=================================================================
==13981==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd3 at pc 0x7f898811550c bp 0x7ffd279fb1c0 sp 0x7ffd279fb1b0
READ of size 1 at 0x60200000efd3 thread T0
#0 0x7f898811550b in set_bm_skip /work/ref/Onigmo/regcomp.c:4252
#1 0x7f898811c341 in set_optimize_exact_info /work/ref/Onigmo/regcomp.c:5294
#2 0x7f898811cce5 in set_optimize_info_from_tree /work/ref/Onigmo/regcomp.c:5386
#3 0x7f898811db90 in onig_compile /work/ref/Onigmo/regcomp.c:5798
#4 0x7f898811e553 in onig_new /work/ref/Onigmo/regcomp.c:5938
#5 0x400be1 in main /work/ref/Onigmo/sample/simple.c:12
#6 0x7f8987d2d290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#7 0x4009d9 in _start (/work/ref/Onigmo/sample/.libs/simple+0x4009d9)
0x60200000efd3 is located 0 bytes to the right of 3-byte region [0x60200000efd0,0x60200000efd3)
allocated by thread T0 here:
#0 0x7f89884aee60 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x7f898811be9e in set_optimize_exact_info /work/ref/Onigmo/regcomp.c:5268
#2 0x7f898811cce5 in set_optimize_info_from_tree /work/ref/Onigmo/regcomp.c:5386
#3 0x7f898811db90 in onig_compile /work/ref/Onigmo/regcomp.c:5798
#4 0x7f898811e553 in onig_new /work/ref/Onigmo/regcomp.c:5938
#5 0x400be1 in main /work/ref/Onigmo/sample/simple.c:12
#6 0x7f8987d2d290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/ref/Onigmo/regcomp.c:4252 in set_bm_skip
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[03]fa fa fa 00 04
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13981==ABORTING
Valgrind reports an out-of-bounds memory access while creating a Regexp object with an invalid byte sequence:
$ valgrind ruby -e'Regexp.new("\\\xD3\xD5\xBE\x1E+".force_encoding("euc-jp"))'
==21986== Memcheck, a memory error detector
==21986== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21986== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==21986== Command: ruby -eRegexp.new("\\\\\\xD3\\xD5\\xBE\\x1E+".force_encoding("euc-jp"))
==21986==
==21986== Invalid read of size 1
==21986== at 0x1EF7D0: set_bm_skip.isra.17 (regcomp.c:4271)
==21986== by 0x1FC1FB: set_optimize_exact_info (regcomp.c:5310)
==21986== by 0x1FC1FB: set_optimize_info_from_tree (regcomp.c:5396)
==21986== by 0x1FC1FB: onig_compile (regcomp.c:5824)
==21986== by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986== by 0x1E7C0C: make_regexp (re.c:874)
==21986== by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986== by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986== by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986== by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986== by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986== by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986== by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986== by 0x29897C: vm_call0 (vm_eval.c:61)
==21986== by 0x29897C: rb_call0 (vm_eval.c:342)
==21986== by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986== by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986== by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986== by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986== by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986== by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986== Address 0x73f7333 is 0 bytes after a block of size 3 alloc'd
==21986== at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21986== by 0x1FC083: set_optimize_exact_info (regcomp.c:5284)
==21986== by 0x1FC083: set_optimize_info_from_tree (regcomp.c:5396)
==21986== by 0x1FC083: onig_compile (regcomp.c:5824)
==21986== by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986== by 0x1E7C0C: make_regexp (re.c:874)
==21986== by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986== by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986== by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986== by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986== by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986== by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986== by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986== by 0x29897C: vm_call0 (vm_eval.c:61)
==21986== by 0x29897C: rb_call0 (vm_eval.c:342)
==21986== by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986== by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986== by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986== by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986== by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986== by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986==
==21986==
==21986== HEAP SUMMARY:
==21986== in use at exit: 2,538,700 bytes in 17,476 blocks
==21986== total heap usage: 43,758 allocs, 26,282 frees, 10,646,254 bytes allocated
==21986==
==21986== LEAK SUMMARY:
==21986== definitely lost: 349,991 bytes in 3,886 blocks
==21986== indirectly lost: 474,023 bytes in 5,121 blocks
==21986== possibly lost: 1,441,628 bytes in 7,599 blocks
==21986== still reachable: 273,058 bytes in 870 blocks
==21986== suppressed: 0 bytes in 0 blocks
==21986== Rerun with --leak-check=full to see details of leaked memory
==21986==
==21986== For counts of detected and suppressed errors, rerun with: -v
==21986== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Note: with the following code, enclen() returns 2, not 1.

```c
const UChar *p = (const UChar *)"\xBE";            /* a lone EUC-JP lead byte, one byte left */
int len = enclen(ONIG_ENCODING_EUC_JP, p, p + 1);  /* Onigmo's internal macro from regint.h */
```

Need to check the end of the string.
The following code causes an out-of-bounds heap read (originally reported at https://bugs.ruby-lang.org/issues/12997):
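The note above observes that enclen() reports the full length implied by a lead byte even when the buffer ends before the character does, so a skip-table builder that trusts it walks one byte past its allocation. What follows is an added example written for this page, not Onigmo's code: it models a multibyte-aware Boyer-Moore bad-character table builder with both an unbounded and an end-checked length function and reproduces the "one byte past a 3-byte block" shape of the report. The EUC-JP lead-byte lengths, the loop shape, and every function and type name are assumptions of this example; the 3-byte input is constructed from the pattern bytes in the Valgrind command, and that the reported block holds exactly those bytes is also an assumption.

```c
/* Added example, not Onigmo's code: a minimal model of the set_bm_skip()
 * over-read discussed in the enclen() note above, beside the bound check that
 * fixes it. Assumptions (ours): EUC-JP lead-byte lengths 0x8E -> 2, 0x8F -> 3,
 * 0xA1..0xFE -> 2, else 1; a plain Boyer-Moore bad-character table walked one
 * character at a time, simpler than Onigmo's; all names below are made up. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char UChar;

/* Length implied by the lead byte alone, end pointer ignored: this is what
 * the note observes, enclen("\xBE", p + 1) == 2. */
static int euc_jp_len_from_lead(UChar b)
{
    if (b == 0x8E) return 2;               /* SS2: half-width katakana */
    if (b == 0x8F) return 3;               /* SS3: JIS X 0212 */
    if (b >= 0xA1 && b <= 0xFE) return 2;  /* JIS X 0208 */
    return 1;                              /* ASCII or stray byte */
}

typedef int (*enclen_fn)(const UChar *p, const UChar *end);

/* Buggy variant: trusts the lead byte even when fewer bytes remain. */
static int enclen_unbounded(const UChar *p, const UChar *end)
{
    (void)end;
    return euc_jp_len_from_lead(*p);
}

/* Fixed variant: a character can never extend past end. */
static int enclen_bounded(const UChar *p, const UChar *end)
{
    int len = euc_jp_len_from_lead(*p);
    if (len > end - p) len = (int)(end - p);   /* truncated final character */
    return len;
}

typedef struct {
    int last[256];       /* rightmost offset of each byte value, -1 if absent */
    int max_offset_read; /* highest s[k] the builder asked for */
    int oob_reads;       /* reads at or past end */
} bm_table_t;

/* Stand-in for the raw s[k] of the real loop: reads when in bounds, only counts
 * otherwise, so the demo stays defined behaviour. Replace the body with
 * "return s[k];" and build with -fsanitize=address for a report like the one above. */
static UChar read_byte(const UChar *s, const UChar *end, ptrdiff_t k, bm_table_t *t)
{
    if ((int)k > t->max_offset_read) t->max_offset_read = (int)k;
    if (s + k >= end) { t->oob_reads++; return 0; }
    return s[k];
}

/* Walk the exact string one character at a time (so per-character work such as
 * case folding could happen here) and record every byte of every character. */
static void build_bad_char_table(const UChar *s, const UChar *end,
                                 enclen_fn enclen, bm_table_t *t)
{
    ptrdiff_t len = end - s, i;
    int j, clen = 0;

    for (j = 0; j < 256; j++) t->last[j] = -1;
    t->max_offset_read = -1;
    t->oob_reads = 0;
    for (i = 0; i < len; i += clen) {
        clen = enclen(s + i, end);          /* over-reports for a lone lead byte at the end */
        for (j = 0; j < clen; j++)
            t->last[read_byte(s, end, i + j, t)] = (int)(i + j);
    }
}

/* Constructed input: a 3-byte heap block holding \xD3\xD5\xBE, the pattern bytes
 * from the Valgrind command that fit the 3-byte block both tools report (our
 * assumption). Returns the highest offset the builder touched: 3 is one past the
 * block (the reported over-read), 2 is the last valid byte. */
static int run_report_case(int use_bounded, bm_table_t *out)
{
    static const UChar exact[3] = { 0xD3, 0xD5, 0xBE };
    bm_table_t local, *t = out ? out : &local;
    UChar *s = malloc(sizeof exact);
    if (s == NULL) return -1;
    memcpy(s, exact, sizeof exact);
    build_bad_char_table(s, s + sizeof exact,
                         use_bounded ? enclen_bounded : enclen_unbounded, t);
    free(s);
    return t->max_offset_read;
}

/* The note's own experiment: a lone "\xBE" with end == p + 1. */
static int enclen_of_lone_lead_byte(int use_bounded)
{
    static const UChar p[1] = { 0xBE };
    return (use_bounded ? enclen_bounded : enclen_unbounded)(p, p + 1);
}

int main(void)
{
    printf("highest offset touched on a 3-byte block: unbounded %d, bounded %d\n",
           run_report_case(0, NULL), run_report_case(1, NULL));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the unbounded walk reports offset 3 on a 3-byte block, the bounded walk offset 2. The check the note calls for is the clamp in enclen_bounded() (or an equivalent `if (p + clen > end) clen = end - p;` in the caller): a character length is only ever trusted up to `end - p`, and a table builder that iterates by character must apply that clamp before it touches the character's bytes.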