https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79136
Bug ID: 79136
Summary: read outside of buffer in char* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) (stl_algobase.h)
Product: gcc
Version: 6.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: brian.carpenter at gmail dot com
Target Milestone: ---

Created attachment 40539
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40539&action=edit
crashing test case

While fuzzing draco by Google (https://github.com/google/draco) with American Fuzzy Lop, I was able to trigger a read outside of buffer in libstdc++ v6.2.1.

./draco_decoder -i
==23621==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f13c at pc 0x00000056ebf8 bp 0x7ffe174908b0 sp 0x7ffe174908a8
READ of size 1 at 0x61a00001f13c thread T0
    #0 0x56ebf7 in char* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:324:20
    #1 0x56ebf7 in char* std::__copy_move_a<false, unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:385
    #2 0x56ebf7 in char* std::__copy_move_a2<false, unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:422
    #3 0x56ebf7 in char* std::copy<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:454
    #4 0x56ebf7 in char* std::__uninitialized_copy<true>::__uninit_copy<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:93
    #5 0x56ebf7 in char* std::uninitialized_copy<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:123
    #6 0x56ebf7 in char* std::__uninitialized_copy_a<unsigned char const*, char*, char>(unsigned char const*, unsigned char const*, char*, std::allocator<char>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_uninitialized.h:281
    #7 0x56ebf7 in void std::vector<char, std::allocator<char> >::_M_range_insert<unsigned char const*>(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char const*, std::forward_iterator_tag) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/vector.tcc:643
    #8 0x5ad3f1 in void std::vector<char, std::allocator<char> >::_M_insert_dispatch<unsigned char const*>(__gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char const*, std::__false_type) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:1375:4
    #9 0x5ad3f1 in __gnu_cxx::__normal_iterator<char*, std::vector<char, std::allocator<char> > > std::vector<char, std::allocator<char> >::insert<unsigned char const*, void>(__gnu_cxx::__normal_iterator<char const*, std::vector<char, std::allocator<char> > >, unsigned char const*, unsigned char const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:1100
    #10 0x5ad3f1 in draco::EncoderBuffer::Encode(void const*, unsigned long) /root/draco/core/encoder_buffer.h:71
    #11 0x5ad3f1 in draco::PlyEncoder::EncodeInternal() /root/draco/io/ply_encoder.cc:142
    #12 0x5a8a59 in draco::PlyEncoder::EncodeToBuffer(draco::PointCloud const&, draco::EncoderBuffer*) /root/draco/io/ply_encoder.cc:48:8
    #13 0x5a8a59 in draco::PlyEncoder::EncodeToFile(draco::PointCloud const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/draco/io/ply_encoder.cc:32
    #14 0x5101cc in main /root/draco/tools/draco_decoder.cc:136:12
    #15 0x7f8cfe1be2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #16 0x43c9e9 in _start (/root/draco/build/draco_decoder+0x43c9e9)

0x61a00001f13c is located 24 bytes to the right of 1188-byte region [0x61a00001ec80,0x61a00001f124)
allocated by thread T0 here:
    #0 0x50c010 in operator new(unsigned long) (/root/draco/build/draco_decoder+0x50c010)
    #1 0x707db0 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/ext/new_allocator.h:104:27
    #2 0x707db0 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/alloc_traits.h:416
    #3 0x707db0 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_vector.h:170
    #4 0x707db0 in std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/vector.tcc:557

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/6.2.1/../../../../include/c++/6.2.1/bits/stl_algobase.h:324:20 in char* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<unsigned char const*, char*>(unsigned char const*, unsigned char const*, char*)
Shadow bytes around the buggy address:
  0x0c347fffbdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbe20: 00 00 00 00 04 fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c347fffbe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbe40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbe70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23621==ABORTING
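Reading the report: frames #0 through #9 are libstdc++ doing what it was asked. std::vector::insert(pos, first, last) hands the half-open range [first, last) to std::copy, which reads exactly that range and has no way of knowing how large the buffer behind `first` really is. The 1188-byte region was allocated by vector<unsigned char>::_M_default_append (a resize()), and the faulting 1-byte read sits 24 bytes past its end; because __copy_m copies unsigned char to char element by element (the types differ, so no memmove fast path) and ASan checks every load, an in-bounds start would have faulted at the first byte past the region instead. The range passed from draco::PlyEncoder::EncodeInternal (ply_encoder.cc:142) to EncoderBuffer::Encode therefore already begins beyond the source vector, which points at the caller, not at stl_algobase.h. The C++ program below is an added example written for this page, not draco's or libstdc++'s code: encode_unchecked mirrors the Encode(const void*, size_t) pattern in the trace, encode_checked is a hypothetical hardened form that receives the source buffer and validates the requested (offset, len) against its real size, and the buffer size and the 24-byte offset are constructed to match the report.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for the EncoderBuffer::Encode(const void*, size_t) pattern in the
// trace (hypothetical, not draco's code): append `size` bytes at `data` to the
// output. vector::insert -> _M_range_insert -> std::copy reads exactly
// [data, data + size); nothing here can know how big the buffer behind `data` is.
void encode_unchecked(std::vector<char>& out, const void* data, std::size_t size) {
    const auto* first = static_cast<const unsigned char*>(data);
    out.insert(out.end(), first, first + size);   // unsigned char const* -> char*, as in frame #9
}

// Hardened form (hypothetical): the caller hands over the whole source buffer
// plus the (offset, len) it wants appended, so the request can be validated
// against the real size. Rejects a start past the end and a length that runs
// past the end; the subtraction form cannot wrap the way offset + len could.
// On rejection `out` is left untouched.
bool encode_checked(std::vector<char>& out, const std::vector<unsigned char>& src,
                    std::size_t offset, std::size_t len) {
    if (offset > src.size() || len > src.size() - offset) return false;
    out.insert(out.end(), src.data() + offset, src.data() + offset + len);
    return true;
}

// Detect an ASan build (GCC defines __SANITIZE_ADDRESS__, clang has __has_feature).
#if defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN 1
#  endif
#endif

int main() {
    // Constructed source: same size as the region in the report, grown with
    // resize() so the allocation comes from _M_default_append as in the trace.
    std::vector<unsigned char> src;
    src.resize(1188);
    std::vector<char> out;

    // A 1-byte read starting 24 bytes past the end is the shape the report shows.
    const std::size_t bad_offset = src.size() + 24;
    if (!encode_checked(out, src, bad_offset, 1))
        std::puts("checked: rejected, start is past the end of the source");
    if (!encode_checked(out, src, 1000, 200))
        std::puts("checked: rejected, length runs past the end of the source");
    if (encode_checked(out, src, 1000, 188))
        std::printf("checked: appended %zu bytes\n", out.size());

#ifdef EXAMPLE_ASAN
    // Under AddressSanitizer this reproduces the report: heap-buffer-overflow,
    // READ of size 1, 24 bytes to the right of a 1188-byte region, in __copy_m.
    // (Forming the out-of-range pointer is itself undefined; it is here only to
    // trigger the sanitizer.)
    encode_unchecked(out, src.data() + bad_offset, 1);
#else
    std::puts("rebuild with -fsanitize=address to reproduce the over-read");
#endif
    return 0;
}
```

Build with `g++ -g -fsanitize=address example.cpp` (or clang++) and run it: the sanitizer output ends in the same _M_range_insert / std::copy / __copy_m frames as the report, with the application frame directly above them being the caller that computed the bad pointer. The same applies to the draco trace: the fix belongs in the function that computes the range passed to Encode, and the check in encode_checked is the shape of the guard that function needs.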