Steps to reproduce: Compile with -fsanitize=address, then run:

    info -f reproduce_bug.info

Expected behavior: info does not trigger AddressSanitizer errors.

Actual behavior: AddressSanitizer reports a heap-buffer-overflow from skip_node_separator() in info/search.c:645

Comments: This file was generated by afl-fuzz and then hand-edited; I don't understand how it creates a heap buffer overflow.

Sincerely,
Nathaniel Beaver

P.S. Version information:

    $ git describe --tags
    texinfo-6.6-794-ga11612ff66
    $ git rev-parse HEAD
    a11612ff665391142fc8adb90796741cabb3b683
    $ info/ginfo --version | head -n 1
    info (GNU texinfo) 6.7.90
=================================================================
==12599==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x613000000220 at pc 0x564c3fbb9262 bp 0x7fffe8e7fef0 sp 0x7fffe8e7fee0
READ of size 1 at 0x613000000220 thread T0
#0 0x564c3fbb9261 in skip_node_separator
/home/nathaniel/local/texinfo-asan/texinfo/info/search.c:645
#1 0x564c3fb9b263 in scan_node_contents
/home/nathaniel/local/texinfo-asan/texinfo/info/info-utils.c:1633
#2 0x564c3fbb5ac1 in info_node_of_tag_ext
/home/nathaniel/local/texinfo-asan/texinfo/info/nodes.c:1288
#3 0x564c3fbb5eb5 in info_node_of_tag
/home/nathaniel/local/texinfo-asan/texinfo/info/nodes.c:1328
#4 0x564c3fbb479a in info_get_node_of_file_buffer
/home/nathaniel/local/texinfo-asan/texinfo/info/nodes.c:1073
#5 0x564c3fbb4308 in info_get_node_with_defaults
/home/nathaniel/local/texinfo-asan/texinfo/info/nodes.c:995
#6 0x564c3fbb43d2 in info_get_node
/home/nathaniel/local/texinfo-asan/texinfo/info/nodes.c:1018
#7 0x564c3fbc953d in dump_node_to_stream
/home/nathaniel/local/texinfo-asan/texinfo/info/session.c:3771
#8 0x564c3fbc9913 in dump_node_to_stream
/home/nathaniel/local/texinfo-asan/texinfo/info/session.c:3824
#9 0x564c3fbc93b0 in dump_nodes_to_file
/home/nathaniel/local/texinfo-asan/texinfo/info/session.c:3734
#10 0x564c3fba195c in main
/home/nathaniel/local/texinfo-asan/texinfo/info/info.c:1065
#11 0x7f1762585bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#12 0x564c3fb817e9 in _start
(/home/nathaniel/local/texinfo-asan/texinfo/info/ginfo+0x237e9)
Address 0x613000000220 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/nathaniel/local/texinfo-asan/texinfo/info/search.c:645 in
skip_node_separator
Shadow bytes around the buggy address:
0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8030: 00 00 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fff8040: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12599==ABORTING
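The C program below is an added example, not part of this bug report or of texinfo; it shows how the "Shadow bytes around the buggy address" lines are derived, so the report can be read without guessing. It assumes the default x86-64 Linux shadow mapping shadow = (addr >> 3) + 0x7fff8000 with one shadow byte per 8 application bytes (as the legend states); the addresses and shadow rows in main() are copied from the report. The column it computes for the faulting address matches the bracketed [fa] in the "=>" row, and the 07 byte in the preceding row locates the end of the allocation that was overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the bug report or texinfo): decode ASan's
   shadow-memory lines by hand.  Assumes the default x86-64 Linux shadow
   mapping  shadow = (addr >> 3) + 0x7fff8000, one shadow byte per 8
   application bytes, exactly as the report's legend says. */

#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Address of the shadow byte that covers application address addr. */
uint64_t asan_shadow_addr(uint64_t addr)
{
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* First application address of the 8-byte granule a shadow byte covers. */
uint64_t asan_app_addr(uint64_t shadow)
{
    return (shadow - ASAN_SHADOW_OFFSET) << ASAN_SHADOW_SCALE;
}

/* The legend printed at the end of every ASan report, as a lookup. */
const char *asan_shadow_meaning(unsigned char b)
{
    if (b >= 0x01 && b <= 0x07)
        return "Partially addressable";
    switch (b) {
    case 0x00: return "Addressable";
    case 0xfa: return "Heap left redzone";
    case 0xfd: return "Freed heap region";
    case 0xf1: return "Stack left redzone";
    case 0xf2: return "Stack mid redzone";
    case 0xf3: return "Stack right redzone";
    case 0xf5: return "Stack after return";
    case 0xf8: return "Stack use after scope";
    case 0xf9: return "Global redzone";
    case 0xf6: return "Global init order";
    case 0xf7: return "Poisoned by user";
    case 0xfc: return "Container overflow";
    case 0xac: return "Array cookie";
    case 0xbb: return "Intra object redzone";
    case 0xfe: return "ASan internal";
    case 0xca: return "Left alloca redzone";
    case 0xcb: return "Right alloca redzone";
    default:   return "Unknown";
    }
}

/* Whether one application byte may be accessed, given its shadow byte:
   00 means all 8 bytes of the granule are valid, k in 1..7 means only the
   first k bytes are, anything else means the granule is poisoned. */
int asan_byte_addressable(uint64_t addr, unsigned char shadow)
{
    if (shadow == 0x00)
        return 1;
    if (shadow >= 0x01 && shadow <= 0x07)
        return (addr & 7) < shadow;
    return 0;
}

/* Column (0..15) within the 16-byte shadow row starting at row_base that
   holds the shadow byte for addr, or -1 if that row does not cover addr.
   ASan marks this column with [brackets] on its "=>" line. */
int asan_shadow_column(uint64_t row_base, uint64_t addr)
{
    uint64_t s = asan_shadow_addr(addr);
    if (s < row_base || s >= row_base + 16)
        return -1;
    return (int)(s - row_base);
}

int main(void)
{
    /* Constants copied from the report. */
    const uint64_t bad = 0x613000000220ULL;    /* "READ of size 1 at ..." */
    const uint64_t row = 0x0c267fff8040ULL;    /* the "=>" shadow row     */
    unsigned char row_bytes[16];
    memset(row_bytes, 0xfa, sizeof row_bytes); /* that row is all fa      */

    int col = asan_shadow_column(row, bad);
    if (col < 0) {
        puts("row does not cover the faulting address");
        return 1;
    }
    printf("shadow byte for %#llx is at %#llx, column %d: %02x (%s)\n",
           (unsigned long long)bad, (unsigned long long)asan_shadow_addr(bad),
           col, row_bytes[col], asan_shadow_meaning(row_bytes[col]));

    /* The row at 0x0c267fff8030 reads "00 00 07 fa ...": the 07 in column 2
       is the last partially addressable granule before the redzone, so only
       7 of its 8 bytes belong to the allocation.  That gives the last valid
       byte of the buffer and how far past it the faulting read landed. */
    const uint64_t last_granule = asan_app_addr(0x0c267fff8032ULL);
    const uint64_t last_valid   = last_granule + 7 - 1;
    printf("last addressable byte %#llx; faulting read is %llu bytes past it\n",
           (unsigned long long)last_valid,
           (unsigned long long)(bad - last_valid));
    return 0;
}
```

The same arithmetic applies to any ASan report on this platform: take the reported address, shift right by 3, add the offset, and the result names the shadow byte whose value the legend explains. A shadow byte of 01..07 is what distinguishes "the buffer ends here" from "this whole granule is redzone", which is why the 07 a few rows before the "=>" line is the most informative byte in the dump.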
Attachments: original.info (application/info), reproduce_bug.info (application/info)
