[Dot] Segmentation fault and use-after-free bugs #126

Open
GadgetSteve opened this issue Jul 4, 2016 · 0 comments

@GadgetSteve (Contributor) commented:

Ported Issue from Mantis
Original ID: 2580
Reported By: alexpark

SEVERITY: CRASH
Submitted: 2015-12-06 23:50:25

OS: LINUX

OS BUILD: UBUNTU 15.10

PLATFORM: LINUX (UBUNTU)

DESCRIPTION

I found two bugs in the latest development version of graphviz's dot.
To be honest, there is only one test-case file, but it can lead to two cases of crashing bugs.
One is a segmentation fault, the other is a use-after-free bug.

STEPS TO REPRODUCE

  1. use-after-free

Use one of the output options such as plain or plain-ext, like below:

$ dot -Tplain sigsegv_sample.dot -Otest.plain

  2. segmentation fault

Use one of the output options such as cmap, gd, gd2, gif, ismap, jpe, jpeg, jpg, png, wbmp, like below:

$ dot -Tpng sigsegv_sample.dot -Otest.png

ADDITIONAL INFORMATION

plain, plain-ext

/home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/.libs/dot -Tplain sigsegv_sample.dot -Otest.plain

==21005==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000003ca0 at pc 0x7fd8f8598b10 bp 0x7ffc4d6ca060 sp 0x7ffc4d6ca030
READ of size 2798 at 0x61e000003ca0 thread T0
#0 0x7fd8f8598b0f in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x33b0f)
#1 0x7fd8f82e9751 in gvputs (/usr/lib/libgvc.so.6+0x20751)
#2 0x7fd8f8325c45 in write_plain (/usr/lib/libgvc.so.6+0x5cc45)
#3 0x7fd8f06f2ca2 (/usr/lib/graphviz/libgvplugin_core.so.6+0x7ca2)
#4 0x7fd8f82e7bd7 in gvrender_end_graph (/usr/lib/libgvc.so.6+0x1ebd7)
#5 0x7fd8f832f509 in emit_graph (/usr/lib/libgvc.so.6+0x66509)
#6 0x7fd8f8331632 in gvRenderJobs (/usr/lib/libgvc.so.6+0x68632)
#7 0x401501 in main /home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/dot.c:192
#8 0x7fd8f7d0aa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#9 0x401658 in _start (/home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/.libs/dot+0x401658)

0x61e000003ca0 is located 32 bytes inside of 2837-byte region [0x61e000003c80,0x61e000004795)
freed by thread T0 here:
#0 0x7fd8f85bc5af in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x575af)
#1 0x7fd8f6f9d1bb (/usr/lib/libcdt.so.5+0x41bb)

previously allocated by thread T0 here:
#0 0x7fd8f85bc827 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x57827)
#1 0x7fd8f80bcaf0 (/usr/lib/libcgraph.so.6+0x8af0)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
0x0c3c7fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c7fff8790: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff87a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff87b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff87c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff87d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff87e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==21005==ABORTING

DOT Output type: cmap, gd, gd2, gif, ismap, jpe, jpeg, jpg, png, wbmp

alex@vm64:~/Downloads$ /home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/.libs/dot -Twbmp sigsegv_sample.dot
Warning: Invalid 4-byte UTF8 found in input of graph finite_state_machine - treated as Latin-1. Perhaps "-Gcharset=latin1" is needed?

ASAN:SIGSEGV

==22407==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8388069738 (pc 0x7f848cc6b918 sp 0x7ffcaf9c6dd0 bp 0x7f849225b800 T0)
#0 0x7f848cc6b917 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x34917)
#1 0x7f848ccaf565 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x78565)
#2 0x7f848cca16ab (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6a6ab)
#3 0x7f848cca2471 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b471)
#4 0x7f848cca2abd (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6babd)
#5 0x7f848cca2f58 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6bf58)
#6 0x7f848cc5df2f (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x26f2f)
#7 0x7f848cc6f1b6 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x381b6)
#8 0x7f848cca61d6 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6f1d6)
#9 0x7f848cc660db (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2f0db)
#10 0x7f848cc58854 in cairo_fill_preserve (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x21854)
#11 0x7f848d15fa55 (/usr/lib/graphviz/libgvplugin_pango.so.6+0x5a55)
#12 0x7f84910085a9 in gvrender_polygon (/usr/lib/libgvc.so.6+0x1f5a9)
#13 0x7f8491008668 in gvrender_box (/usr/lib/libgvc.so.6+0x1f668)
#14 0x7f849104fcf8 in emit_graph (/usr/lib/libgvc.so.6+0x66cf8)
#15 0x7f8491051632 in gvRenderJobs (/usr/lib/libgvc.so.6+0x68632)
#16 0x401501 in main /home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/dot.c:192
#17 0x7f8490a2aa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#18 0x401658 in _start (/home/alex/hack/project/src/graphviz-2.38.0/cmd/dot/.libs/dot+0x401658)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==22407==ABORTING
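The two reports above tell a triager different things: the first names the bug class (a heap-use-after-free, a READ of 2798 bytes by strlen called from gvputs, with the region freed from libcdt), while the second is an unsymbolized SEGV on a far-from-null address deep in libcairo. The shell helper below is an added example, not code from the Graphviz project or from the original report. It pulls those facts out of AddressSanitizer output into a one-line summary, and, given an ASan build of dot and the sample file (neither is attached to this issue; the binary path and file name passed to repro_all_formats are assumptions), re-runs every output type named in the report. The two embedded excerpts are trimmed copies of the traces posted above so the script runs offline.

```shell
#!/bin/sh
# Added triage helper for the two ASan reports in this issue. Not part of
# Graphviz or of the original report; the excerpts below are trimmed copies
# of the traces posted above, embedded so the script runs offline.

# Trimmed excerpt of the -Tplain report (heap-use-after-free).
UAF_REPORT='==21005==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000003ca0 at pc 0x7fd8f8598b10 bp 0x7ffc4d6ca060 sp 0x7ffc4d6ca030
READ of size 2798 at 0x61e000003ca0 thread T0
    #0 0x7fd8f8598b0f in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x33b0f)
    #1 0x7fd8f82e9751 in gvputs (/usr/lib/libgvc.so.6+0x20751)
    #2 0x7fd8f8325c45 in write_plain (/usr/lib/libgvc.so.6+0x5cc45)
0x61e000003ca0 is located 32 bytes inside of 2837-byte region [0x61e000003c80,0x61e000004795)
freed by thread T0 here:
    #0 0x7fd8f85bc5af in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x575af)
    #1 0x7fd8f6f9d1bb (/usr/lib/libcdt.so.5+0x41bb)'

# Trimmed excerpt of the -Twbmp report (SEGV, unsymbolized libcairo frames).
SEGV_REPORT='==22407==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8388069738 (pc 0x7f848cc6b918 sp 0x7ffcaf9c6dd0 bp 0x7f849225b800 T0)
    #0 0x7f848cc6b917 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x34917)
    #1 0x7f848ccaf565 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x78565)
    #10 0x7f848cc58854 in cairo_fill_preserve (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x21854)'

# awk helper shared by the frame functions: the symbol if the frame reads
# "in <sym>", otherwise the module path with its +offset stripped.
FRAME_FN='function frame_name(s) {
    if ($3 == "in") return $4
    s = $3; sub(/^\(/, "", s); sub(/\+.*$/, "", s); return s
}
'

# Bug class from the ERROR line, e.g. heap-use-after-free or SEGV.
asan_class() {
    printf '%s\n' "$1" | sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Access kind and size ("READ 2798"); empty for reports without one (SEGV).
asan_access() {
    printf '%s\n' "$1" | awk '/^(READ|WRITE) of size/ { print $1, $4; exit }'
}

# Innermost frame of the faulting stack.
asan_top_frame() {
    printf '%s\n' "$1" | awk "${FRAME_FN}"'
/^ *#0 / { print frame_name(); exit }'
}

# First frame of the "freed by" stack that is not the ASan free interceptor.
asan_free_site() {
    printf '%s\n' "$1" | awk "${FRAME_FN}"'
/freed by thread/ { infree = 1; next }
infree && /^ *#[0-9]+ / { if ($3 == "in" && $4 ~ /^__interceptor_/) next; print frame_name(); exit }'
}

# For a SEGV: near-null (pointer derived from NULL) or wild (anything else).
asan_segv_kind() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*SEGV on unknown address \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    if [ -z "$addr" ]; then
        echo "not-a-segv"
    elif [ $(( $addr )) -lt $(( 0x10000 )) ]; then
        echo "near-null"
    else
        echo "wild"
    fi
}

# One-line summary suitable for pasting into a bug tracker.
triage() {
    class=$(asan_class "$1")
    if [ -z "$class" ]; then
        echo "no ASan report"
        return
    fi
    printf 'class=%s access=[%s] top=%s free_site=%s segv=%s\n' \
        "$class" "$(asan_access "$1")" "$(asan_top_frame "$1")" \
        "$(asan_free_site "$1")" "$(asan_segv_kind "$1")"
}

# Re-run every output type named in the report against an ASan build of dot.
# The dot binary and sample file are assumptions; neither is attached here.
repro_all_formats() {
    dot_bin=$1; sample=$2
    for fmt in plain plain-ext cmap gd gd2 gif ismap jpe jpeg jpg png wbmp; do
        # Keep only stderr (where ASan writes); discard the rendered output.
        out=$("$dot_bin" -T"$fmt" "$sample" -o /dev/null 2>&1 >/dev/null) || true
        printf '%s: %s\n' "$fmt" "$(triage "$out")"
    done
}

# Stand-alone run: summarise the two embedded excerpts.
triage "$UAF_REPORT"
triage "$SEGV_REPORT"
```

The free site is reported as a module rather than a function because the original trace has no symbol for the libcdt frame; rebuilding libcdt and libcgraph with debug info would turn that into the allocating and freeing call sites. For the SEGV the "wild" classification only says the faulting address is not near zero; it does not by itself say the pointer is attacker controlled.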
