[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#32271: heap buffer overflow in regexp.c, line 286
|
From: |
project-repo |
|
Subject: |
bug#32271: heap buffer overflow in regexp.c, line 286 |
|
Date: |
Wed, 25 Jul 2018 16:34:25 +0200 |
|
User-agent: |
Mutt/1.10.1 (2018-07-13) |
Hi,
I let the fuzzer run again and it came up with a second heap buffer
overflow. This time in regexp.c, line 286. Here is a backtrace as
supplied by the address sanitizer:
=================================================================
==7428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000b2f
at pc 0x7fee3354c574 bp 0x7ffd9adf2120 sp 0x7ffd9adf18d0
READ of size 238 at 0x611000000b2f thread T0
#0 0x7fee3354c573 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
#1 0x55aabd6d7025 in match_regex sed/regexp.c:286
#2 0x55aabd6cd5a5 in do_subst sed/execute.c:1098
#3 0x55aabd6cd5a5 in execute_program sed/execute.c:1507
#4 0x55aabd6d4d5a in process_files sed/execute.c:1677
#5 0x55aabd6ac5a2 in main sed/sed.c:377
#6 0x7fee33173a86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#7 0x55aabd6ad1c9 in _start (/home/jefeus/sed/sed/sed+0xc1c9)
0x611000000b2f is located 0 bytes to the right of 239-byte region
[0x611000000a40,0x611000000b2f)
allocated by thread T0 here:
#0 0x7fee335e5fd0 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x55aabd6dd3ea in ck_realloc sed/utils.c:418
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x40573)
Shadow bytes around the buggy address:
0x0c227fff8110: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fa
0x0c227fff8140: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8160: 00 00 00 00 00[07]fa fa fa fa fa fa fa fa fa fa
0x0c227fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fa fa
0x0c227fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7428==ABORTING
This bug can be reproduced by running "sed -f min file-min". Where min
and file-min are the files attached.
cheers,
project-repo
min
Description: Text document
file-min
Description: Text document
- bug#32271: heap buffer overflow in regexp.c, line 286,
project-repo <=