bug-ncurses

Re: A heap-buffer-overflow in convert_strings


From: Thomas Dickey
Subject: Re: A heap-buffer-overflow in convert_strings
Date: Thu, 20 Aug 2020 03:59:30 -0400
User-agent: NeoMutt/20170113 (1.7.2)

On Thu, Aug 20, 2020 at 11:10:42AM +0800, 乐泰 wrote:
> Detail Information: we have found a heap-buffer-overflow bug in the function 
> convert_strings of ncurses-6.2. We compile the ncurses-6.2 by 
> AddressSanitizer in x86-64 format with commands:
> $cd ./ncurses-6.2
> $mkdir asan-ins
> $cd asan-ins
> $AFL_USE_ASAN=1 CC=afl-gcc CXX=afl-g++ CFLAGS="-g3" CXXFLAGS="-g3" 
> ../configure --prefix=`pwd`/bin --disable-stripping
> $AFL_USE_ASAN=1 make
> $AFL_USE_ASAN=1 sudo make install
> Then we execute the toe:
> $./asan-ins/bin/bin/toe
> And it reports:
> 
> =================================================================
> 
> ==10095==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000036add at pc 0x00000040278c bp 0x7ffdd40b20d0 sp 0x7ffdd40b20c0
> 
> READ of size 1 at 0x616000036add thread T0
>     #0 0x40278b in convert_strings ../../ncurses/tinfo/read_entry.c:164
>     #1 0x41523c in _nc_read_termtype ../../ncurses/tinfo/read_entry.c:371
>     #2 0x41523c in _nc_read_file_entry ../../ncurses/tinfo/read_entry.c:567
>     #3 0x407914 in typelist ../../progs/toe.c:438
>     #4 0x404359 in main ../../progs/toe.c:735
>     #5 0x7fc3756b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #6 0x4056b8 in _start (/home/ubuntu/yuetai/test_programs/ncurses-6.2/asan-ins/bin/bin/toe+0x4056b8)

an overread apparently, not a buffer overflow (a frequent problem with asan2).

(in any case, I'll investigate all three reports - thanks)

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
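Added example, not ncurses code and not from either poster: a bounds-checked string-table conversion in the spirit of convert_strings, showing the two checks that turn an out-of-bounds read of a malformed entry into a rejected string: the offset must lie strictly inside the table, and the NUL terminator must be found inside it (a length-bounded memchr instead of an unbounded scan). The function names, table layout and sample bytes are constructed; the 16-bit little-endian offsets with the -1 (absent) and -2 (cancelled) sentinels follow the compiled terminfo format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ABSENT_STRING ((const char *)0)

/* Turn one 16-bit little-endian offset from the compiled entry into a
 * pointer into the string table, or ABSENT_STRING when it cannot be shown
 * safe: negative sentinels (-1 absent, -2 cancelled), offsets at or past
 * the end of the table, and strings whose NUL lies outside the table. */
static const char *
string_at(const unsigned char *offsets, size_t index,
          const char *table, size_t table_size)
{
    int16_t off = (int16_t)(offsets[2 * index] | (offsets[2 * index + 1] << 8));
    if (off < 0 || (size_t)off >= table_size)
        return ABSENT_STRING;
    /* memchr is bounded by the bytes left in the table, so it never reads
     * past table + table_size the way an unbounded scan for NUL would. */
    if (memchr(table + off, '\0', table_size - (size_t)off) == NULL)
        return ABSENT_STRING;
    return table + off;
}

/* Fill out[] for count strings; returns how many were accepted. */
size_t
convert_strings_checked(const unsigned char *offsets, size_t count,
                        const char *table, size_t table_size,
                        const char **out)
{
    size_t accepted = 0;
    for (size_t i = 0; i < count; i++) {
        out[i] = string_at(offsets, i, table, table_size);
        if (out[i] != ABSENT_STRING)
            accepted++;
    }
    return accepted;
}

/* Constructed sample: a 9-byte table holding "cr\0", "bel\0" and an
 * unterminated "xx", plus five offsets: 0, 3, 7 (no NUL before the end),
 * 9 (equal to the table size) and -1 (absent sentinel). */
static const char sample_table[9] = { 'c','r','\0','b','e','l','\0','x','x' };
static const unsigned char sample_offsets[10] = {
    0, 0,   3, 0,   7, 0,   9, 0,   0xFF, 0xFF
};

/* out5 must have room for five pointers; only the first two are accepted. */
size_t demo(const char **out5)
{
    return convert_strings_checked(sample_offsets, 5, sample_table, 9, out5);
}
```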
