https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79136

            Bug ID: 79136
           Summary: read outside of buffer in char*
                    std::__copy_move<false, false,
                    std::random_access_iterator_tag>::__copy_m<unsigned
                    char const*, char*>(unsigned char const*, unsigned
                    char const*, char*) (stl_algobase.h)
           Product: gcc
           Version: 6.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 40539
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40539&action=edit
crashing test case

While fuzzing Google's draco (https://github.com/google/draco) with American
Fuzzy Lop, I was able to trigger a read outside of a buffer in libstdc++ v6.2.1.

./draco_decoder -i

==23621==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a00001f13c at pc 0x00000056ebf8 bp 0x7ffe174908b0 sp 0x7ffe174908a8
READ of size 1 at 0x61a00001f13c thread T0
    #0 0x56ebf7 in char* std::__copy_move<false, false,
std::random_access_iterator_tag>::__copy_m<unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:324:20
    #1 0x56ebf7 in char* std::__copy_move_a<false, unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:385
    #2 0x56ebf7 in char* std::__copy_move_a2<false, unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:422
    #3 0x56ebf7 in char* std::copy<unsigned char const*, char*>(unsigned char
const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:454
    #4 0x56ebf7 in char*
std::__uninitialized_copy<true>::__uninit_copy<unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:93
    #5 0x56ebf7 in char* std::uninitialized_copy<unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:123
    #6 0x56ebf7 in char* std::__uninitialized_copy_a<unsigned char const*,
char*, char>(unsigned char const*, unsigned char const*, char*,
std::allocator<char>&)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:281
    #7 0x56ebf7 in void std::vector<char, std::allocator<char>
>::_M_range_insert<unsigned char const*>(__gnu_cxx::__normal_iterator<char*,
std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char
const*, std::forward_iterator_tag)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/vector.tcc:643
    #8 0x5ad3f1 in void std::vector<char, std::allocator<char>
>::_M_insert_dispatch<unsigned char const*>(__gnu_cxx::__normal_iterator<char*,
std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char
const*, std::__false_type)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:1375:4
    #9 0x5ad3f1 in __gnu_cxx::__normal_iterator<char*, std::vector<char,
std::allocator<char> > > std::vector<char, std::allocator<char>
>::insert<unsigned char const*, void>(__gnu_cxx::__normal_iterator<char const*,
std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char
const*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:1100
    #10 0x5ad3f1 in draco::EncoderBuffer::Encode(void const*, unsigned long)
/root/draco/core/encoder_buffer.h:71
    #11 0x5ad3f1 in draco::PlyEncoder::EncodeInternal()
/root/draco/io/ply_encoder.cc:142
    #12 0x5a8a59 in draco::PlyEncoder::EncodeToBuffer(draco::PointCloud const&,
draco::EncoderBuffer*) /root/draco/io/ply_encoder.cc:48:8
    #13 0x5a8a59 in draco::PlyEncoder::EncodeToFile(draco::PointCloud const&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >
const&) /root/draco/io/ply_encoder.cc:32
    #14 0x5101cc in main /root/draco/tools/draco_decoder.cc:136:12
    #15 0x7f8cfe1be2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #16 0x43c9e9 in _start (/root/draco/build/draco_decoder+0x43c9e9)

0x61a00001f13c is located 24 bytes to the right of 1188-byte region
[0x61a00001ec80,0x61a00001f124)
allocated by thread T0 here:
    #0 0x50c010 in operator new(unsigned long)
(/root/draco/build/draco_decoder+0x50c010)
    #1 0x707db0 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned
long, void const*)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/ext/new_allocator.h:104:27
    #2 0x707db0 in std::allocator_traits<std::allocator<unsigned char>
>::allocate(std::allocator<unsigned char>&, unsigned long)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/alloc_traits.h:416
    #3 0x707db0 in std::_Vector_base<unsigned char, std::allocator<unsigned
char> >::_M_allocate(unsigned long)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:170
    #4 0x707db0 in std::vector<unsigned char, std::allocator<unsigned char>
>::_M_default_append(unsigned long)
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/vector.tcc:557

SUMMARY: AddressSanitizer: heap-buffer-overflow
/usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:324:20
in char* std::__copy_move<false, false,
std::random_access_iterator_tag>::__copy_m<unsigned char const*,
char*>(unsigned char const*, unsigned char const*, char*)
Shadow bytes around the buggy address:
  0x0c347fffbdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbe20: 00 00 00 00 04 fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c347fffbe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbe40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23621==ABORTING
