Re: Invalid memory read / heap out of bounds in parse_top_node_line()
On 18 October 2016 at 10:51, Hanno Böck wrote:
> Hi,
>
> The attached file will cause an out of bounds heap read in the
> function parse_top_node_line.
> To see this you need a memory safety detection tool like valgrind or
> address sanitizer (add "-fsanitize=address" to CFLAGS+LDFLAGS).
>
> This was found with the tool american fuzzy lop.
>
>
> Here's a stack trace from address sanitizer (latest svn code):
>
> ==4818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020dd9d at pc 0x0051c1dd bp 0x7fff7ca0ad10 sp 0x7fff7ca0ad08
> READ of size 1 at 0x6020dd9d thread T0
>     #0 0x51c1dc in parse_top_node_line /f/texinfo/trunk/info/info-utils.c:1174:11
>     #1 0x51c1dc in scan_node_contents /f/texinfo/trunk/info/info-utils.c:1646
>     #2 0x53d816 in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1445:11
>     #3 0x53bada in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1486:10
>     #4 0x53bada in info_get_node_of_file_buffer /f/texinfo/trunk/info/nodes.c:1110
>     #5 0x53b289 in info_get_node_with_defaults /f/texinfo/trunk/info/nodes.c:993:14
>     #6 0x55ef41 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3765:10
>     #7 0x55ec52 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3728:11
>     #8 0x5227b0 in main /f/texinfo/trunk/info/info.c:1027:7
>     #9 0x7f2aa5adc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
>     #10 0x419b28 in _start (/r/texinfo/ginfo+0x419b28)
>
> 0x6020dd9d is located 0 bytes to the right of 13-byte region [0x6020dd90,0x6020dd9d)
> allocated by thread T0 here:
>     #0 0x4c1758 in malloc (/r/texinfo/ginfo+0x4c1758)
>     #1 0x58254e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13

Thanks for the report, I've committed a fix.
Invalid memory read / heap out of bounds in parse_top_node_line()
Hi,

The attached file will cause an out of bounds heap read in the function parse_top_node_line.
To see this you need a memory safety detection tool like valgrind or address sanitizer (add "-fsanitize=address" to CFLAGS+LDFLAGS).

This was found with the tool american fuzzy lop.

Here's a stack trace from address sanitizer (latest svn code):

==4818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020dd9d at pc 0x0051c1dd bp 0x7fff7ca0ad10 sp 0x7fff7ca0ad08
READ of size 1 at 0x6020dd9d thread T0
    #0 0x51c1dc in parse_top_node_line /f/texinfo/trunk/info/info-utils.c:1174:11
    #1 0x51c1dc in scan_node_contents /f/texinfo/trunk/info/info-utils.c:1646
    #2 0x53d816 in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1445:11
    #3 0x53bada in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1486:10
    #4 0x53bada in info_get_node_of_file_buffer /f/texinfo/trunk/info/nodes.c:1110
    #5 0x53b289 in info_get_node_with_defaults /f/texinfo/trunk/info/nodes.c:993:14
    #6 0x55ef41 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3765:10
    #7 0x55ec52 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3728:11
    #8 0x5227b0 in main /f/texinfo/trunk/info/info.c:1027:7
    #9 0x7f2aa5adc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x419b28 in _start (/r/texinfo/ginfo+0x419b28)

0x6020dd9d is located 0 bytes to the right of 13-byte region [0x6020dd90,0x6020dd9d)
allocated by thread T0 here:
    #0 0x4c1758 in malloc (/r/texinfo/ginfo+0x4c1758)
    #1 0x58254e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/texinfo/trunk/info/info-utils.c:1174:11 in parse_top_node_line
==4818==ABORTING

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: texinfo-oob-heap-parse_top_node_line.info (binary data)
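The report says the read lands 0 bytes past a 13-byte xmalloc'd region, the classic shape of a line scanner that walks a buffer without checking its length. As an added, hypothetical illustration (not texinfo's code and not the committed fix, which is not quoted here), this is a length-guarded scanner for a header line of the kind parse_top_node_line handles, with parse_node_name and scan_exact_buffer as assumed names and the inputs constructed to mirror an exact-size, unterminated heap buffer:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a node-header scanner; NOT texinfo's
 * parse_top_node_line.  The header line "File: foo, Node: Top, Next: Bar"
 * lives in a heap buffer of exactly `len` bytes with NO trailing NUL, which
 * is the situation the ASan report describes (13-byte region, read one byte
 * past its end).  Every read is guarded by `len`, so a truncated line makes
 * the function fail instead of reading past the allocation. */
int parse_node_name(const char *line, size_t len, char *out, size_t outsz)
{
    static const char key[] = "Node: ";
    const size_t klen = sizeof key - 1;
    size_t i = 0, start, n;
    /* Locate "Node: " with memcmp, not strstr: the buffer has no NUL. */
    while (i + klen <= len && memcmp(line + i, key, klen) != 0)
        i++;
    if (i + klen > len)
        return -1;                 /* key not present inside the bounded line */
    i += klen;
    start = i;
    /* The name ends at ',', '\n' or the end of the buffer.  The unguarded
     * form `while (line[i] != ',' && line[i] != '\n') i++;` is the read
     * shape that overruns when the line ends without a delimiter. */
    while (i < len && line[i] != ',' && line[i] != '\n')
        i++;
    n = i - start;
    if (n == 0 || n >= outsz)
        return -1;                 /* empty name, or it would not fit in out */
    memcpy(out, line + start, n);
    out[n] = '\0';
    return (int)n;
}

/* Run the scanner on a constructed exact-size heap buffer (no terminator),
 * like the 13-byte region in the report.  Returns the name length or -1;
 * under -fsanitize=address an unguarded scanner would abort here instead. */
int scan_exact_buffer(const char *src, size_t len, char *out, size_t outsz)
{
    char *buf = malloc(len);
    int r = -1;
    if (buf) {
        memcpy(buf, src, len);
        r = parse_node_name(buf, len, out, outsz);
        free(buf);
    }
    return r;
}
```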