Fix a heap-buffer-overflow
Found by AddressSanitizer:
==8157==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f5897 at pc 0x4816ef bp 0x7fffffffafb0 sp 0x7fffffffafa0
READ of size 1 at 0x61d0000f5897 thread T0
    #0 0x4816ee in Expand_Series ../src/core/m-series.c:138
    #1 0x4e258c in Insert_Gobs ../src/core/t-gob.c:219
    rebol#2 0x4e7782 in T_Gob ../src/core/t-gob.c:833
    rebol#3 0x42e26f in Do_Act ../src/core/c-function.c:338
    rebol#4 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    rebol#5 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#6 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#7 0x4883d6 in N_if ../src/core/n-control.c:632
    rebol#8 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#9 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#10 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#11 0x4893c0 in N_unless ../src/core/n-control.c:792
    rebol#12 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#13 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#14 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#15 0x488c03 in N_switch ../src/core/n-control.c:736
    rebol#16 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#17 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#18 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#19 0x4883d6 in N_if ../src/core/n-control.c:632
    rebol#20 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#21 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#22 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#23 0x42ea5c in Do_Function ../src/core/c-function.c:415
    rebol#24 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#25 0x415658 in Try_Block ../src/core/c-do.c:1083
    rebol#26 0x4862f8 in N_attempt ../src/core/n-control.c:306
    rebol#27 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#28 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#29 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#30 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    rebol#31 0x49693a in N_for ../src/core/n-loop.c:486
    rebol#32 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#33 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#34 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#35 0x4883d6 in N_if ../src/core/n-control.c:632
    rebol#36 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#37 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#38 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#39 0x42ea5c in Do_Function ../src/core/c-function.c:415
    rebol#40 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#41 0x415658 in Try_Block ../src/core/c-do.c:1083
    rebol#42 0x488f7d in N_try ../src/core/n-control.c:760
    rebol#43 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#44 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#45 0x4118a1 in Do_Args ../src/core/c-do.c:668
    rebol#46 0x413700 in Do_Next ../src/core/c-do.c:879
    rebol#47 0x4118a1 in Do_Args ../src/core/c-do.c:668
    rebol#48 0x413700 in Do_Next ../src/core/c-do.c:879
    rebol#49 0x414f2f in Do_Block_Value_Throw ../src/core/c-do.c:1048
    rebol#50 0x5725ac in Parse_Rules_Loop ../src/core/u-parse.c:830
    rebol#51 0x5731f8 in Parse_Rules_Loop ../src/core/u-parse.c:927
    rebol#52 0x56c799 in Parse_Series ../src/core/u-parse.c:96
    rebol#53 0x576950 in N_parse ../src/core/u-parse.c:1269
    rebol#54 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#55 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#56 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#57 0x4883d6 in N_if ../src/core/n-control.c:632
    rebol#58 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#59 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#60 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#61 0x42ea5c in Do_Function ../src/core/c-function.c:415
    rebol#62 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#63 0x415658 in Try_Block ../src/core/c-do.c:1083
    rebol#64 0x4862f8 in N_attempt ../src/core/n-control.c:306
    rebol#65 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#66 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#67 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#68 0x487b91 in N_do ../src/core/n-control.c:524
    rebol#69 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#70 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#71 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#72 0x487fcb in N_either ../src/core/n-control.c:598
    rebol#73 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#74 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#75 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#76 0x487fcb in N_either ../src/core/n-control.c:598
    rebol#77 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#78 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#79 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#80 0x487fcb in N_either ../src/core/n-control.c:598
    rebol#81 0x42dd9c in Do_Native ../src/core/c-function.c:289
    rebol#82 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#83 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#84 0x42ea5c in Do_Function ../src/core/c-function.c:415
    rebol#85 0x4198c2 in Apply_Function ../src/core/c-do.c:1524
    rebol#86 0x419fa8 in Do_Sys_Func ../src/core/c-do.c:1584
    rebol#87 0x41e406 in Init_Mezz ../src/core/c-do.c:2313
    rebol#88 0x405fd3 in RL_Start ../src/core/a-lib.c:167
    rebol#89 0x59d1f7 in main ../src/os/host-main.c:231
    rebol#90 0x7ffff571403f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    rebol#91 0x405858 (/home/zsx/work/r3.git/make/r3-view-linux+0x405858)

0x61d0000f5897 is located 7 bytes to the right of 2064-byte region [0x61d0000f5080,0x61d0000f5890)
allocated by thread T0 here:
    #0 0x7ffff6f56b77 in __interceptor_malloc (/usr/lib/libasan.so.1+0x57b77)
    #1 0x47c300 in Make_Mem ../src/core/m-pools.c:125
    rebol#2 0x47ca2f in Fill_Pool ../src/core/m-pools.c:233
    rebol#3 0x47d80c in Make_Series ../src/core/m-pools.c:388
    rebol#4 0x4826f3 in Copy_Series ../src/core/m-series.c:261
    rebol#5 0x43ca14 in Copy_Deep_Values ../src/core/f-blocks.c:131
    rebol#6 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#7 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#8 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#9 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#10 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#11 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#12 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#13 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#14 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#15 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#16 0x43cb82 in Copy_Deep_Values ../src/core/f-blocks.c:136
    rebol#17 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    rebol#18 0x43cd9f in Clone_Block ../src/core/f-blocks.c:174
    rebol#19 0x42db12 in Clone_Function ../src/core/c-function.c:266
    rebol#20 0x43cc00 in Copy_Deep_Values ../src/core/f-blocks.c:139
    rebol#21 0x43cd30 in Copy_Block_Values ../src/core/f-blocks.c:159
    rebol#22 0x4fd371 in T_Object ../src/core/t-object.c:364
    rebol#23 0x42e26f in Do_Act ../src/core/c-function.c:338
    rebol#24 0x42e9d8 in Do_Action ../src/core/c-function.c:396
    rebol#25 0x41395b in Do_Next ../src/core/c-do.c:886
    rebol#26 0x4133cc in Do_Next ../src/core/c-do.c:860
    rebol#27 0x414b73 in Do_Blk ../src/core/c-do.c:1016
    rebol#28 0x493bb9 in Loop_Integer ../src/core/n-loop.c:131
    rebol#29 0x49693a in N_for ../src/core/n-loop.c:486

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:138 Expand_Series
Shadow bytes around the buggy address:
  0x0c3a80016ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a80016b10: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80016b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8157==ABORTING

This is happening because "GOB_TAIL(gob) = count" sets the tail of a
series with length of "count" to be "count", and Expand_Series expects
a terminator in the series. (m-series.c:90 size  = (series->tail + 1) * wide;)
zsx committed Oct 15, 2014
1 parent c986e5a commit f47d17f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/core/t-gob.c
Expand Up @@ -205,7 +205,7 @@ const REBCNT Gob_Flag_Words[] = {

// Create or expand the pane series:
if (!GOB_PANE(gob)) {
GOB_PANE(gob) = Make_Series(count, sizeof(REBGOB*), 0);
GOB_PANE(gob) = Make_Series(count + 1, sizeof(REBGOB*), 0);
LABEL_SERIES(GOB_PANE(gob), "gob pane");
GOB_TAIL(gob) = count;
index = 0;
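Review bot: the hunk shows only the creation branch (`if (!GOB_PANE(gob))`); the branch that expands an already existing pane is outside it, so it is worth confirming that path also leaves a free terminator slot, since `GOB_TAIL(gob) = count;` below still sets tail equal to the element count, which is only safe when capacity is at least `count + 1`, as `Make_Series(count + 1, sizeof(REBGOB*), 0);` now guarantees for the fresh-pane case. A one-line comment on the `+ 1` stating that it reserves the terminator Expand_Series reads at `(series->tail + 1) * wide` (cited in the message) would keep a later cleanup from dropping it, and a regression test built from the ASan reproducer would catch a relapse.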

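The off-by-one the commit message describes (a series allocated with `count` elements, tail set to `count`, and an expand routine that copies `(tail + 1) * wide` bytes, so the terminator slot it assumes lies one element past the allocation) is modelled below in a small, self-contained C program. This is an added illustration, not code from the r3 repository: `series_t`, `series_make`, `make_pane`, `series_expand` and `series_terminator_in_bounds` are hypothetical names chosen for the example, and the real `Make_Series`/`Expand_Series` carry more state than this. `make_pane(count, 0)` reproduces the pre-fix shape and `make_pane(count, 1)` the post-fix shape; the expand routine checks the invariant before copying and fails cleanly instead of reading out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a series: a flat buffer of `capacity`
 * elements of `wide` bytes each, `tail` elements in use, and one terminator
 * element expected at index `tail`.  Names are constructed for this example. */
typedef struct {
    unsigned char *data;
    size_t wide;      /* element width in bytes */
    size_t tail;      /* elements in use */
    size_t capacity;  /* elements allocated, terminator slot included */
} series_t;

/* Allocate a zeroed series with room for `capacity` elements. */
series_t *series_make(size_t capacity, size_t wide) {
    series_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = calloc(capacity ? capacity : 1, wide);
    if (!s->data) { free(s); return NULL; }
    s->wide = wide;
    s->capacity = capacity;
    s->tail = 0;
    return s;
}

void series_free(series_t *s) {
    if (s) { free(s->data); free(s); }
}

/* The invariant an expand routine relies on when it copies
 * (tail + 1) * wide bytes: the terminator slot must be inside the
 * allocation, i.e. tail + 1 <= capacity. */
int series_terminator_in_bounds(const series_t *s) {
    return s->tail + 1 <= s->capacity;
}

/* Model of the pane-creation code in the commit.  reserve_terminator == 0
 * mirrors the pre-fix shape (capacity == count, tail == count);
 * reserve_terminator == 1 mirrors the fix (capacity == count + 1). */
series_t *make_pane(size_t count, int reserve_terminator) {
    series_t *s = series_make(reserve_terminator ? count + 1 : count,
                              sizeof(void *));
    if (!s) return NULL;
    s->tail = count;
    return s;
}

/* Defensive expand: grows the buffer by `extra` elements, copying the
 * (tail + 1) * wide bytes the original would copy, but refuses when the
 * terminator slot is not inside the allocation.  Returns 1 on success. */
int series_expand(series_t *s, size_t extra) {
    if (!series_terminator_in_bounds(s)) return 0;   /* would read OOB */
    size_t used = (s->tail + 1) * s->wide;
    size_t new_cap = s->capacity + extra;
    if (new_cap < s->capacity) return 0;              /* size_t wraparound */
    unsigned char *nd = calloc(new_cap, s->wide);
    if (!nd) return 0;
    memcpy(nd, s->data, used);
    free(s->data);
    s->data = nd;
    s->capacity = new_cap;
    return 1;
}

int main(void) {
    series_t *bad = make_pane(8, 0);
    series_t *good = make_pane(8, 1);
    printf("pre-fix pane: terminator in bounds = %d, expand ok = %d\n",
           series_terminator_in_bounds(bad), series_expand(bad, 4));
    printf("post-fix pane: terminator in bounds = %d, expand ok = %d\n",
           series_terminator_in_bounds(good), series_expand(good, 4));
    series_free(bad);
    series_free(good);
    return 0;
}
```

Under AddressSanitizer the pre-fix shape is exactly what the report above shows: the copy of `(tail + 1) * wide` bytes touches the first element past the region, which lands in the right redzone. The bounds check here turns that silent over-read into an explicit failure a caller can handle, which is the cheaper guard to keep alongside the `count + 1` allocation.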