Skip to content

AddressSanitizer: stack-buffer-overflow at lou_translateString.c:358 #635

Closed
@hongxuchen

Description

@hongxuchen

lou_translate may suffer from a stack-buffer-overflow on a stack variable inbuf defined in translate_input.
Relevant files are available here.

Command lines to trigger the crashes:

lou_translate hu-hu-g2.ctb < so_lou_translateString.c:358_1
lou_translate hu-hu-g2.ctb < so_lou_translateString.c:358_2
lou_translate afr-za-g1.ctb < so_lou_translateString.c:358_3
lou_translate afr-za-g1.ctb < so_lou_translateString.c:358_4
lou_translate zhcn-g2.ctb < so_lou_translateString.c:358_5
lou_translate zhcn-g2.ctb < so_lou_translateString.c:358_6

A sample ASAN output is like:

warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
warning: invalid UTF-8. Assuming Latin-1.
=================================================================
==20334==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd15a23240 at pc 0x7fae8e277c91 bp 0x7ffd15a1f6d0 sp 0x7ffd15a1f6c8
READ of size 2 at 0x7ffd15a23240 thread T0
    #0 0x7fae8e277c90 in matchCurrentInput /home/exp/FOT/liblouis/liblouis/lou_translateString.c:358:7
    #1 0x7fae8e2729b7 in passDoTest /home/exp/FOT/liblouis/liblouis/lou_translateString.c:745:14
    #2 0x7fae8e2715ae in findForPassRule /home/exp/FOT/liblouis/liblouis/lou_translateString.c:206:7
    #3 0x7fae8e2627b6 in makeCorrections /home/exp/FOT/liblouis/liblouis/lou_translateString.c:255:8
    #4 0x7fae8e25f51c in _lou_translateWithTracing /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1222:16
    #5 0x7fae8e25d238 in lou_translate /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1070:9
    #6 0x7fae8e25d153 in lou_translateString /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1062:9
    #7 0x51338b in translate_input /home/exp/FOT/liblouis/tools/lou_translate.c:73:13
    #8 0x512d3e in main /home/exp/FOT/liblouis/tools/lou_translate.c:199:2
    #9 0x7fae8d26ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41a209 in _start (/home/exp/FOT/liblouis/install/bin/lou_translate+0x41a209)

Address 0x7ffd15a23240 is located in stack of thread T0 at offset 6336 in frame
    #0 0x512edf in translate_input /home/exp/FOT/liblouis/tools/lou_translate.c:53

  This frame has 6 object(s):
    [32, 2080) 'charbuf' (line 54)
    [2208, 2216) 'outlen' (line 56)
    [2240, 6336) 'inbuf' (line 57) <== Memory access at offset 6336 overflows this variable
    [6464, 10560) 'transbuf' (line 58)
    [10688, 10692) 'inlen' (line 59)
    [10704, 10708) 'translen' (line 60)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/liblouis/liblouis/lou_translateString.c:358:7 in matchCurrentInput
Shadow bytes around the buggy address:
  0x100022b3c5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100022b3c640: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x100022b3c650: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x100022b3c660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b3c690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20334==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Labels

    memory errorBuffer overflow, use after free, memory leak, ...

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions