Pass correct length to Deline_*
The length of the VAL_SERIES(value) has been set correctly by
Append_UTF8, and it could be smaller than "len", because UTF8 is a
multi-byte encoding, thus passing "len" to Deline_Uni could cause
out-of-bound memory access.

Fixes CC#2169

The following code

    REBOL[]
    t: <ēee>

causes:

==13053==ERROR: AddressSanitizer: use-after-poison on address 0x61d00001a5f8 at pc 0x000000853d50 bp 0x7ffd2a31a1b0 sp 0x7ffd2a31a1a8
WRITE of size 2 at 0x61d00001a5f8 thread T0
    #0 0x853d4f in Deline_Uni /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426:2
    #1 0x7064d4 in Scan_Any /home/zsx/stuffs/work/r3.git/make/../src/core/l-types.c:846:7
    #2 0x6dca3c in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1421:4
    #3 0x6d9f92 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1301:12
    #4 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9
    #5 0x6df462 in Scan_Source /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1570:9
    #6 0x896105 in Make_Block_Type /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:306:9
    #7 0x89af62 in T_Block /home/zsx/stuffs/work/r3.git/make/../src/core/t-block.c:624:3
    #8 0x8ac80b in T_Datatype /home/zsx/stuffs/work/r3.git/make/../src/core/t-datatype.c:92:20
    #9 0x5c458f in Do_Act /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:338:8
    #10 0x5c5927 in Do_Action /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:396:2
    #11 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #12 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #13 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #14 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
    #15 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #16 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #17 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #18 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #19 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #20 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #21 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11
    #22 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6
    #23 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #24 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #25 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #26 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #27 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #28 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #29 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #30 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #31 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #32 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
    #33 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
    #34 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #35 0xb07e30 in Parse_Series /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:96:9
    #36 0xb06e85 in N_parse /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:1269:7
    #37 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #38 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #39 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #40 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #41 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #42 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #43 0x746174 in N_case /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:348:10
    #44 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #45 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #46 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #47 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #48 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #49 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #50 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #51 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #52 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #53 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #54 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #55 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #56 0x749e2b in N_do /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:524:8
    #57 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #58 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #59 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #60 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #61 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #62 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #63 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #64 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #65 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #66 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #67 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #68 0x74aeea in N_either /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:598:3
    #69 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #70 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #71 0x5576e1 in Do_Blk /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1017:11
    #72 0x5c5c4f in Do_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:415:11
    #73 0x5758b0 in Apply_Function /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1528:33
    #74 0x576ec0 in Do_Sys_Func /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1588:10
    #75 0x582548 in Init_Mezz /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:2320:9
    #76 0x52e62f in RL_Start /home/zsx/stuffs/work/r3.git/make/../src/core/a-lib.c:193:9
    #77 0xbb6fb3 in main /home/zsx/stuffs/work/r3.git/make/../src/os/host-main.c:235:6
    #78 0x7fd1c04ef7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #79 0x486498 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x486498)

0x61d00001a5f8 is located 376 bytes inside of 2064-byte region [0x61d00001a480,0x61d00001ac90)
allocated by thread T0 here:
    #0 0x50d462 in __interceptor_malloc (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x50d462)
    #1 0x721a85 in Make_Mem /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:132:14
    #2 0x723bed in Fill_Pool /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:240:19
    #3 0x7233c2 in Make_Node /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:295:20
    #4 0x7267f3 in Make_Series /home/zsx/stuffs/work/r3.git/make/../src/core/m-pools.c:419:10
    #5 0x818d71 in Copy_String /home/zsx/stuffs/work/r3.git/make/../src/core/s-make.c:337:8
    #6 0x6dc386 in Scan_Block /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1388:22
    #7 0x6df0e6 in Scan_Code /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1550:9
    #8 0x6e1f81 in N_transcode /home/zsx/stuffs/work/r3.git/make/../src/core/l-scan.c:1630:8
    #9 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #10 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #11 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #12 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #13 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #14 0x56110f in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:942:13
    #15 0x568295 in Try_Block /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1087:11
    #16 0x7506ac in N_try /home/zsx/stuffs/work/r3.git/make/../src/core/n-control.c:760:6
    #17 0x5c379d in Do_Native /home/zsx/stuffs/work/r3.git/make/../src/core/c-function.c:289:6
    #18 0x55f3d7 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:886:18
    #19 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #20 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #21 0x56360b in Do_Args /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:668:12
    #22 0x55edc9 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:879:11
    #23 0x55e447 in Do_Next /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:860:11
    #24 0x566f3d in Do_Block_Value_Throw /home/zsx/stuffs/work/r3.git/make/../src/core/c-do.c:1049:11
    #25 0xb0b9f9 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:830:4
    #26 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #27 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #28 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9
    #29 0xb0eb17 in Parse_Rules_Loop /home/zsx/stuffs/work/r3.git/make/../src/core/u-parse.c:927:9

SUMMARY: AddressSanitizer: use-after-poison /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426 Deline_Uni
Shadow bytes around the buggy address:
  0x0c3a7fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c3a7fffb4b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 f7 00 00[f7]
  0x0c3a7fffb4c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb4f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fffb500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13053==ABORTING
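The byte-count versus code-unit-count confusion the commit message describes, as an added example that is not r3 code: `utf8_to_uni`, `deline_uni`, `scan_string` and `probe_overrun` are hypothetical, simplified stand-ins for Append_UTF8, Deline_Uni and the Scan_Any code in this commit, and the sample inputs are constructed from the commit message's `<ēee>` (6 UTF-8 bytes, 5 characters). `probe_overrun` surrounds the decoded buffer with a canary so the pre-fix call (deline over the byte length) can be seen writing exactly one 16-bit unit past the buffer, the size-2 write ASan reported, while the same call with the decoded length stays in bounds, and pure ASCII input never trips it (which is why the bug could stay latent).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Append_UTF8: decode len bytes of UTF-8 at src into
 * 16-bit code units, writing at most cap units to dst (dst == NULL: count only).
 * Returns the number of units, i.e. what the series tail ends up as. Not a
 * validating decoder; code points above U+FFFF fold to U+FFFD so that one code
 * point always costs exactly one unit, which is all this demonstration needs. */
static size_t utf8_to_uni(const uint8_t *src, size_t len, uint16_t *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t b = src[i];
        uint32_t cp;
        size_t w;
        if (b < 0x80)      { cp = b;        w = 1; }
        else if (b < 0xE0) { cp = b & 0x1F; w = 2; }
        else if (b < 0xF0) { cp = b & 0x0F; w = 3; }
        else               { cp = b & 0x07; w = 4; }
        if (i + w > len) {                 /* truncated trailing sequence */
            cp = 0xFFFD;
            w = len - i;
        } else {
            for (size_t k = 1; k < w; k++)
                cp = (cp << 6) | (src[i + k] & 0x3F);
        }
        if (cp > 0xFFFF) cp = 0xFFFD;
        if (dst && n < cap) dst[n] = (uint16_t)cp;
        n++;
        i += w;
    }
    return n;
}

/* Hypothetical stand-in for Deline_Uni: collapse CR LF to LF in place over n
 * units and write a terminating 0. Touches units [0, n] and nothing else, so
 * the caller's n must not exceed the decoded length. Returns the new length. */
static size_t deline_uni(uint16_t *s, size_t n)
{
    size_t r = 0, w = 0;
    while (r < n) {
        uint16_t c = s[r++];
        if (c == '\r' && r < n && s[r] == '\n')
            continue;                      /* drop the CR, keep the LF */
        s[w++] = c;
    }
    s[w] = 0;
    return w;
}

/* The fixed Scan_Any shape: size the buffer from the DECODED count and hand
 * that same count (the series length, not the byte count len) to deline.
 * *out receives the buffer (caller frees); returns the delined length, or
 * (size_t)-1 on allocation failure. */
static size_t scan_string(const uint8_t *src, size_t len, uint16_t **out)
{
    size_t units = utf8_to_uni(src, len, NULL, 0);
    uint16_t *buf = malloc((units + 1) * sizeof *buf);
    if (!buf) return (size_t)-1;
    utf8_to_uni(src, len, buf, units);
    buf[units] = 0;
    size_t n = deline_uni(buf, units);
    *out = buf;
    return n;
}

/* Reproduce the pre-fix call safely: put a canary region after the decoded
 * buffer, run deline over either the byte length (use_byte_len != 0, the old
 * code) or the decoded length (the fix), and return how many canary units were
 * modified. Any non-zero result is an out-of-bounds write in the real code. */
static size_t probe_overrun(const uint8_t *src, size_t len, int use_byte_len)
{
    const uint16_t CANARY = 0xA5A5;
    size_t units = utf8_to_uni(src, len, NULL, 0);
    size_t total = units + 1 + len + 1;    /* buffer + terminator + canary */
    uint16_t *buf = malloc(total * sizeof *buf);
    if (!buf) return (size_t)-1;
    for (size_t i = 0; i < total; i++) buf[i] = CANARY;
    utf8_to_uni(src, len, buf, units);
    buf[units] = 0;
    deline_uni(buf, use_byte_len ? len : units);
    size_t clobbered = 0;
    for (size_t i = units + 1; i < total; i++)
        if (buf[i] != CANARY) clobbered++;
    free(buf);
    return clobbered;
}

int main(void)
{
    /* Constructed input: the commit message's <ēee>; "\xc4\x93" is U+0113. */
    static const uint8_t tag[] = "<\xc4\x93" "ee>";
    size_t len = sizeof tag - 1;
    printf("bytes=%zu units=%zu\n", len, utf8_to_uni(tag, len, NULL, 0));
    printf("old call (byte length) clobbers %zu unit(s)\n", probe_overrun(tag, len, 1));
    printf("fixed call (decoded length) clobbers %zu unit(s)\n", probe_overrun(tag, len, 0));
    return 0;
}
```

The canary trick is a poor man's AddressSanitizer: it turns the silent one-unit overrun into a countable result, which is the kind of check worth keeping in a regression test for any scanner that decodes into a buffer sized differently from its input.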
zsx committed May 21, 2015
1 parent 9aba084 commit 0a98b69
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions src/core/l-types.c
@@ -837,13 +837,11 @@ bad_hex: Trap0(RE_INVALID_CHARS);

VAL_SET(value, type);
VAL_SERIES(value) = Append_UTF8(0, cp, len);
VAL_INDEX(value) = 0;
VAL_TAIL(value) = len;

if (VAL_BYTE_SIZE(value)) {
n = Deline_Bytes(VAL_BIN(value), len);
n = Deline_Bytes(VAL_BIN(value), VAL_LEN(value));
} else {
n = Deline_Uni(VAL_UNI(value), len);
n = Deline_Uni(VAL_UNI(value), VAL_LEN(value));
}
VAL_TAIL(value) = n;

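Review bot: The fix is only complete because this hunk also drops `VAL_TAIL(value) = len;`; since VAL_LEN(value) is derived from the series tail, leaving that assignment in place would make the new `Deline_Bytes(VAL_BIN(value), VAL_LEN(value))` and `Deline_Uni(VAL_UNI(value), VAL_LEN(value))` calls overrun exactly as before. A one-line comment above the `if` stating that Append_UTF8 has already set the tail to the decoded character count, and that `len` is a byte count of the UTF-8 source, would keep someone from reinstating that line later. The pairing of VAL_BIN/VAL_UNI with VAL_LEN is also only consistent because `VAL_INDEX(value) = 0;` is set immediately above, so those lines should stay adjacent. Note that the ASan report in the message is a use-after-poison inside a 2064-byte pool region (Make_Mem via Fill_Pool) rather than a heap-buffer-overflow, i.e. the 2-byte write lands in memory the pool allocator itself poisoned (the f7 shadow bytes); without ASan it would silently corrupt a neighbouring series, so the `<ēee>` input from the commit message deserves a regression test.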
