
PSPP-BUG: null pointer dereference in gl/xmalloc.c:339


From: Suyue Guo
Subject: PSPP-BUG: null pointer dereference in gl/xmalloc.c:339
Date: Fri, 23 Aug 2024 21:39:23 +0800

Dear maintainers of pspp:

The proof-of-concept (PoC) input that triggers this bug is in the attached file (nullpointer_pspp.zip). From the backtrace below, the crash is a NULL pointer handed to xstrdup() (string=0x0 in frame #2, rdi=0 at the faulting strlen) by show_TITLE() at src/language/commands/set.c:1043, reached via cmd_show -> do_show; so the SHOW command's TITLE handler appears to duplicate the title string without checking that one has been set, and gl/xmalloc.c:339 is only where the NULL is consumed. The observable impact is a crash (denial of service) of the pspp process on a crafted syntax file; nothing in the register dump or backtrace indicates memory corruption beyond the NULL read.

command to run:
pspp nullpointer_pspp


Console output:

./nullpointer_pspp:1.1-1.2: error: Bad character U+FFFD in input.
    1 | ����
      | ^~

./nullpointer_pspp:1.2-1.3: error: Bad character U+FFFD in input.
    1 | ����
      |  ^~

./nullpointer_pspp:1.3-1.4: error: Bad character U+FFFD in input.
    1 | ����
      |   ^~

./nullpointer_pspp:1.4-1.5: error: Bad character U+FFFD in input.
    1 | ����
      |    ^~
******************************************************
You have discovered a bug in PSPP.  Please report this
to bug-gnu-pspp@gnu.org.  Please include this entire
message, *plus* several lines of output just above it.
For the best chance at having the bug fixed, also
include the syntax file that triggered it and a sample
of any data file used for input.
proximate cause:     Segmentation Violation
version:             GNU pspp 2.0.1
host_system:         x86_64-pc-linux-gnu
build_system:        x86_64-pc-linux-gnu
locale_dir:          /usr/local/share/locale
compiler version:    Ubuntu Clang 15.0.7
******************************************************
Segmentation fault


GDB output:

./nullpointer_pspp:1.1-1.2: error: Bad character U+FFFD in input.
    1 | ����
      | ^~

./nullpointer_pspp:1.2-1.3: error: Bad character U+FFFD in input.
    1 | ����
      |  ^~

./nullpointer_pspp:1.3-1.4: error: Bad character U+FFFD in input.
    1 | ����
      |   ^~

./nullpointer_pspp:1.4-1.5: error: Bad character U+FFFD in input.
    1 | ����
      |    ^~

Program received signal SIGSEGV, Segmentation fault.
__strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77
77      ../sysdeps/x86_64/multiarch/strlen-evex.S: No such file or directory.
(gdb) x/10i $pc
=> 0x7ffff74ba0bc <__strlen_evex+28>:   vpcmpeqb (%rdi),%ymm16,%k0
   0x7ffff74ba0c3 <__strlen_evex+35>:   kmovd  %k0,%eax
   0x7ffff74ba0c7 <__strlen_evex+39>:   test   %eax,%eax
   0x7ffff74ba0c9 <__strlen_evex+41>:   je     0x7ffff74ba120 <__strlen_evex+128>
   0x7ffff74ba0cb <__strlen_evex+43>:   tzcnt  %eax,%eax
   0x7ffff74ba0cf <__strlen_evex+47>:   ret
   0x7ffff74ba0d0 <__strlen_evex+48>:   tzcnt  %eax,%eax
   0x7ffff74ba0d4 <__strlen_evex+52>:   sub    %edx,%edi
   0x7ffff74ba0d6 <__strlen_evex+54>:   lea    0x20(%rdi,%rax,1),%eax
   0x7ffff74ba0da <__strlen_evex+58>:   ret
(gdb) info registers
rax            0x0                 0
rbx            0x0                 0
rcx            0x555555ecce00      93825002163712
rdx            0xf5f5f5f5f5f5f5f5  -723401728380766731
rsi            0x7ffff2df3fa0      140737268105120
rdi            0x0                 0
rbp            0x7fffffffe000      0x7fffffffe000
rsp            0x7fffffffd7b8      0x7fffffffd7b8
r8             0x7ffff7fb1000      140737353814016
r9             0x7ffff1d0ec40      140737250389056
r10            0x7fffffffd6e8      140737488344808
r11            0x58                88
r12            0x7fffffffe638      140737488348728
r13            0x0                 0
r14            0x555555e59f70      93825001693040
r15            0x7ffff7ffd040      140737354125376
rip            0x7ffff74ba0bc      0x7ffff74ba0bc <__strlen_evex+28>
eflags         0x10283             [ CF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
k0             0xffffffe0          4294967264
k1             0x1f                31
k2             0x313000f           51576847
k3             0x0                 0
k4             0x0                 0
k5             0x0                 0
k6             0x0                 0
k7             0x0                 0
(gdb) bt
#0  __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77
#1  0x000055555569703a in strlen ()
#2  0x0000555555c6dadd in xstrdup (string=0x0) at gl/xmalloc.c:339
#3  0x000055555596e5c9 in show_TITLE (ds=0x612000000040) at src/language/commands/set.c:1043
#4  0x000055555596e6e7 in do_show (ds=0x612000000040, s=0x7ffff2e1b940, ptp=0x7ffff2e1b920) at src/language/commands/set.c:1256
#5  0x000055555596d954 in cmd_show (lexer=0x604000000650, ds=0x612000000040) at src/language/commands/set.c:1475
#6  0x0000555555744996 in do_parse_command (lexer=0x604000000650, ds=0x612000000040, state=CMD_STATE_INITIAL) at src/language/command.c:244
#7  0x00005555557442d0 in cmd_parse_in_state (lexer=0x604000000650, ds=0x612000000040, state=CMD_STATE_INITIAL) at src/language/command.c:150
#8  0x0000555555744b9b in cmd_parse (lexer=0x604000000650, ds=0x612000000040) at src/language/command.c:165
#9  0x0000555555740135 in main (argc=2, argv=0x7fffffffe638) at src/ui/terminal/main.c:139

Attachment: nullpointer_pspp.zip
Description: Zip compressed data

