Closed
Description
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb.zip
Tested version 3.5.0 and commit ed6b00a
Might be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1582024
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.
./lou_checktable 5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:1: error: opcode '000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:3: error: opcode '0' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:5: error: invalid dot number '0'.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:6: error: opcode '0000000000000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:7: error: Exactly two Unicode characters and at least one cell are required.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
=================================================================
==31674==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc64214142 at pc 0x7fa79f9917b9 bp 0x7ffc6420d470 sp 0x7ffc6420d468
WRITE of size 2 at 0x7ffc64214142 thread T0
#0 0x7fa79f9917b8 in parseChars /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146
#1 0x7fa79f994170 in getRuleCharsText /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1314
#2 0x7fa79f9d2a45 in compileUplow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:2779
#3 0x7fa79f9d2a45 in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4166
#4 0x7fa79f9e88a2 in compileFile /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4501
#5 0x7fa79f9e97c7 in compileTranslationTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4606
#6 0x7fa79f9e97c7 in lou_getTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4691
#7 0x5593eb49cf13 in main /home/hsalo/src/liblouis-3.5.0/tools/lou_checktable.c:112
#8 0x7fa79f6002e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#9 0x5593eb49d179 in _start (/home/hsalo/builds/liblouis/3.5.0/bin/lou_checktable+0x2179)
Address 0x7ffc64214142 is located in stack of thread T0 at offset 23298 in frame
#0 0x7fa79f9caaff in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:3138
This frame has 17 object(s):
[32, 34) 'c'
[96, 98) 'c'
[160, 164) 'lastToken'
[224, 228) 'after'
[288, 292) 'before'
[352, 356) 'holdOffset'
[416, 432) 'dict'
[480, 2528) 'includeThis'
[2560, 6658) 'token'
[6720, 10818) 'ruleChars'
[10880, 14978) 'ruleDots'
[15040, 19138) 'name'
[19200, 23298) 'ruleChars' <== Memory access at offset 23298 overflows this variable
[23360, 27458) 'ruleDots'
[27520, 31618) 'upperDots'
[31680, 35778) 'lowerDots'
[35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146 in parseChars
Shadow bytes around the buggy address:
0x10000c83a7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000c83a820: 00 00 00 00 00 00 00 00[02]f4 f4 f4 f2 f2 f2 f2
0x10000c83a830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000c83a870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31674==ABORTING
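For readers who want the failure mode in working code: the frame listing shows `ruleChars` as a 4098-byte stack array of 16-bit characters (2049 slots), and the faulting 2-byte write sits at slot 2049, one past the end, because `parseChars` appends decoded characters without comparing the running length against the array size. The block below is an added illustration of that pattern and of a bounds-checked version, written for this page; it is not liblouis code. `MAXSTRING`, `CharsString`, `decode_one` and the `parse_chars_*` names are assumptions modelled on the frame layout, the UTF-8 handling is a minimal decoder (ASCII, 2- and 3-byte forms) whose Latin-1 fallback mirrors the "invalid UTF-8. Assuming Latin-1." warnings, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not liblouis code. Layout assumed from the
   ASan frame above: 2049 slots of 16-bit characters; slot 2049 is the
   one-past-the-end write reported at offset 23298. */
typedef uint16_t widechar;
#define MAXSTRING 2048

typedef struct {
    int length;
    widechar chars[MAXSTRING + 1];
} CharsString;

/* Decode one UTF-8 sequence at in[i] (ASCII, 2- and 3-byte forms only).
   Malformed input is taken as a single Latin-1 byte, which is what the
   checker's "Assuming Latin-1" warnings mean. Returns bytes consumed. */
static size_t decode_one(const unsigned char *in, size_t in_len, size_t i,
                         widechar *out, int *invalid)
{
    unsigned char b = in[i];
    size_t need = 0;
    widechar cp = 0;
    if (b < 0x80) { *out = b; return 1; }
    if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; }
    else { *invalid = 1; *out = b; return 1; }
    if (i + need >= in_len) { *invalid = 1; *out = b; return 1; }
    for (size_t k = 1; k <= need; k++) {
        unsigned char c = in[i + k];
        if ((c & 0xC0) != 0x80) { *invalid = 1; *out = b; return 1; }
        cp = (widechar)((cp << 6) | (c & 0x3F));
    }
    *out = cp;
    return need + 1;
}

/* Unchecked pattern: dest->length is never compared with the array size,
   so a rule-chars field longer than the buffer writes past it, as in the
   report. Kept for comparison only; main() never gives it a long field. */
static void parse_chars_unchecked(const unsigned char *in, size_t in_len,
                                  CharsString *dest, int *invalid)
{
    size_t i = 0;
    dest->length = 0;
    while (i < in_len) {
        widechar c;
        i += decode_one(in, in_len, i, &c, invalid);
        dest->chars[dest->length++] = c;
    }
}

/* Hardened: test for room before each store and reject the whole field
   once it is full (one slot stays spare for a terminator). Returns 1 on
   success, 0 when the field is too long, so the caller can report an
   error and skip the rule instead of truncating silently. */
static int parse_chars_checked(const unsigned char *in, size_t in_len,
                               CharsString *dest, int *invalid)
{
    size_t i = 0;
    dest->length = 0;
    while (i < in_len) {
        widechar c;
        size_t n = decode_one(in, in_len, i, &c, invalid);
        if (dest->length >= MAXSTRING)
            return 0;
        dest->chars[dest->length++] = c;
        i += n;
    }
    return 1;
}

/* Feed the checked parser a constructed field of n 'a' bytes; 1 if accepted. */
static int accepts_field_of_length(size_t n)
{
    static unsigned char buf[MAXSTRING + 2];
    CharsString cs;
    int invalid = 0;
    if (n > sizeof buf) return 0;
    memset(buf, 'a', n);
    return parse_chars_checked(buf, n, &cs, &invalid);
}

/* Decoded character at index idx of a NUL-terminated field, or -1 if the
   field was rejected or idx is out of range. */
static int decoded_char_at(const char *s, int idx)
{
    CharsString cs;
    int invalid = 0;
    if (!parse_chars_checked((const unsigned char *)s, strlen(s), &cs, &invalid))
        return -1;
    if (idx < 0 || idx >= cs.length) return -1;
    return cs.chars[idx];
}

/* 1 if the field contained malformed UTF-8 that fell back to Latin-1. */
static int field_had_invalid_utf8(const char *s)
{
    CharsString cs;
    int invalid = 0;
    parse_chars_checked((const unsigned char *)s, strlen(s), &cs, &invalid);
    return invalid;
}

int main(void)
{
    CharsString cs;
    int invalid = 0;
    unsigned char latin1[] = { 0xE9, 'x' };   /* constructed: not valid UTF-8 */
    parse_chars_unchecked(latin1, sizeof latin1, &cs, &invalid);
    printf("unchecked on 2 bytes: length=%d invalid=%d\n", cs.length, invalid);
    printf("field of %d chars accepted: %d\n", MAXSTRING, accepts_field_of_length(MAXSTRING));
    printf("field of %d chars accepted: %d\n", MAXSTRING + 1, accepts_field_of_length(MAXSTRING + 1));
    return 0;
}
```

The check goes before the store, not after, and the parser refuses the field rather than clipping it: a silently truncated rule would compile to something the table author never wrote, which is its own class of bug for a translation table. Under `-fsanitize=address`, feeding the unchecked variant a field of `MAXSTRING + 2` characters reproduces the same `WRITE of size 2` one slot past the array.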