heap-buffer-overflow WRITE

**Describe the bug**
By compiling [givaro-4.2.0](https://casys.gricad-pages.univ-grenoble-alpes.fr/givaro/) with `--enable-doc` I get a random segfault.

Looking at dmesg I can see:
```
[Mon Nov  4 14:27:51 2024] traps: doxygen[52992] general protection fault ip:7ad14294a8b7 sp:7ffd99346848 error:0 in libc.so.6[7ad14280a000+169000]
```

So I have recompiled doxygen with address sanitizer and here is the output:

```
==2437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50b0001983e8 at pc 0x61f90e1d59ed bp 0x7ffc5bf2dec0 sp 0x7ffc5bf2d690
WRITE of size 17961 at 0x50b0001983e8 thread T0
    #0 0x61f90e1d59ec in read (/usr/bin/doxygen+0x47a9ec)
    #1 0x7eae5daf3a5e in std::__basic_file<char>::xsgetn(char*, long) (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libstdc++.so.6+0xf3a5e)
    #2 0x7eae5db23cf9 in std::basic_filebuf<char, std::char_traits<char>>::xsgetn(char*, long) (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libstdc++.so.6+0x123cf9)
    #3 0x7eae5db3139f in std::istream::read(char*, long) (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libstdc++.so.6+0x13139f)
    #4 0x61f90efdf9af in readInputFile(QCString const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, bool, bool) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/util.cpp:5791:7
    #5 0x61f90f4632bf in checkAndOpenFile(yyguts_t*, QCString const&, bool&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:2237:10
    #6 0x61f90f461b9c in findFile(yyguts_t*, QCString const&, bool, bool&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:2257:15
    #7 0x61f90f444e47 in readIncludeFile(yyguts_t*, QCString const&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:3558:8
    #8 0x61f90f41e115 in preYYlex(yyguts_t*) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:1256:45
    #9 0x61f90f452af7 in Preprocessor::processFile(QCString const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:4039:3
    #10 0x61f90e320529 in parseFile(OutlineParserInterface&, FileDef*, QCString const&, ClangTUParser*, bool) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:10296:18
    #11 0x61f90e2b6840 in parseFilesSingleThreading(std::shared_ptr<Entry> const&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:10553:41
    #12 0x61f90e2b281b in parseInput() /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:12229:5
    #13 0x61f90e29b165 in main /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/main.cpp:37:3
    #14 0x7eae5d8393fa  (/lib64/libc.so.6+0x263fa)
    #15 0x7eae5d8394b3 in __libc_start_main (/lib64/libc.so.6+0x264b3)
    #16 0x61f90e1b7614 in _start (/usr/bin/doxygen+0x45c614)

0x50b0001983e8 is located 0 bytes after 104-byte region [0x50b000198380,0x50b0001983e8)
allocated by thread T0 here:
/usr/lib/llvm/19/bin/llvm-symbolizer: error: '[stack]': No such file or directory
    #0 0x61f90e298cb1 in operator new(unsigned long) (/usr/bin/doxygen+0x53dcb1)
    #1 0x61f90f474a80 in std::__detail::_MakeUniq<FileState>::__single_object std::make_unique<FileState>() /usr/lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/unique_ptr.h:1077:30
    #2 0x61f90f46326d in checkAndOpenFile(yyguts_t*, QCString const&, bool&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:2236:10
    #3 0x61f90f461b9c in findFile(yyguts_t*, QCString const&, bool, bool&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:2257:15
    #4 0x61f90f444e47 in readIncludeFile(yyguts_t*, QCString const&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:3558:8
    #5 0x61f90f41e115 in preYYlex(yyguts_t*) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:1256:45
    #6 0x61f90f452af7 in Preprocessor::processFile(QCString const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/pre.l:4039:3
    #7 0x61f90e320529 in parseFile(OutlineParserInterface&, FileDef*, QCString const&, ClangTUParser*, bool) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:10296:18
    #8 0x61f90e2b6840 in parseFilesSingleThreading(std::shared_ptr<Entry> const&) /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:10553:41
    #9 0x61f90e2b281b in parseInput() /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/doxygen.cpp:12229:5
    #10 0x61f90e29b165 in main /var/tmp/portage/app-text/doxygen-1.12.0/work/doxygen-1.12.0/src/main.cpp:37:3
    #11 0x7eae5d8393fa  (/lib64/libc.so.6+0x263fa)
    #12 0x7ffc5bf403dd  ([stack]+0x653dd)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/doxygen+0x47a9ec) in read
Shadow bytes around the buggy address:
  0x50b000198100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000198180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000198200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50b000198280: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x50b000198300: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x50b000198380: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
  0x50b000198400: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x50b000198480: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x50b000198500: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x50b000198580: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x50b000198600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2437==ABORTING
```

The givaro archive is public, so not worth attaching it here:
https://github.com/linbox-team/givaro/archive/refs/tags/v4.2.0.tar.gz

The doxygen command I can see running is just `doxygen Doxyfile`

If I can do something else, please let me know.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

heap-buffer-overflow WRITE #11217

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

heap-buffer-overflow WRITE #11217

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions