I printed out the address right before MariRSRecoveryDecoder.cpp:727; the 
addr is 0x6250000002900, which is different from the address reported by 
AddressSanitizer.


./fuzz/decode_fuzz_test: Running 1 inputs 1 time(s) each.

Running: crash-96da7f498ec50184b4a59ff76016825944944534

addr = 0x625000002900, it - begin = 0, capacity = 4, size = 3

addr = 0x625000002900, it - begin = 0, capacity = 4, size = 2

=================================================================

==61653==ERROR: AddressSanitizer: container-overflow on address 
0x625000003992 at pc 0x00010cc8a126 bp 0x7fff52ff2fe0 sp 0x7fff52ff2fd8

READ of size 2 at 0x625000003992 thread T0

    #0 0x10cc8a125 in CRsFecHeader::GetSourceBlockNumber() const 
RsFecHeader.h:184

    #1 0x10cc91fa3 in 
CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:727

    #2 0x10cc990dc in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:650

    #3 0x10cca058d in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
MariRSRecoveryDecoder.cpp:891

    #4 0x10cc070d2 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42

    #5 0x10cd07491 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x100102491)

    #6 0x10ccdea1c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x1000d9a1c)

    #7 0x10ccea0bd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned 
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50bd)

    #8 0x10ccddc5f in main (decode_fuzz_test:x86_64+0x1000d8c5f)

    #9 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)


0x625000003992 is located 4242 bytes inside of 8448-byte region 
[0x625000002900,0x625000004a00)

allocated by thread T0 here:

    #0 0x10e0d0162  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162)

    #1 0x10cccf735 in std::__1::__split_buffer<fecPacket, 
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned 
long, std::__1::allocator<fecPacket>&) new:226

    #2 0x10cccd8ab in std::__1::__split_buffer<fecPacket, 
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned 
long, std::__1::allocator<fecPacket>&) __split_buffer:310

    #3 0x10cccc915 in void std::__1::vector<fecPacket, 
std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket 
const&>(fecPacket const&&&) vector:1567

    #4 0x10cca0127 in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
vector:1588

    #5 0x10cc070d2 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42

    #6 0x10cd07491 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x100102491)

    #7 0x10ccdea1c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x1000d9a1c)

    #8 0x10ccea0bd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned 
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50bd)

    #9 0x10ccddc5f in main (decode_fuzz_test:x86_64+0x1000d8c5f)

    #10 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)


HINT: if you don't care about these errors you may set 
ASAN_OPTIONS=detect_container_overflow=0.

If you suspect a false positive see also: 
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.

SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in 
CRsFecHeader::GetSourceBlockNumber() const

Shadow bytes around the buggy address:

  0x1c4a000006e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x1c4a000006f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x1c4a00000700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x1c4a00000710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x1c4a00000720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x1c4a00000730: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc

  0x1c4a00000740: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

  0x1c4a00000750: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

  0x1c4a00000760: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

  0x1c4a00000770: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

  0x1c4a00000780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==61653==ABORTING

==61653== ERROR: libFuzzer: deadly signal

    #0 0x10e0cccf7 in __sanitizer_print_stack_trace 
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7)

    #1 0x10cd0418b in fuzzer::Fuzzer::CrashCallback() 
(decode_fuzz_test:x86_64+0x1000ff18b)

    #2 0x10cd0413d in fuzzer::Fuzzer::StaticCrashSignalCallback() 
(decode_fuzz_test:x86_64+0x1000ff13d)

    #3 0x10cd69797 in fuzzer::CrashHandler(int, __siginfo*, void*) 
(decode_fuzz_test:x86_64+0x100164797)

    #4 0x7fffc0b39b39 in _sigtramp (libsystem_platform.dylib:x86_64+0x2b39)

    #5 0x100000000  
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0xf33fb000)

    #6 0x7fffc09be41f in abort 
(/usr/lib/system/libsystem_c.dylib:x86_64+0x5f41f)

    #7 0x10e0e48e5 in __sanitizer_cov_pcs_init 
(/Users/jeromy/work/playground/third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5)

    #8 0x10e0e3853 in OnPrint 
(/Users/jeromy/work/playground/third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853)

    #9 0x10e0c9d76 in __asan_on_error 
(/Users/jeromy/work/playground/third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76)

    #10 0x10e0c97e1 in __asan_unpoison_intra_object_redzone 
(/Users/jeromy/work/playground/third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1)

    #11 0x10e0ca39a in __asan_report_load2 
(/Users/jeromy/work/playground/third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a)

    #12 0x10cc8a125 in CRsFecHeader::GetSourceBlockNumber() const 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x100085125)

    #13 0x10cc91fa3 in 
CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x10008cfa3)

    #14 0x10cc990dc in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x1000940dc)

    #15 0x10cca058d in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x10009b58d)

    #16 0x10cc070d2 in LLVMFuzzerTestOneInput 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x1000020d2)

    #17 0x10cd07491 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
const*, unsigned long) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x100102491)

    #18 0x10ccdea1c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
unsigned long) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x1000d9a1c)

    #19 0x10ccea0bd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned 
char const*, unsigned long)) 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x1000e50bd)

    #20 0x10ccddc5f in main 
(/Users/jeromy/work/cisco/wme/vendor/mari/bld/unix/./fuzz/decode_fuzz_test:x86_64+0x1000d8c5f)

    #21 0x7fffc092a234 in start 
(/usr/lib/system/libdyld.dylib:x86_64+0x5234)


NOTE: libFuzzer has rudimentary signal handlers.

      Combine libFuzzer with AddressSanitizer or similar for better crash 
reports.

SUMMARY: libFuzzer: deadly signal

On Tuesday, August 22, 2017 at 5:30:28 PM UTC-7, Evgeniy Stepanov wrote:
>
> it - begin = 0, capacity = 4, size = 2 
> 0x625000003992 is located 4242 bytes inside of 8448-byte region 
> [0x625000002900,0x625000004a00) 
>
> vector element size = 8448 / 4 = 2112 bytes 
> offset 4242 belongs to the 3rd element, which is actually out of 
> bounds when size == 2. 
>
> Looks like a true positive. 
>
> On Tue, Aug 22, 2017 at 5:26 PM, Jennifer Liu <[email protected]> wrote: 
> > thanks a lot, looks like false positive, here is the output: 
> > 
> > ./fuzz/decode_fuzz_test crash-96da7f498ec50184b4a59ff76016825944944534 
> > 
> > INFO: Seed: 3163772972 
> > 
> > INFO: Loaded 1 modules   (4395 guards): 4395 [0x1042ffcf0, 0x10430419c), 
> > 
> > ./fuzz/decode_fuzz_test: Running 1 inputs 1 time(s) each. 
> > 
> > Running: crash-96da7f498ec50184b4a59ff76016825944944534 
> > 
> > it - begin = 0, capacity = 4, size = 3 
> > 
> > it - begin = 0, capacity = 4, size = 2 
> > 
> > ================================================================= 
> > 
> > ==19407==ERROR: AddressSanitizer: container-overflow on address 
> > 0x625000003992 at pc 0x0001042011e6 bp 0x7fff5ba7c000 sp 0x7fff5ba7bff8 
> > 
> > READ of size 2 at 0x625000003992 thread T0 
> > 
> >     #0 0x1042011e5 in CRsFecHeader::GetSourceBlockNumber() const 
> > RsFecHeader.h:184 
> > 
> >     #1 0x104208fe1 in 
> CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
> > MariRSRecoveryDecoder.cpp:726 
> > 
> >     #2 0x10421011c in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
> > MariRSRecoveryDecoder.cpp:650 
> > 
> >     #3 0x1042175cd in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
> > unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
> > MariRSRecoveryDecoder.cpp:890 
> > 
> >     #4 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> > 
> >     #5 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1001024d1) 
> > 
> >     #6 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c) 
> > 
> >     #7 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int 
> (*)(unsigned 
> > char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd) 
> > 
> >     #8 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f) 
> > 
> >     #9 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> > 
> > 
> > 0x625000003992 is located 4242 bytes inside of 8448-byte region 
> > [0x625000002900,0x625000004a00) 
> > 
> > allocated by thread T0 here: 
> > 
> >     #0 0x106414162  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162) 
> > 
> >     #1 0x104246775 in std::__1::__split_buffer<fecPacket, 
> > std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned 
> > long, std::__1::allocator<fecPacket>&) new:226 
> > 
> >     #2 0x1042448eb in std::__1::__split_buffer<fecPacket, 
> > std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned 
> > long, std::__1::allocator<fecPacket>&) __split_buffer:310 
> > 
> >     #3 0x104243955 in void std::__1::vector<fecPacket, 
> > std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket 
> > const&>(fecPacket const&&&) vector:1567 
> > 
> >     #4 0x104217167 in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
> > unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
> > vector:1588 
> > 
> >     #5 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> > 
> >     #6 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1001024d1) 
> > 
> >     #7 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c) 
> > 
> >     #8 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int 
> (*)(unsigned 
> > char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd) 
> > 
> >     #9 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f) 
> > 
> >     #10 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> > 
> > 
> > HINT: if you don't care about these errors you may set 
> > ASAN_OPTIONS=detect_container_overflow=0. 
> > 
> > If you suspect a false positive see also: 
> > 
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow. 
>
> > 
> > SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in 
> > CRsFecHeader::GetSourceBlockNumber() const 
> > 
> > Shadow bytes around the buggy address: 
> > 
> >   0x1c4a000006e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > 
> >   0x1c4a000006f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > 
> >   0x1c4a00000700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > 
> >   0x1c4a00000710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > 
> >   0x1c4a00000720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> > 
> > =>0x1c4a00000730: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> >   0x1c4a00000740: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> >   0x1c4a00000750: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> >   0x1c4a00000760: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> >   0x1c4a00000770: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> >   0x1c4a00000780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> > 
> > Shadow byte legend (one shadow byte represents 8 application bytes): 
> > 
> >   Addressable:           00 
> > 
> >   Partially addressable: 01 02 03 04 05 06 07 
> > 
> >   Heap left redzone:       fa 
> > 
> >   Freed heap region:       fd 
> > 
> >   Stack left redzone:      f1 
> > 
> >   Stack mid redzone:       f2 
> > 
> >   Stack right redzone:     f3 
> > 
> >   Stack after return:      f5 
> > 
> >   Stack use after scope:   f8 
> > 
> >   Global redzone:          f9 
> > 
> >   Global init order:       f6 
> > 
> >   Poisoned by user:        f7 
> > 
> >   Container overflow:      fc 
> > 
> >   Array cookie:            ac 
> > 
> >   Intra object redzone:    bb 
> > 
> >   ASan internal:           fe 
> > 
> >   Left alloca redzone:     ca 
> > 
> >   Right alloca redzone:    cb 
> > 
> > ==19407==ABORTING 
> > 
> > ==19407== ERROR: libFuzzer: deadly signal 
> > 
> >     #0 0x106410cf7 in __sanitizer_print_stack_trace 
> > (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7) 
> > 
> >     #1 0x10427b1cb in fuzzer::Fuzzer::CrashCallback() 
> > (decode_fuzz_test:x86_64+0x1000ff1cb) 
> > 
> >     #2 0x10427b17d in fuzzer::Fuzzer::StaticCrashSignalCallback() 
> > (decode_fuzz_test:x86_64+0x1000ff17d) 
> > 
> >     #3 0x1042e07d7 in fuzzer::CrashHandler(int, __siginfo*, void*) 
> > (decode_fuzz_test:x86_64+0x1001647d7) 
> > 
> >     #4 0x7fffc0b39b39 in _sigtramp 
> (libsystem_platform.dylib:x86_64+0x2b39) 
> > 
> >     #5 0x7fff5ba7ae5f  (<unknown module>) 
> > 
> >     #6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f) 
> > 
> >     #7 0x1064288e5  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5) 
> > 
> >     #8 0x106427853  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853) 
> > 
> >     #9 0x10640dd76  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76) 
> > 
> >     #10 0x10640d7e1  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1) 
> > 
> >     #11 0x10640e39a in __asan_report_load2 
> > (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a) 
> > 
> >     #12 0x1042011e5 in CRsFecHeader::GetSourceBlockNumber() const 
> > RsFecHeader.h:184 
> > 
> >     #13 0x104208fe1 in 
> > CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
> > MariRSRecoveryDecoder.cpp:726 
> > 
> >     #14 0x10421011c in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
> > MariRSRecoveryDecoder.cpp:650 
> > 
> >     #15 0x1042175cd in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
> > unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
> > MariRSRecoveryDecoder.cpp:890 
> > 
> >     #16 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> > 
> >     #17 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1001024d1) 
> > 
> >     #18 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
> > unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c) 
> > 
> >     #19 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int 
> (*)(unsigned 
> > char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd) 
> > 
> >     #20 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f) 
> > 
> >     #21 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> > 
> > 
> > NOTE: libFuzzer has rudimentary signal handlers. 
> > 
> >       Combine libFuzzer with AddressSanitizer or similar for better 
> crash 
> > reports. 
> > 
> > SUMMARY: libFuzzer: deadly signal 
> > 
> > 
> > On Tuesday, August 22, 2017 at 3:22:04 PM UTC-7, kcc wrote: 
> >> 
> >> 
> >> 
> >> On Tue, Aug 22, 2017 at 3:09 PM, Jennifer Liu <[email protected]> 
> >> wrote: 
> >>> 
> >>> Thanks for taking look at this. 
> >>> 
> >>> asan should already be enabled for all libs and binaries. Here is the 
> >>> output: 
> >> 
> >> 
> >> I remember that container-overflow was more problematic on Mac 
> (compared 
> >> to Linux) since more libs are potentially uninstrumented. 
> >> 
> >> In this case, try to add a printf that shows .size() and .capacity() of 
> >> the vector object at the time of access. 
> >> i.e. print 4 values: 
> >>   v.begin() 
> >>   v.begin() + v.capacity() 
> >>   v.begin() + v.size() 
> >>   ptr // the pointer that causes the crash. 
> >> 
> >> if ptr is less than v.begin() + v.size() it's a false positive, as 
> >> explained at 
> >> 
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>  
> >> 
> >> 
> >>> 
> >>> 
> >>> ==27158==ERROR: AddressSanitizer: container-overflow on address 
> >>> 0x6250004b8992 at pc 0x00010f37fdf6 bp 0x7fff508fd5c0 sp 
> 0x7fff508fd5b8 
> >>> READ of size 2 at 0x6250004b8992 thread T0 
> >>>     #0 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const 
> >>> RsFecHeader.h:184 
> >>>     #1 0x10f3872a7 in 
> >>> CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
> >>> MariRSRecoveryDecoder.cpp:722 
> >>>     #2 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
> >>> MariRSRecoveryDecoder.cpp:649 
> >>>     #3 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
> >>> unsigned short, unsigned char const*, unsigned long, bool, unsigned 
> int) 
> >>> MariRSRecoveryDecoder.cpp:876 
> >>>     #4 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> >>>     #5 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> >>> const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61) 
> >>>     #6 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, 
> >>> unsigned long, bool, fuzzer::InputInfo*) 
> >>> (decode_fuzz_test:x86_64+0x1000fd553) 
> >>>     #7 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
> >>> (decode_fuzz_test:x86_64+0x100104200) 
> >>>     #8 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
> >>> (decode_fuzz_test:x86_64+0x100104ac2) 
> >>>     #9 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int 
> >>> (*)(unsigned char const*, unsigned long)) 
> >>> (decode_fuzz_test:x86_64+0x1000e311a) 
> >>>     #10 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f) 
> >>>     #11 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> >>> 
> >>> 0x6250004b8992 is located 4242 bytes inside of 8448-byte region 
> >>> [0x6250004b7900,0x6250004b9a00) 
> >>> allocated by thread T0 here: 
> >>>     #0 0x1107c7162 
>  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162) 
> >>>     #1 0x10f3c1d05 in std::__1::__split_buffer<fecPacket, 
> >>> std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, 
> unsigned 
> >>> long, std::__1::allocator<fecPacket>&) new:226 
> >>>     #2 0x10f3bfe7b in std::__1::__split_buffer<fecPacket, 
> >>> std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, 
> unsigned 
> >>> long, std::__1::allocator<fecPacket>&) __split_buffer:310 
> >>>     #3 0x10f3beee5 in void std::__1::vector<fecPacket, 
> >>> std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket 
> >>> const&>(fecPacket const&&&) vector:1567 
> >>>     #4 0x10f392f02 in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
> >>> unsigned short, unsigned char const*, unsigned long, bool, unsigned 
> int) 
> >>> vector:1588 
> >>>     #5 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> >>>     #6 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> >>> const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61) 
> >>>     #7 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, 
> >>> unsigned long, bool, fuzzer::InputInfo*) 
> >>> (decode_fuzz_test:x86_64+0x1000fd553) 
> >>>     #8 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
> >>> (decode_fuzz_test:x86_64+0x100104200) 
> >>>     #9 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
> >>> (decode_fuzz_test:x86_64+0x100104ac2) 
> >>>     #10 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int 
> >>> (*)(unsigned char const*, unsigned long)) 
> >>> (decode_fuzz_test:x86_64+0x1000e311a) 
> >>>     #11 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f) 
> >>>     #12 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> >>> 
> >>> HINT: if you don't care about these errors you may set 
> >>> ASAN_OPTIONS=detect_container_overflow=0. 
> >>> If you suspect a false positive see also: 
> >>> 
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow. 
>
> >>> SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in 
> >>> CRsFecHeader::GetSourceBlockNumber() const 
> >>> Shadow bytes around the buggy address: 
> >>>   0x1c4a000970e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> >>>   0x1c4a000970f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> >>>   0x1c4a00097100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> >>>   0x1c4a00097110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> >>>   0x1c4a00097120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> >>> =>0x1c4a00097130: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>>   0x1c4a00097140: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>>   0x1c4a00097150: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>>   0x1c4a00097160: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>>   0x1c4a00097170: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>>   0x1c4a00097180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
> >>> Shadow byte legend (one shadow byte represents 8 application bytes): 
> >>>   Addressable:           00 
> >>>   Partially addressable: 01 02 03 04 05 06 07 
> >>>   Heap left redzone:       fa 
> >>>   Freed heap region:       fd 
> >>>   Stack left redzone:      f1 
> >>>   Stack mid redzone:       f2 
> >>>   Stack right redzone:     f3 
> >>>   Stack after return:      f5 
> >>>   Stack use after scope:   f8 
> >>>   Global redzone:          f9 
> >>>   Global init order:       f6 
> >>>   Poisoned by user:        f7 
> >>>   Container overflow:      fc 
> >>>   Array cookie:            ac 
> >>>   Intra object redzone:    bb 
> >>>   ASan internal:           fe 
> >>>   Left alloca redzone:     ca 
> >>>   Right alloca redzone:    cb 
> >>> ==27158==ABORTING 
> >>> MS: 2 ChangeBinInt-CrossOver-; base unit: 
> >>> 39df3a26431dc09379d257bc172adeab21071c68 
> >>> artifact_prefix='./'; Test unit written to 
> >>> ./crash-96da7f498ec50184b4a59ff76016825944944534 
> >>> ==27158== ERROR: libFuzzer: deadly signal 
> >>>     #0 0x1107c3cf7 in __sanitizer_print_stack_trace 
> >>> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7) 
> >>>     #1 0x10f3f675b in fuzzer::Fuzzer::CrashCallback() 
> >>> (decode_fuzz_test:x86_64+0x1000fb75b) 
> >>>     #2 0x10f3f670d in fuzzer::Fuzzer::StaticCrashSignalCallback() 
> >>> (decode_fuzz_test:x86_64+0x1000fb70d) 
> >>>     #3 0x10f45bd67 in fuzzer::CrashHandler(int, __siginfo*, void*) 
> >>> (decode_fuzz_test:x86_64+0x100160d67) 
> >>>     #4 0x7fffc0b39b39 in _sigtramp 
> >>> (libsystem_platform.dylib:x86_64+0x2b39) 
> >>>     #5 0x7fff508fc41f  (<unknown module>) 
> >>>     #6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f) 
> >>>     #7 0x1107db8e5 
>  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5) 
> >>>     #8 0x1107da853 
>  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853) 
> >>>     #9 0x1107c0d76 
>  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76) 
> >>>     #10 0x1107c07e1 
>  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1) 
> >>>     #11 0x1107c139a in __asan_report_load2 
> >>> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a) 
> >>>     #12 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const 
> >>> RsFecHeader.h:184 
> >>>     #13 0x10f3872a7 in 
> >>> CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
> >>> MariRSRecoveryDecoder.cpp:722 
> >>>     #14 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
> >>> MariRSRecoveryDecoder.cpp:649 
> >>>     #15 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned 
> int, 
> >>> unsigned short, unsigned char const*, unsigned long, bool, unsigned 
> int) 
> >>> MariRSRecoveryDecoder.cpp:876 
> >>>     #16 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42 
> >>>     #17 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
> >>> const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61) 
> >>>     #18 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, 
> >>> unsigned long, bool, fuzzer::InputInfo*) 
> >>> (decode_fuzz_test:x86_64+0x1000fd553) 
> >>>     #19 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
> >>> (decode_fuzz_test:x86_64+0x100104200) 
> >>>     #20 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
> >>> (decode_fuzz_test:x86_64+0x100104ac2) 
> >>>     #21 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int 
> >>> (*)(unsigned char const*, unsigned long)) 
> >>> (decode_fuzz_test:x86_64+0x1000e311a) 
> >>>     #22 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f) 
> >>>     #23 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234) 
> >>> 
> >>> NOTE: libFuzzer has rudimentary signal handlers. 
> >>>       Combine libFuzzer with AddressSanitizer or similar for better 
> crash 
> >>> reports. 
> >>> SUMMARY: libFuzzer: deadly signal 
> >>> MS: 2 ChangeBinInt-CrossOver-; base unit: 
> >>> 39df3a26431dc09379d257bc172adeab21071c68 
> >>> artifact_prefix='./'; Test unit written to 
> >>> ./crash-96da7f498ec50184b4a59ff76016825944944534 
> >>> 
> >>> 
> >>> 
> >>> On Tuesday, August 22, 2017 at 12:44:53 PM UTC-7, Evgeniy Stepanov 
> wrote: 
> >>>> 
> >>>> I don't know how common this algorithm is, given that it does N^2 
> >>>> operations to remove N elements. 
> >>>> 
> >>>> But I don't see any container overflow here. Could you post the 
> actual 
> >>>> report? 
> >>>> 
> >>>> Does this look relevant to your setup: 
> >>>> 
> >>>> 
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>  
> >>>> 
> >>>> On Tue, Aug 22, 2017 at 11:54 AM, Jennifer Liu <[email protected]> 
>
> >>>> wrote: 
> >>>> > Is this a false alarm of "container-overflow"? It looks like a very 
> >>>> > common way 
> >>>> > to remove elements by iterator in a while loop. 
> >>>> > 
> >>>> > 
> >>>> >     std::vector<Packet>::iterator it = m_packets.begin(); 
> >>>> > 
> >>>> >     while (it != m_packets.end()) { 
> >>>> > 
> >>>> >         if (it->header.GetSourceBlockNumber() <= 
> >>>> > rsrp.GetSourceBlockNumber()) { 
> >>>> > 
> >>>> >             if (it->repair.pData != NULL) { 
> >>>> > 
> >>>> >                 free(it->repair.pData); 
> >>>> > 
> >>>> >                 it->repair.pData = NULL; 
> >>>> > 
> >>>> >             } 
> >>>> > 
> >>>> >             it = m_packets.erase(it); 
> >>>> > 
> >>>> >         } else { 
> >>>> > 
> >>>> >             ++it; 
> >>>> > 
> >>>> >         } 
> >>>> > 
> >>>> >     } 
> >>>> > 
> >>>> > 
> >>>> > Thanks 
> >>>> > 
> >>>> > 
> >>>> > -- 
> >>>> > You received this message because you are subscribed to the Google 
> >>>> > Groups 
> >>>> > "address-sanitizer" group. 
> >>>> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >>>> > an 
> >>>> > email to [email protected]. 
> >>>> > For more options, visit https://groups.google.com/d/optout. 
> >>> 
> >>> -- 
> >>> You received this message because you are subscribed to the Google 
> Groups 
> >>> "address-sanitizer" group. 
> >>> To unsubscribe from this group and stop receiving emails from it, send 
> an 
> >>> email to [email protected]. 
> >>> For more options, visit https://groups.google.com/d/optout. 
> >> 
> >> 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "address-sanitizer" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
