
test failure because of a stack-buffer-overflow #469

Open
asarubbo opened this issue Sep 13, 2023 · 0 comments

Our Gentoo Tinderbox reported a test failure at bug 914094

Looking at test-suite.log I can see that it fails because of a stack-buffer-overflow:

FAIL: ical-012.sh
=================

=================================================================
==679==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7efd3d8125df at pc 0x5654ab7a5229 bp 0x7ffff80873e0 sp 0x7ffff80873d0
READ of size 1 at 0x7efd3d8125df thread T0
    #0 0x5654ab7a5228 in ical_readline /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:693
    #1 0x5654ab7a7c61 in ical_chk_header /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:723
    #2 0x5654ab7a7c61 in ical_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:1878
    #3 0x5654ab7b742d in io_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/io.c:1303
    #4 0x5654ab78cfad in parse_args /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/args.c:966
    #5 0x5654ab675c8e in main /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/calcurse.c:709
    #6 0x7efd3ee23c89  (/lib64/libc.so.6+0x23c89)
    #7 0x7efd3ee23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
    #8 0x5654ab677340 in _start (/var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/calcurse+0x2c340)

Address 0x7efd3d8125df is located in stack of thread T0 at offset 9695 in frame
    #0 0x5654ab7a764f in ical_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:1873

  This frame has 39 object(s):
    [48, 49) 'c' (line 875)
    [64, 68) 'major' (line 1875)
    [80, 84) 'minor' (line 1875)
    [96, 100) 'bytes_read' (line 876)
    [112, 116) 'week' (line 877)
    [128, 132) 'day' (line 877)
    [144, 148) 'mon' (line 927)
    [160, 164) 'n' (line 928)
    [176, 180) 'mday' (line 948)
    [192, 196) 'n' (line 949)
    [208, 212) 'order' (line 970)
    [224, 228) 'n' (line 970)
    [240, 248) 'fmt' (line 472)
    [272, 280) 'p' (line 1358)
    [304, 312) 'dtstart' (line 1359)
    [336, 344) 'dtend' (line 1359)
    [368, 376) 'duration' (line 1359)
    [400, 408) 'rrule' (line 1359)
    [432, 440) 'until' (line 1553)
    [464, 472) 'msg' (line 1555)
    [496, 504) 'freqstr' (line 1066)
    [528, 536) 'note' (line 1868)
    [560, 568) 'note' (line 1868)
    [592, 600) 'p' (line 1723)
    [624, 632) 'note' (line 1868)
    [656, 668) 'vparam' (line 761)
    [688, 700) 'vparam' (line 761)
    [720, 732) 'vparam' (line 761)
    [752, 768) 's' (line 1360)
    [784, 800) 'exdate' (line 1360)
    [816, 832) 's' (line 1724)
    [848, 865) 'datestr' (line 1066)
    [912, 960) 'vtodo' (line 1729)
    [992, 1072) 'tmp' (line 552)
    [1104, 1216) 'vevent' (line 1369)
    [1248, 9440) 'buf' (line 1874)
    [9696, 17888) 'lstore' (line 1874) <== Memory access at offset 9695 underflows this variable
    [18144, 26336) 'msg' (line 581)
    [26592, 34784) 'msg' (line 525)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:693 in ical_readline
Shadow bytes around the buggy address:
  0x7efd3d812300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812480: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x7efd3d812500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x7efd3d812580: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
  0x7efd3d812600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==679==ABORTING

If I can do more, please let me know.
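The report above pins a 1-byte READ one byte below the start of `lstore` (offset 9695, where `lstore` begins at 9696) inside `ical_readline`. The following is an added example, not calcurse's code: it reconstructs the most common shape of such a one-byte stack underflow, a line-trimming step that indexes `buf[len - 1]` without first checking `len > 0`, and places the hardened check beside it. That calcurse's `ical_readline` fails this way is an assumption; the only facts taken from the report are the access size, its position relative to the buffer, and the iCalendar context (CRLF line endings). `read_line_raw`, `strip_cr_*`, `parse_lines`, `ICAL_LINE_CAP` and the sample input are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define ICAL_LINE_CAP 8192   /* constructed capacity; unrelated to calcurse's sizes */

/* Read one line into buf, stopping at '\n' (which is not stored).
 * Returns the number of bytes stored, or -1 when EOF is hit with nothing read.
 * Bytes beyond cap-1 are dropped so the buffer itself can never be overrun. */
static long read_line_raw(FILE *fp, char *buf, size_t cap)
{
	size_t len = 0;
	int c;

	while ((c = fgetc(fp)) != EOF && c != '\n') {
		if (len + 1 < cap)
			buf[len++] = (char)c;
	}
	if (c == EOF && len == 0)
		return -1;
	buf[len] = '\0';
	return (long)len;
}

/* Hypothetical buggy trim: drop a trailing '\r' (iCalendar lines end in CRLF).
 * For an empty line len == 0, so buf[len - 1] is the byte just before the
 * array: a 1-byte READ that underflows the buffer, the shape ASan reports. */
static size_t strip_cr_unchecked(char *buf, size_t len)
{
	if (buf[len - 1] == '\r')
		buf[--len] = '\0';
	return len;
}

/* Hardened trim: test the length before indexing backwards. */
static size_t strip_cr_checked(char *buf, size_t len)
{
	if (len > 0 && buf[len - 1] == '\r')
		buf[--len] = '\0';
	return len;
}

/* Parse up to max lines from text (constructed in-memory input) using the
 * checked trim, storing each line's final length in lens.
 * Returns the number of lines read, or -1 if the stream could not be opened. */
static int parse_lines(const char *text, long *lens, int max)
{
	char buf[ICAL_LINE_CAP];
	FILE *fp = fmemopen((void *)text, strlen(text), "r");
	int n = 0;
	long len;

	if (fp == NULL)
		return -1;
	while (n < max && (len = read_line_raw(fp, buf, sizeof buf)) >= 0)
		lens[n++] = (long)strip_cr_checked(buf, (size_t)len);
	fclose(fp);
	return n;
}

int main(void)
{
	/* Constructed sample: a CRLF file with an empty line in the middle.
	 * The empty line is exactly the case where the unchecked trim would
	 * read one byte below the buffer. */
	static const char sample[] = "BEGIN:VCALENDAR\r\n\r\nEND:VCALENDAR\r\n";
	long lens[8];
	int n = parse_lines(sample, lens, 8);

	for (int i = 0; i < n; i++)
		printf("line %d: %ld bytes\n", i, lens[i]);

	/* The unchecked variant only behaves on a non-empty line: */
	char one[] = "X\r";
	printf("unchecked trim on non-empty line: %zu bytes\n",
	       strip_cr_unchecked(one, 2));
	return 0;
}
```

Built with `-fsanitize=address`, calling `strip_cr_unchecked` on an empty line produces a report of the same form as the one above (a 1-byte READ immediately below the stack array, "underflows this variable"), while `strip_cr_checked` handles the empty line without touching memory outside the buffer.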
