Segment Fault format.c:1412 in set_font

[PangPangpeng]

gdb-peda$ set args ./pocs/poc4
gdb-peda$ run
Starting program: /root/Intriguer/intriguer/opensoft/abc2music/origin/abcm2ps ./pocs/poc4
abcm2ps-8.14.9 (2020-06-21)
File ./pocs/poc4
./pocs/poc4:26:2: error: Cannot identify meter top
26 M:Cÿÿ/4
^
./pocs/poc4:30:4: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:5: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:10: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:16: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:1: error: Chord not closed
30 [KgC# alto]rigin
^
./pocs/poc4:30:0: error: Bad character 'n'
./pocs/poc4:30:0: error: Bad character 'i'
./pocs/poc4:30:0: error: Bad character 'i'
./pocs/poc4:30:0: error: Bad character 'r'
./pocs/poc4:30:0: error: Bad character 'o'
./pocs/poc4:30:0: error: Bad character 't'
./pocs/poc4:30:0: error: Bad character 'l'
./pocs/poc4:30:0: error: Bad character 'K'
./pocs/poc4:33:0: error: Voice '2' of %%staves has no symbol
./pocs/poc4:33:0: error: Misplaced ']' in %%staves
./pocs/poc4:33:0: error: Bad voice ID in %%staves
./pocs/poc4:33:0: error: Voice 'CEGc' of %%staves has no symbol
./pocs/poc4:67:23: error: Bad character
67 !fine!C!invertedfermataD !longphrase!E !mediumphrase!F !mf!G!open!A !p!B...
^
./pocs/poc4:65:31: error: Decoration !cresc(! not defined
./pocs/poc4:65:58: error: Too many words in lyric line
./pocs/poc4:67:11: error: Bad character 'n'
./pocs/poc4:67:11: error: Bad character 'i'
./pocs/poc4:67:14: error: Bad character 't'
./pocs/poc4:67:14: error: Bad character 'r'
./pocs/poc4:67:20: error: Bad character 'm'
./pocs/poc4:67:20: error: Bad character 'r'
./pocs/poc4:67:22: error: Bad character 't'
./pocs/poc4:67:24: warning: Not enough words for lyric line

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xa0000 ('')
RBX: 0xb ('\x0b')
RCX: 0x0
RDX: 0x1
RSI: 0x44c627 --> 0x20656c7469540020 (' ')
RDI: 0xb ('\x0b')
RBP: 0xa0000 ('')
RSP: 0x7fffffffdd20 --> 0xffffffffffffffff
RIP: 0x41f771 (<set_font+193>: mov rcx,QWORD PTR [rax8+0x668c60])
R8 : 0x0
R9 : 0x1
R10: 0xf
R11: 0x7ffff788bf60 --> 0xfff1ee20fff1ee10
R12: 0x1
R13: 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x41f763 <set_font+179>: mov edx,DWORD PTR [rip+0x247277] # 0x6669e0 <file_initialized>
0x41f769 <set_font+185>: test edx,edx
0x41f76b <set_font+187>: jle 0x41f818 <set_font+360>
=> 0x41f771 <set_font+193>: mov rcx,QWORD PTR [rax8+0x668c60]
0x41f779 <set_font+201>: mov edx,0x449890
0x41f77e <set_font+206>: xor esi,esi
0x41f780 <set_font+208>: mov edi,0x1
0x41f785 <set_font+213>: xor eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd20 --> 0xffffffffffffffff
0008| 0x7fffffffdd28 --> 0x9 ('\t')
0016| 0x7fffffffdd30 --> 0x675640 ("Composer (Origin)")
0024| 0x7fffffffdd38 --> 0x4364ea (<str_ft_out1+58>: test BYTE PTR [rip+0x22cdd7],0x1 # 0x6632c8 )
0032| 0x7fffffffdd40 --> 0xffffffff
0040| 0x7fffffffdd48 --> 0x675649 ("(Origin)")
0048| 0x7fffffffdd50 --> 0x675640 ("Composer (Origin)")
0056| 0x7fffffffdd58 --> 0x4366fe (<str_ft_out+478>: jmp 0x4366b5 <str_ft_out+405>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
set_font (ft=0xb) at format.c:1412
1412 error(1, NULL,
gdb-peda$ bt
#0 set_font (ft=0xb) at format.c:1412
#1 0x00000000004364ea in str_ft_out1 (p=p@entry=0x675640 <tex_buf> "Composer (Origin)", l=l@entry=0x9) at subs.c:822
#2 0x00000000004366fe in str_ft_out (p=0x675649 <tex_buf+9> "(Origin)", end=0x1) at subs.c:896
#3 0x00000000004371ec in str_out (p=, action=) at subs.c:942
#4 0x0000000000437214 in put_str (str=str@entry=0x7fffffffdda0 "Composer (Origin)", action=action@entry=0x2) at subs.c:980
#5 0x00000000004381f0 in put_inf2r (s1=, s1@entry=0x6e4960, s2=, s2@entry=0x6e4bc0, action=action@entry=0x2) at subs.c:1026
#6 0x000000000043928d in write_heading () at subs.c:1783
#7 0x0000000000433036 in get_info (s=s@entry=0x6e5530) at parse.c:2913
#8 0x0000000000435068 in do_tune () at parse.c:3501
#9 0x00000000004088e2 in abc_parse (p=0x694370 "", fname=fname@entry=0x692560 "./pocs/poc4", ln=ln@entry=0x54) at abcparse.c:179
#10 0x000000000041fa17 in txt_add_eos (fname=fname@entry=0x692560 "./pocs/poc4", linenum=linenum@entry=0x54) at front.c:379
#11 0x0000000000420478 in frontend (s=0x693f76 "\nX:8\nT:Decorations on two voices\nT:(also in 'd:' lines)\n%%infoline 1\nC:Composer\nO:Or@",
s@entry=0x6937a0 "% Sample file to test various features of abcm2ps\n%%footer abcm2ps - sample2\n\nU: N = !tenuto!\n\nX:1\nT:All clefs\nM:C\nL:1/4\nK:C bass\n"^bass"G,CEG|[K:bass3]"^bass3"G,CEG|[K:alto4]"^alto4"G,CEG|[K:alto]"^a"..., ftype=ftype@entry=0x0, fname=fname@entry=0x692560 "./pocs/poc4", linenum=, linenum@entry=0x0) at front.c:891
#12 0x0000000000403fdd in treat_file (fn=0x7fffffffe78c "./pocs/poc4", ext=) at abcm2ps.c:240
#13 0x0000000000403118 in main (argc=0x0, argc@entry=0x2, argv=, argv@entry=0x7fffffffe508) at abcm2ps.c:1041
#14 0x00007ffff7724840 in __libc_start_main (main=0x4029e0

, argc=0x2, argv=0x7fffffffe508, init=, fini=, rtld_fini=, stack_end=0x7fffffffe4f8)
at ../csu/libc-start.c:291
#15 0x0000000000403689 in _start ()
poc4.zip

[moinejf]

Sorry for I have no such a crash in my system (ARM 32 bits).
May you reduce the source file to the smallest sequence that raises the bug?

[PangPangpeng]

I remove some line in the poc , and I reproduce the crash in my system(x86 64bit). I also tried to run it in qemu-arm-static, as you said, I didn't get the crash either. May be it is relevant to the system bit.

root@ubuntu:# uname -a
Linux ubuntu 4.15.0-106-generic #107-16.04.1-Ubuntu SMP Thu Jun 4 15:40:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:/abc2music/origin# ./abcm2ps poc_small
abcm2ps-8.14.9 (2020-06-21)
File poc_small
poc_small:6:2: error: Cannot identify meter top
6 M:Cÿÿ/4
^
poc_small:10:4: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:5: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:10: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:16: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:1: error: Chord not closed
10 [KgC# alto]rigin
^
poc_small:10:0: error: Bad character 'n'
poc_small:10:0: error: Bad character 'i'
poc_small:10:0: error: Bad character 'i'
poc_small:10:0: error: Bad character 'r'
poc_small:10:0: error: Bad character 'o'
poc_small:10:0: error: Bad character 't'
poc_small:10:0: error: Bad character 'l'
poc_small:10:0: error: Bad character 'K'
poc_small:13:0: error: Voice '2' of %%staves has no symbol
poc_small:13:0: error: Misplaced ']' in %%staves
poc_small:13:0: error: Bad voice ID in %%staves
poc_small:13:0: error: Voice 'CEGc' of %%staves has no symbol
poc_small:27:23: error: Bad character
27 !fine!C!invertedfermataD !longphrase!E !mediumphrase!F !mf!G!open!A !p!B...
^
poc_small:25:31: error: Decoration !cresc(! not defined
poc_small:25:58: error: Too many words in lyric line
poc_small:27:11: error: Bad character 'n'
poc_small:27:11: error: Bad character 'i'
poc_small:27:14: error: Bad character 't'
poc_small:27:14: error: Bad character 'r'
poc_small:27:20: error: Bad character 'm'
poc_small:27:20: error: Bad character 'r'
poc_small:27:22: error: Bad character 't'
poc_small:27:24: warning: Not enough words for lyric line
Segment Fault

pocx.zip

[moinejf]

There are still a lot of tunes, a lot of lines and a lot of notes.
Can you reduce your file down to one tune, two or three lines in the header and one line of music with the smaller number of notes?
Also, is the crash exactly the same as in the full file?

[PangPangpeng]

Oh, your're right......pocx produce another crash. And I tried my best to reduce the poc ,unfortunately, I can only reproduce with the full file.
And during I doing that ,I found the other crach could be triggered by this short poc.
poc_2.zip

[moinejf]

I found a X64 computer and I build abcm2ps, but then I had no crash with any of your files (including the one of the issue #73).
For more information, the computer is a MinisForum with a Intel Atom N3350 running VoidLinux; abcm2ps was compiled with 'clang' and dynamically linked with the glibc.

[PangPangpeng]

I re-compile abcm2ps with 'clang' and dynamically linked with the glibc, I didn't get the crash either. But when I compile abcm2ps with 'gcc-5.4', the crash return again. I debug the code with GDB, and I found the glocal variable curvoice was modified and point to the address &dfmt +384, this is very strange, which cause cfmt and dfmt destoried. when we try to
run get_font_encoding, and the the cfmt.font_tb[ft].fnum was modified coincidentally, we will get an segment fault. Because font_enc[cfmt.font_tb[ft].fnum] tries to read an inaccessible address

I spent a lot time on finding the bug code. I think I found which line modified the address of curvoice.
in function process_pscomment , it calls get_staves， after running this function, it execute this line:
curvoice = &voice_tb[parsys->top_voice], and the parsys->top_voice==0xffff, so it makes curvoice point to (&voice_tb -0x200). using IDA I get the .bss segment, and (&voice_tb -0x200) == (&dfmt+384). Here is the stack.

#0 0x000000000043242b in get_staves (s=0x7fffffffdd00) at parse.c:2528
#1 process_pscomment (s=s@entry=0x6a5408) at parse.c:5699
#2 0x0000000000435078 in do_tune () at parse.c:3504
#3 0x00000000004088e2 in abc_parse (p=0x693e20 "", fname=fname@entry=0x692560 "pocx", ln=ln@entry=0x18) at abcparse.c:179
#4 0x000000000041fa17 in txt_add_eos (fname=fname@entry=0x692560 "pocx", linenum=linenum@entry=0x18) at front.c:379
#5 0x0000000000420478 in frontend (
s=0x693962 "\nX:4\nT:Guitar chords - annotations\nM:none\nL:1/4\nK:C\n"^no time""^signature"CD"gchord""^on bar"|EF\\n"^appogiattura"{B}c "^acRiaccatura"{/B}c \\n"^three;annot;lines"G "^and""^four""^annot""^lines!"c| \\n"^"...,
s@entry=0x6937a0 "U: N = !tenuto!\n\nX:2\nT:Key signature change\nT:and multi-measure rest\nM:2\nL:1/4\nK:C\nZ4|"C"CEGc|[K:A]"A"Acea|[K:B]"B"Bdfb|[K:A]"A"Acea|\n[K:Eb]"Eb"EGBe|[K:Cb]"Cb"CEGc|[K:C]"C"CEGc|\n\nX:3\nT:All clefs with "..., ftype=ftype@entry=0x0, fname=fname@entry=0x692560 "pocx", linenum=, linenum@entry=0x0) at front.c:891
#6 0x0000000000403fdd in treat_file (fn=0x7fffffffe70c "pocx", ext=) at abcm2ps.c:240
#7 0x0000000000403118 in main (argc=0x0, argc@entry=0x2, argv=, argv@entry=0x7fffffffe478) at abcm2ps.c:1041
#8 0x00007ffff7724840 in __libc_start_main (main=0x4029e0

, argc=0x2, argv=0x7fffffffe478, init=, fini=, rtld_fini=, stack_end=0x7fffffffe468)
at ../csu/libc-start.c:291
#9 0x0000000000403689 in _start ()

[moinejf]

That was big bug, and well hidden! It should be fixed by the commit 74fc325.
Many thanks.