https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62196

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2018-05-14
     Ever confirmed|0                           |1

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
abcdefghijklmnopqrstuvwxyz
=================================================================
==15899==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000036 at pc 0x0000004024c5 bp 0x7ffe7350f5f0 sp 0x7ffe7350f5e0
READ of size 1 at 0x602000000036 thread T0
    #0 0x4024c4 in void std::__valarray_copy<char>(std::_Array<char>, unsigned
long, std::_Array<char>, std::_Array<bool>) (/tmp/a.out+0x4024c4)
    #1 0x402092 in std::mask_array<char>::operator=(std::valarray<char> const&)
const (/tmp/a.out+0x402092)
    #2 0x40154c in main (/tmp/a.out+0x40154c)
    #3 0x7f3736481f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #4 0x400ef9 in _start (/tmp/a.out+0x400ef9)

0x602000000036 is located 0 bytes to the right of 6-byte region
[0x602000000030,0x602000000036)
allocated by thread T0 here:
    #0 0x7f37371e0158 in operator new(unsigned long)
(/lib64/libasan.so.4+0xe0158)
    #1 0x40187a in std::__valarray_get_memory(unsigned long)
(/tmp/a.out+0x40187a)
    #2 0x402155 in bool* restrict std::__valarray_get_storage<bool>(unsigned
long) (/tmp/a.out+0x402155)
    #3 0x401a35 in std::valarray<bool>::valarray(bool const*, unsigned long)
(/tmp/a.out+0x401a35)
    #4 0x4013e8 in main (/tmp/a.out+0x4013e8)
    #5 0x7f3736481f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/a.out+0x4024c4) in void
std::__valarray_copy<char>(std::_Array<char>, unsigned long, std::_Array<char>,
std::_Array<bool>)
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 06 fa fa fa[06]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15899==ABORTING
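The stack above shows std::mask_array<char>::operator=(const valarray<char>&) reading one byte past a 6-element valarray<bool> that was allocated in main: the copy loop is driven by the source valarray's size and indexes the mask for each element, so a source longer than the mask walks off the end of the mask's heap buffer. The following is an added example, not code from the bug report or from libstdc++, that performs the same masked assignment only after checking the preconditions that make it well-defined (mask.size() == dst.size(), and the number of true mask entries == src.size()). The helper names (checked_mask_assign, count_selected, from_string, to_string) and the inputs are this example's own; the 6-element mask against a 26-element source mirrors only the sizes visible in the report, not the reporter's actual test case.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <valarray>

// Count how many mask positions are true (helper written for this example).
static std::size_t count_selected(const std::valarray<bool>& mask)
{
    std::size_t n = 0;
    for (std::size_t i = 0; i < mask.size(); ++i)
        if (mask[i])
            ++n;
    return n;
}

// Checked masked assignment (example code, not part of libstdc++).
// dst[mask] = src is only well-defined when mask.size() == dst.size() and the
// number of true entries in mask equals src.size(). The library's
// mask_array::operator= loops over src.size() mask entries, so a src longer
// than the mask reads past the end of the mask's heap buffer, which is the
// access AddressSanitizer reports in the comment above. Here the operation is
// refused instead, and dst is left untouched.
bool checked_mask_assign(std::valarray<char>& dst,
                         const std::valarray<bool>& mask,
                         const std::valarray<char>& src)
{
    if (mask.size() != dst.size())
        return false;
    if (count_selected(mask) != src.size())
        return false;
    dst[mask] = src;
    return true;
}

static std::valarray<char> from_string(const std::string& s)
{
    return std::valarray<char>(s.data(), s.size());
}

static std::string to_string(const std::valarray<char>& v)
{
    return std::string(std::begin(v), std::end(v));
}

// Constructed inputs: a 6-element destination, a 6-element mask selecting
// positions 0, 2 and 4, and a 3-element source. Both preconditions hold.
std::string demo_accepted()
{
    std::valarray<char> dst = from_string("abcdef");
    const bool m[6] = {true, false, true, false, true, false};
    std::valarray<bool> mask(m, 6);
    std::valarray<char> src = from_string("XYZ");
    checked_mask_assign(dst, mask, src);
    return to_string(dst);  // "XbYdZf"
}

// Constructed inputs with the sizes seen in the report: a 6-element mask but
// a 26-element source. Unchecked, the copy would read mask[6] and beyond.
std::string demo_rejected()
{
    std::valarray<char> dst = from_string("abcdef");
    const bool m[6] = {true, false, true, false, true, false};
    std::valarray<bool> mask(m, 6);
    std::valarray<char> src = from_string("abcdefghijklmnopqrstuvwxyz");
    if (checked_mask_assign(dst, mask, src))
        return "accepted";
    return to_string(dst);  // "abcdef": refused, dst unchanged
}

int main()
{
    std::cout << demo_accepted() << '\n' << demo_rejected() << '\n';
}
```

Compiling the unchecked form of the rejected case with -fsanitize=address is what produces a report of the shape shown above; the checked wrapper never reaches the library copy loop when the sizes disagree, so nothing is read out of bounds.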