[Bug-ed] invalid free on malformed commands
From: Hanno Böck
Subject: [Bug-ed] invalid free on malformed commands
Date: Sun, 8 Jan 2017 12:14:46 +0100
Hi,
ed can be crashed with some malformed commands:
echo -e "H\n?\{" | ed
The bug seems to be a call to free on a non-allocated pointer. The bug was found with the fuzzing tool american fuzzy lop in ed 1.14.
Here's a stack trace from address sanitizer:
==29974==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0000013cc6c0 in thread T0
    #0 0x4c9bd0 in __interceptor_cfree.localalias.1 (/r/ed/ed+0x4c9bd0)
    #1 0x51a01c in get_compiled_regex /f/ed/ed-1.14/regex.c:138:5
    #2 0x51a666 in next_matching_node_addr /f/ed/ed-1.14/regex.c:193:31
    #3 0x516f94 in extract_addresses /f/ed/ed-1.14/main_loop.c:224:31
    #4 0x511db0 in exec_command /f/ed/ed-1.14/main_loop.c:424:24
    #5 0x51162e in main_loop /f/ed/ed-1.14/main_loop.c:721:19
    #6 0x5108b9 in main /f/ed/ed-1.14/main.c:197:10
    #7 0x7f93e58fd78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x419c28 in _start (/r/ed/ed+0x419c28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/ed/ed+0x4c9bd0) in __interceptor_cfree.localalias.1
==29974==ABORTING
--
Hanno Böck
https://hboeck.de/
mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
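The bug class behind this report, as an added example that is not part of the original mail and is not ed's regex.c: a cached compiled POSIX regex whose compile-failure path calls free() on a pointer it never obtained from malloc() (the shape AddressSanitizer reports as "bad-free"), next to a version that records ownership so that only a regex regcomp() actually built is ever released, and released exactly once. The names (regex_cache, cache_compile, cache_match, cache_free, buggy_get_compiled_regex, demo_lifecycle) and the sample patterns are assumptions; nothing here is taken from regex.c:138, and the buggy variant is not a claim about what ed does there.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical illustration of the "bad-free" class: constructed example
 * code, not ed's regex.c. All names here are assumptions.
 */

/*
 * Buggy variant. The regex_t lives in static storage, yet the
 * compile-failure path hands it to free(). glibc aborts on this and ASan
 * reports "attempting free on address which was not malloc()-ed".
 * Defined only for comparison; it is never called below.
 */
regex_t *buggy_get_compiled_regex(const char *pat)
{
    static regex_t store;          /* not heap memory */
    static regex_t *exp = NULL;

    if (exp)
        regfree(exp);              /* discard the previously compiled pattern */
    else
        exp = &store;
    if (regcomp(exp, pat, 0) != 0) {
        free(exp);                 /* BUG: exp was never returned by malloc() */
        exp = NULL;
        return NULL;
    }
    return exp;
}

/*
 * Hardened variant: the cache records whether it currently owns a compiled
 * regex, so the only thing ever released is one regcomp() actually built.
 */
struct regex_cache {
    regex_t re;
    int compiled;   /* 1 only after a successful regcomp() */
};

/* Compile pat (a POSIX basic regex, as ed uses) into the cache.
 * Returns 0 on success or the regcomp() error code; after a failure the
 * cache owns nothing, so no later regfree() or free() can be invalid. */
int cache_compile(struct regex_cache *c, const char *pat)
{
    int rc;

    if (c->compiled) {
        regfree(&c->re);
        c->compiled = 0;    /* cleared before regcomp(): a failure leaves nothing owned */
    }
    rc = regcomp(&c->re, pat, 0);
    if (rc == 0)
        c->compiled = 1;
    /* On failure do NOT regfree(&c->re): POSIX leaves its state undefined
     * and glibc has already released the partial compile itself. */
    return rc;
}

/* Returns 1 on match, 0 on no match, -1 if nothing is cached. */
int cache_match(const struct regex_cache *c, const char *line)
{
    if (!c->compiled)
        return -1;
    return regexec(&c->re, line, 0, NULL, 0) == 0 ? 1 : 0;
}

/* Safe to call any number of times: releases only what is owned. */
void cache_free(struct regex_cache *c)
{
    if (c->compiled) {
        regfree(&c->re);
        c->compiled = 0;
    }
}

/* Walks the lifecycle a malformed command exercises: a good pattern, a
 * malformed one ("\(" is an unmatched group and must be rejected, the
 * same kind of rejection an unterminated "\{" gets), then another good
 * pattern and teardown. Returns 0 when every step behaves, otherwise the
 * number of the first failing step. Constructed sample input. */
int demo_lifecycle(void)
{
    struct regex_cache c;
    memset(&c, 0, sizeof c);

    if (cache_compile(&c, "^H") != 0)          return 1;
    if (cache_match(&c, "Hello") != 1)         return 2;
    if (cache_match(&c, "hello") != 0)         return 3;
    if (cache_compile(&c, "\\(") == 0)         return 4;  /* malformed must fail */
    if (cache_match(&c, "Hello") != -1)        return 5;  /* nothing cached now */
    if (cache_compile(&c, "l\\{2\\}") != 0)    return 6;  /* recompile after failure */
    if (cache_match(&c, "Hello") != 1)         return 7;
    cache_free(&c);
    cache_free(&c);                              /* second release is a no-op, not a double free */
    if (cache_match(&c, "Hello") != -1)        return 8;
    return 0;
}

int main(void)
{
    int rc = demo_lifecycle();
    printf("regex cache lifecycle: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Build it with -fsanitize=address -g and the hardened path runs clean through the failure and recompile steps; feeding buggy_get_compiled_regex a malformed pattern instead produces a bad-free report of the same shape as the one above, which is why the ownership flag, not the pointer's nullness, is what the release path should consult.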