On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote: [...] > #1 _rl_get_char_len / update_line [...] > ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x61900000cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00 > READ of size 851 at 0x61900000cc80 thread T0 > #0 0x7f400d00b062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062) > #1 0x559b50a04821 in _rl_get_char_len > ../../../bash/lib/readline/mbutil.c:223 > #2 0x559b50a048e0 in _rl_compare_chars > ../../../bash/lib/readline/mbutil.c:252 > #3 0x559b509db526 in update_line > ../../../bash/lib/readline/display.c:1664 [...]
I have been looking at this specific example for some time now. The problem is that _rl_get_char_len assumes it's being called with a \0-terminated string, but under some cases (that I haven't been able to figure out), there's no \0 at the end, so the strlen reads more than it should. -- Eduardo Bustamante https://dualbus.me/
