On Fri, Dec 28, 2018 at 5:13 PM Jim Meyering <j...@meyering.net> wrote:
>
> On Fri, Jun 22, 2018 at 7:49 AM Hongxu Chen <leftcopy....@gmail.com> wrote:
> > We found with our fuzzer 2 crashes on diffutils version 576645c: one is
> > a heap-buffer-overflow at util.c:1249, another is an invalid read resulting
> > from `output_1_line' at util.c:1274.
> > The executing command is: `./diff -a --strip-trailing-cr $file
> > add.wasm` where $file is the poc file (I attached them as *.input.txt);
> > "add.wasm" is also attached, however it seems that the content of the comparison
> > file is not important.
>
> Thank you for fuzz-testing diffutils.
> FYI, here is a reproducer for the limit[-1]-related UMR bugs:
>
> valgrind src/diff -a --strip-trailing-cr <(printf '\r') <(echo a)
>
> I've attached a patch:
That patch was provably incomplete. I ran this (adding -u to the above)
and found one new UMR. Guarding yet another [-1] reference fixes it.
There are still numerous unguarded [-1] references, so this updated
patch is doubtless still incomplete:

  for i in hbo*; do
    echo $i
    valgrind --quiet src/diff -u -a --strip-trailing-cr $i add.wasm > /dev/null
    echo $?
  done
[Attachment: diffutils-UMR.diff]
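The thread talks about "unguarded [-1] references" that valgrind flags as uninitialized/invalid reads when a line is empty. The following is an added illustration of that pattern and its fix; it is constructed for this page and is not the diffutils source (the function names, the start/limit pointer convention and the sample inputs are all assumptions). A line is described by a start pointer and a one-past-the-end pointer, and a --strip-trailing-cr style routine peeks at limit[-1] to decide whether the line ends in '\r'. Without a length check, an empty line makes that peek read the byte before the line, which is exactly the class of bug the valgrind loop above is hunting.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not diffutils' own code.  Models the "[-1]" pattern
   behind the UMR reports in this thread: a line is (start, limit) with
   limit pointing one past the last byte, and a trailing '\r' is dropped
   by looking at limit[-1]. */

/* Unguarded: if the line is empty (limit == start), limit[-1] reads the
   byte before the line, i.e. memory that is not part of the line.  That
   is the kind of access valgrind reports as an invalid/uninitialized
   read.  Kept only for comparison; never call it with an empty line. */
static size_t
strip_cr_unguarded (const char *start, const char *limit)
{
  if (limit[-1] == '\r')      /* no check that limit > start */
    limit--;
  return (size_t) (limit - start);
}

/* Guarded: confirm the line is non-empty before dereferencing limit[-1]. */
static size_t
strip_cr_guarded (const char *start, const char *limit)
{
  if (limit > start && limit[-1] == '\r')
    limit--;
  return (size_t) (limit - start);
}

/* Wrapper over a NUL-terminated string: length of the line once a
   trailing '\r' (if any) is removed, using the guarded routine.  Safe for
   the empty string and for a line consisting only of '\r'. */
size_t
stripped_length (const char *line)
{
  return strip_cr_guarded (line, line + strlen (line));
}

/* Same wrapper for the unguarded routine.  Only valid for non-empty input;
   an empty line triggers the out-of-bounds read described above. */
size_t
stripped_length_unguarded (const char *line)
{
  return strip_cr_unguarded (line, line + strlen (line));
}

/* Splits a buffer at '\n' and returns the total number of bytes kept after
   stripping one trailing '\r' from each line, using the guarded routine.
   A buffer consisting of a single '\r' (the thread's reproducer input)
   yields one line whose only byte is stripped, so the result is 0; an
   empty buffer yields 0 without touching any memory before it. */
size_t
count_stripped_bytes (const char *buf, size_t len)
{
  size_t total = 0;
  const char *p = buf, *end = buf + len;
  while (p < end)
    {
      const char *nl = memchr (p, '\n', (size_t) (end - p));
      const char *limit = nl ? nl : end;
      total += strip_cr_guarded (p, limit);
      p = nl ? nl + 1 : end;
    }
  return total;
}
```

Running the guarded variant under valgrind with an empty or '\r'-only input produces no report, while the unguarded one does on an empty line; the single `limit > start` check is the whole fix, which is why each remaining `[-1]` site in a code base has to be audited for the same precondition.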