[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

indent crashes on various inputs

From: Sami Liedes
Subject: indent crashes on various inputs
Date: Sat, 28 Mar 2015 02:48:53 +0200
User-agent: Mutt/1.5.23 (2014-03-12)


I discovered by fuzzing (using afl-fuzz) that indent 2.2.11 crashes,
or at least invokes undefined behavior, on various inputs. For
example, on Debian unstable:

$ echo -ne '/*' |indent
Segmentation fault

There are even one-character inputs that cause reads of

$ echo -ne '}' |valgrind indent
==16665== Invalid read of size 4
==16665==  Address 0x51eb4ec is 4 bytes before a block of size 8 alloc'd

At least some of them are rather obvious heap buffer overflows using
data from the input. Indeed, there's even a comment on these buffers
in the code in parse.c:

    /* Although these are supposed to grow if we reach the end,
     * I can find no place in the code which does this. */

    combuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);
    labbuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);
    codebuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);

So, I'd venture to guess that some of these are likely to be
exploitable to execute arbitrary code if untrusted input is passed to
indent (which I hope is unlikely anyway).

Here's a bunch of test files which, when passed via standard input to
indent, all cause slightly different crashes or out-of-bounds accesses
(verified by compiling indent with clang -fsanitize=address;
alternatively, you could run indent under valgrind):


Or individually:



Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]