Hi,

The attached file (which consists only of the two bytes "\(") will cause
an out-of-bounds read in troff.
This can be seen by compiling troff with address sanitizer
(-fsanitize=address in CFLAGS).

This issue was found with the help of american fuzzy lop.


Here's the full debug output from asan:
==23514==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x0000006b72c1 at pc 0x000000619fa0 bp 0x7ffc636b4ef0 sp 0x7ffc636b4ee8
READ of size 1 at 0x0000006b72c1 thread T0
    #0 0x619f9f in make_glyph_node(charinfo*, environment*, int) 
/mnt/ram/groff/src/roff/troff/node.cpp:4978:29
    #1 0x61a8e0 in node::add_char(charinfo*, environment*, hunits*, int*, 
node**) /mnt/ram/groff/src/roff/troff/node.cpp:5080:16
    #2 0x4fafff in environment::add_char(charinfo*) 
/mnt/ram/groff/src/roff/troff/env.cpp:304:14
    #3 0x572408 in token::process() 
/mnt/ram/groff/src/roff/troff/input.cpp:7309:5
    #4 0x567266 in process_input_stack() 
/mnt/ram/groff/src/roff/troff/input.cpp:3040:2
    #5 0x5b3d54 in process_input_file(char const*) 
/mnt/ram/groff/src/roff/troff/input.cpp:7804:3
    #6 0x5ab10b in main /mnt/ram/groff/src/roff/troff/input.cpp:8112:5
    #7 0x7f902422c62f in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
    #8 0x41a468 in _start (/mnt/ram/groff/troff+0x41a468)

0x0000006b72c1 is located 63 bytes to the left of global variable 'table_sizes' 
defined in 'src/libs/libgroff/symbol.cpp:43:27' (0x6b7300) of size 68
0x0000006b72c1 is located 0 bytes to the right of global variable '<string 
literal>' defined in 'src/libs/libgroff/symbol.cpp:33:27' (0x6b72c0) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow 
/mnt/ram/groff/src/roff/troff/node.cpp:4978:29 in make_glyph_node(charinfo*, 
environment*, int)
Shadow bytes around the buggy address:
  0x0000800cee00: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
  0x0000800cee10: 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x0000800cee20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800cee30: 00 00 00 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9
  0x0000800cee40: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0000800cee50: 00 00 00 00 00 00 00 00[01]f9 f9 f9 f9 f9 f9 f9
  0x0000800cee60: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800cee70: 00 00 01 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800cee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800cee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800ceea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23514==ABORTING


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42

Attachment: troff-global-oob
Description: Binary data

Attachment: pgpjPokprX2hd.pgp
Description: OpenPGP digital signature

_______________________________________________
bug-groff mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/bug-groff
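The following is an added illustration written for this page, not code from the report or from groff's source tree: a stripped-down model of a `\(xx` glyph-escape scanner in C that treats a `\(` cut off by end of input as a distinct truncated token, and a lookup helper that refuses a glyph name shorter than two bytes instead of indexing it. All names (`next_token`, `glyph_key`, `scan`) are assumptions, the inputs are constructed, and the idea that the reported read is index 1 of an empty name is an inference from the ASan location (offset 0 past a 1-byte `""` literal), not something the report confirms. Build it with `-fsanitize=address` the same way the report describes for troff to confirm that no out-of-bounds read occurs on the two-byte input.

```c
/* Added example, not groff's code: a simplified "\(xx" escape scanner that
 * handles truncated input. Build: cc -g -fsanitize=address model.c -o model */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum tok_kind { TOK_EOF, TOK_CHAR, TOK_GLYPH, TOK_TRUNCATED };

struct tok {
    enum tok_kind kind;
    char name[3];      /* two-character glyph name for TOK_GLYPH, "" otherwise */
    size_t consumed;   /* bytes taken from the input */
};

/* Read one token from in[0..len). Never touches in[len] or anything past it. */
struct tok next_token(const char *in, size_t len)
{
    struct tok t = { TOK_EOF, "", 0 };
    if (len == 0)
        return t;
    /* An ordinary byte, or a backslash that does not begin "\(" (simplified:
     * this model treats such a backslash as a literal character). */
    if (in[0] != '\\' || len < 2 || in[1] != '(') {
        t.kind = TOK_CHAR;
        t.name[0] = in[0];
        t.consumed = 1;
        return t;
    }
    /* "\(" needs two more bytes; "\(" or "\(x" at end of input is truncated,
     * which is the shape of the two-byte file in the report. */
    if (len < 4) {
        t.kind = TOK_TRUNCATED;
        t.consumed = len;
        return t;
    }
    t.kind = TOK_GLYPH;
    t.name[0] = in[2];
    t.name[1] = in[3];
    t.name[2] = '\0';
    t.consumed = 4;
    return t;
}

/* Turn a two-character glyph name into a lookup key. The length check is the
 * guard: indexing name[1] on an empty name would read one byte past its NUL,
 * which (assumption) matches the 1-byte read ASan reported next to a 1-byte
 * "" literal. Returns -1 for any name that is not exactly two bytes. */
int glyph_key(const char *name)
{
    if (strlen(name) != 2)
        return -1;
    return ((unsigned char)name[0] << 8) | (unsigned char)name[1];
}

/* Scan a whole buffer. Returns the number of truncated escapes and stores the
 * number of complete "\(xx" escapes in *glyphs. */
int scan(const char *in, size_t len, int *glyphs)
{
    int truncated = 0;
    *glyphs = 0;
    while (len > 0) {
        struct tok t = next_token(in, len);
        if (t.kind == TOK_GLYPH && glyph_key(t.name) >= 0)
            (*glyphs)++;
        else if (t.kind == TOK_TRUNCATED)
            truncated++;   /* t.name is "", so glyph_key() would reject it */
        in += t.consumed;
        len -= t.consumed;
    }
    return truncated;
}

int main(void)
{
    /* Constructed inputs: the report's two-byte file and a complete escape. */
    static const char repro[] = "\\(";
    static const char mixed[] = "a\\(bub";
    int glyphs = 0;
    int trunc = scan(repro, sizeof repro - 1, &glyphs);
    printf("repro: %d complete escape(s), %d truncated\n", glyphs, trunc);
    trunc = scan(mixed, sizeof mixed - 1, &glyphs);
    printf("mixed: %d complete escape(s), %d truncated\n", glyphs, trunc);
    return 0;
}
```

The scanner passes the remaining length down explicitly rather than relying on a terminating NUL, so the truncated case is decided before any name byte is read; the `glyph_key` check is the second, independent line of defence at the point where a name would otherwise be indexed.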
