AddressSanitizerFoundBugs

technology into large-scale software products: Tizen
distribution and Linux kernel. The tool has already found
around a hundred of serious memory bugs in various Tizen
applications and in mainline Linux kernel. ```

# Unsorted

  * http://hg.dovecot.org/dovecot-2.2/rev/740935acc0f8
  * http://core.tcl.tk/tk/tktview/b1534b438bc711e848ad7ade3642ce0a6323fe8e
  * http://core.tcl.tk/tk/tktview/9bad630c3163b4b2ef8781089ae27058c957a428
  * https://bugzilla.gnome.org/show_bug.cgi?id=751603
  * https://bugzilla.gnome.org/show_bug.cgi?id=751631
  * https://bugzilla.gnome.org/show_bug.cgi?id=751643
  * https://bugzilla.gnome.org/show_bug.cgi?id=752191
  * https://bugzilla.gnome.org/show_bug.cgi?id=751633
  * https://savannah.gnu.org/bugs/index.php?45391
  * https://github.com/radare/radare2/issues/2665
  * https://github.com/radare/radare2/issues/2683
  * https://github.com/radare/radare2/issues/2684
  * https://github.com/radare/radare2/issues/2705
  * https://github.com/radare/radare2/issues/2706
  * https://github.com/radare/radare2/issues/2736 (cmd\_zign, script)
  * https://github.com/radare/radare2/issues/2737 (script, r\_print\_fill)
  * https://github.com/radare/radare2/issues/2759 (r\_reg\_get\_name\_idx) (fixed)
  * https://github.com/radare/radare2/issues/2760 (r\_core\_syscmd\_ls) (fixed)
  * https://github.com/radare/radare2/issues/2764 (r\_num\_calc) (fixed)
  * https://github.com/radare/radare2/issues/2765 (r\_str\_escape_) (fixed)
  * https://github.com/radare/radare2/issues/2795 (cmd\_type) (fixed)
  * https://github.com/radare/radare2/issues/2796 (cmd\_write) (fixed)
  * https://github.com/radare/radare2/issues/2797 (cmd\_flag) (fixed)
  * https://github.com/radare/radare2/issues/2806 (r\_core\_yank\_hud\_file) (fixed)
  * https://github.com/radare/radare2/issues/2807 (cmd\_open) (fixed)
  * https://github.com/radare/radare2/issues/2808 (updateAddr) (fixed)
  * https://github.com/radare/radare2/issues/2809 (r\_core\_magic\_at, UAF) (fixed)
  * https://github.com/radare/radare2/issues/2832 (r\_mem\_copyendian)
  * https://github.com/radare/radare2/issues/2833 (r\_wstr\_clen) (fixed)
  * https://github.com/radare/radare2/issues/2836 (r\_str\_glob) (fixed)
  * https://github.com/radare/radare2/issues/2850 (cmd\_search, fixed)
  * https://github.com/radare/radare2/issues/2851 (core\_anal\_bytes, fixed)
  * https://github.com/radare/radare2/issues/2852 (pdi, fixed)
  * https://github.com/radare/radare2/issues/2853 (perform\_disassembly, fixed)
  * https://github.com/radare/radare2/issues/2854 (radare\_compare, fixed)
  * https://github.com/radare/radare2/issues/2855 (UAF, r\_num\_calc\_index, fixed)
  * https://github.com/radare/radare2/issues/2869 (heap overflow write, r\_rprint\_randomart, fixed)
  * https://github.com/radare/radare2/issues/2870 (UNFIXED, core\_anal\_bytes again)
  * https://github.com/radare/radare2/issues/2871 (pdi again, fixed)
  * https://github.com/radare/radare2/issues/2872 (perform\_disassebly again, fixed)
  * https://github.com/radare/radare2/issues/2889 (UAF r\_num\_calc\_index again, fixed)
  * https://github.com/radare/radare2/issues/2909 (fixed, cmd\_search again, fixed)
  * https://github.com/radare/radare2/issues/2910 (r\_core\_write\_op, fixed)
  * https://bugs.freedesktop.org/show_bug.cgi?id=90784_

# Spec CPU 2006
Use-after-free in 400.perlbench (a pointer is used after it is passed to `realloc`).

READ of size 1 at 0x00000000023b7413 thread T0 (bad: 0x00002000008edd04; shadow: 0x0000100000476e82) #0 0x66490a in Perl_sv_setpvn sv.c:4127 #1 0x45766c in Perl_magic_get mg.c:772 #2 0x453bcb in Perl_mg_get mg.c:169 #3 0x669fb8 in Perl_sv_setsv_flags sv.c:3796 #4 0x684c3f in Perl_sv_mortalcopy sv.c:6748 #5 0x56fedd in Perl_pp_leaveeval pp_ctl.c:3486 #6 0x635d44 in Perl_runops_standard run.c:37 #7 0x4d2ad6 in S_run_body perl.c:2017 #8 0x4f9077 in main perlmain.c:100 #9 0x7fa3900e2c4d in __libc_start_main ??:0 #10 0x403519 in _start ??:0 0x00000000023b7413 is located 3 bytes inside of 5-byte region [0x00000000023b7410,0x00000000023b7415) freed by thread T0 here: #0 0x7bc852 in realloc asan_rtl #1 0x733e2e in Perl_safesysrealloc util.c:132 #2 0x650a82 in Perl_sv_grow sv.c:1620 #3 0x66c3f5 in Perl_sv_setsv_flags sv.c:4012 #4 0x5735e8 in Perl_pp_sassign pp_hot.c:122 #5 0x635d44 in Perl_runops_standard run.c:37 #6 0x4d2ad6 in S_run_body perl.c:2017 #7 0x4f9077 in main perlmain.c:100 #8 0x7fa3900e2c4d in __libc_start_main ??:0 previously allocated by thread T0 here: #0 0x7bc852 in realloc asan_rtl #1 0x733e2e in Perl_safesysrealloc util.c:132 #2 0x650a82 in Perl_sv_grow sv.c:1620 #3 0x6745f5 in Perl_sv_catpvn_flags sv.c:4376 #4 0x675027 in Perl_sv_catsv_flags sv.c:4460 #5 0x5402a3 in Perl_pp_substcont pp_ctl.c:190 #6 0x635d44 in Perl_runops_standard run.c:37 #7 0x4d2ad6 in S_run_body perl.c:2017 #8 0x4f9077 in main perlmain.c:100 #9 0x7fa3900e2c4d in __libc_start_main ??:0


global-buffer-overflow in `memcmp("perlio", "unix", 6)`:

==17858== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006af025 at pc 0x426478 bp 0x7fffb37ffe40 sp 0x7fffb37ffe18 READ of size 6 at 0x0000006af025 thread T0 #0 0x426477 in __interceptor_memcmp asan_rtl #1 0x4bf792 in PerlIO_find_layer perlio.c:751 #2 0x4c0ab2 in PerlIO_default_buffer perlio.c:1015 #3 0x4c1171 in PerlIO_default_layers perlio.c:1113 #4 0x4c255d in PerlIO_resolve_layers perlio.c:1433 #5 0x4c3289 in PerlIO_openn perlio.c:1519 #6 0x4c1410 in PerlIO_fdopen perlio.c:4745 #7 0x4cfca1 in Perl_PerlIO_stdin perlio.c:4686 #8 0x4b57df in S_open_script perl.c:3348 #9 0x4d13f7 in main perlmain.c:96 #10 0x7fcab450876c in __libc_start_main libc-start.c:226 #11 0x4359b4 in _start ??:0 0x0000006af025 is located 59 bytes to the left of global variable '.str39 (perlio.c)' (0x6af060) of size 3 '.str39 (perlio.c)' is ascii string 'r+' 0x0000006af025 is located 0 bytes to the right of global variable '.str38 (perlio.c)' (0x6af020) of size 5 '.str38 (perlio.c)' is ascii string 'unix' Shadow bytes around the buggy address:



Stack buffer overflow in 464.h264ref:

int k, satd = 0, m[16], dd, d[16]; ... for (dd=d[k=0]; k<16; dd=d[++k]) ^^^^^^ // On the last iteration, d[++k] reads d[16], one element after the array boundary.

READ of size 4 mem: 0x00007fff516bd140 thread T0 #0 0x506211 in SATD mv-search.c:1093 #1 0x509524 in SubPelBlockMotionSearch mv-search.c:1398 #2 0x527300 in BlockMotionSearch mv-search.c:2672 #3 0x53091e in PartitionMotionSearch mv-search.c:3272 ... Address 0x00007fff516bd140 is inside T0's stack

See also: http://www.spec.org/cpu2006/Docs/faq.html#Run.05

Global buffer overflow in 464.h264ref:

context_ini.c:222: BIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_BCBP_CTX, tc->bcbp_contexts, INIT_BCBP, img->model_number);

READ of size 4 at 0x00000000005ec1c0 thread T0 #0 0x4139cf in biari_init_context biariencode.c:334 #1 0x43f8f3 in init_contexts context_ini.c:222 #2 0x5a6f33 in start_slice slice.c:118 #3 0x5a93b7 in encode_one_slice slice.c:223 #4 0x466d7a in code_a_picture image.c:236 #5 0x4728c0 in frame_picture image.c:800 #6 0x4696ef in encode_one_frame image.c:411 #7 0x48167d in main lencod.c:413 0x00000000005ec1c0 is located 0 bytes to the right of global variable 'INIT_BCBP_I' (0x5ec0c0) of size 256

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AddressSanitizerFoundBugs

Chromium, WebKit Safari, iTunes

Mozilla

Opera

vlc

ffmpeg

FreeType

bash

webrtc

perl

libcurl

php

parrot (http://www.parrot.org/)

libreoffice

MySQL

RocksDB

PostgreSQL

Hypertable

vim

Phusion Passenger (https://www.phusionpassenger.com/)

Percona Server with XtraDB (http://www.percona.com/software/percona-server)

libpango

LLVM

GCC

Go

Tor

Impala

GNU Coreutils

Tizen

Clone this wiki locally