed/ed+0x419c28)

AddressSanitizer can not describe address in more detail (wild memory access 
SUMMARY: AddressSanitizer: bad-free (/r/ed/ed+0x4c9bd0) in 

Hanno Böck

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
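
Added example, not part of the original message and not code from the ed project: a POSIX sh regression check that replays the two command lines from the report against an ed build and classifies the outcome, so the same input can be re-run after a fix. `ED_BIN`, `classify_run` and `reproduce` are assumed names.

```shell
#!/bin/sh
# Added example: regression check for the crash input reported above.
# ED_BIN is an assumption (path to the ed build under test).
ED_BIN="${ED_BIN:-ed}"

# classify_run CMD [ARGS...]
# Runs CMD with the caller's stdin and prints one of:
#   ok                exited on its own, no sanitizer report
#   signal:<n>        killed by signal n (e.g. 6 = SIGABRT)
#   sanitizer:<type>  AddressSanitizer report on stderr (e.g. bad-free)
#   not-run           command missing or not executable
# Returns 0 for ok, 1 for a crash, 2 for not-run.
# The body is a subshell "( )" so its variables stay local in plain POSIX sh.
classify_run() (
    errfile=$(mktemp) || return 2
    status=0
    "$@" >/dev/null 2>"$errfile" || status=$?
    # An ASan build normally exits with an ordinary non-zero status rather
    # than a signal, so the report text is what marks the crash.
    if grep -q 'ERROR: AddressSanitizer:' "$errfile"; then
        kind=$(sed -n 's/^SUMMARY: AddressSanitizer: \([^ ]*\).*/\1/p' "$errfile" | head -n 1)
        rm -f "$errfile"
        echo "sanitizer:${kind:-unknown}"
        return 1
    fi
    rm -f "$errfile"
    if [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo "not-run"
        return 2
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
        return 1
    fi
    # A plain non-zero exit is not a crash: a program may reject
    # malformed input that way.
    echo "ok"
)

# The two command lines from the report: "H", then "?\{".
# printf replaces the report's non-portable `echo -e`.
reproduce() {
    printf 'H\n?\\{\n' | classify_run "$ED_BIN"
}
```

Calling `reproduce` with `ED_BIN` pointing at an AddressSanitizer build that still has the reported bug should print `sanitizer:bad-free`, matching the SUMMARY line in the trace above.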
